
Responding to a Security Incident Maryland Security Day March 2, 2004 Joy Hughes, CIO


1 Responding to a Security Incident Maryland Security Day March 2, 2004 Joy Hughes, CIO jhughes@gmu.edu http://www.gmu.edu/intrusion

2 Developing a Response Capacity in Fall 2004
- CSIRT-tech: the IT Security Coordinator formed a team with a Windows engineer, a Unix engineer and a network engineer, and sent the team to SANS incident response training.
- CSIRT-exec: the Deputy CIO formed a team with university counsel, the VP of University Relations, the FERPA officer, the President's Chief of Staff, and the University Safety Officer.

3 Incident Description
- January 3rd: the ITU Windows Server Manager noticed his servers being probed by a server in the ID Card Office.
- Rushed to the ID Card Office and removed the server from the network, then called CSIRT-Tech.
- Contained the damage, preserved evidence, enabled restoration of service, and determined that files on the server contained SSNs.

4 Incident Handling
- Grade: B (network dir)
- CSIRT-Exec decided the community had to be notified; the president agreed.

5 Getting/Sharing the Facts
- Took 3 days to ascertain:
  - no other servers on the LAN were compromised (some held credit card numbers);
  - no files on the original server held other private data; and
  - advice from the Feds on how community members could protect their identities (but this advice was too strong).

6 Getting/Sharing the Facts
- Another 2.5 days to get email delivered to every class of customer.
- Could not tell whether the files had been downloaded or copied, and law enforcement forensics teams are too overloaded to work quickly, so we contracted with a forensics firm.

7 Getting/Sharing the Facts
- Struggled to determine whether ID cards were the target. This caused us to contract with police to patrol residence halls and eventually to issue new ID cards to every resident student.

8 Assigning Roles
- Law Enforcement Coordination: Campus Police (FC, FBI)
- Communication strategy: University Relations
- Communication point: CIO
- Coordination: CIO

9 More Roles
- Technical Remediation: Executive Director, Technology Systems Division
- Customer Web Site: Public Relations
- Were the files copied? Who did what? Are any other servers in danger?: Forensics Firm
- Assist Forensics Firm: IT Security Coordinator

10 Work Involved
- Engaged and worked with the Forensics Firm, every day
- Worked with law enforcement
- Interviews with the Washington Post, local papers and national .coms
- Student newspaper (twice)
- Hundreds of phone calls, hundreds of emails

11 Work Involved
- Implemented new ID card software
- Reissued ID cards for resident students
- Vendor reps, some well connected, persisted in efforts to sell security products and identity theft protection services

12 Work Involved
- Did a line-by-line comparison of 36,000 records in the ID Card database with the corresponding records in the student system
- Surveyed every department to see if they stored private administrative data on a server, then worked with a company to assess the security of every one of these servers

13 Work Involved
- Responded to legislative interest, including a bill to turn over all security incident handling to VITA
- Wrote and rewrote updates to the web site
- Campus police investigated every reported problem

14 Lessons Learned
- SSNs are not, by themselves, of interest to criminals looking for a scalable return
- A percentage of people panic on the issue; more effort needs to be expended to control panic
- SAs (system administrators) do not know what is on their servers
- Eliminating the SSN as an identifier is not sufficient to protect SSNs

15 Lessons Learned
- You cannot say to the public "it wasn't my server."
- Keep hour-by-hour records of your response
- Need to train all SAs in preserving evidence and containing damage

16 Future
- Hardware, software and policy changes that will enable: log, log, log
- Much more ITU involvement in protecting other people's servers (e.g. MS 2-day)
- Accelerate intrusion detection implementation

17 Future
- Accelerate VPN
- Accelerate the authentication project
- Develop curriculum, templates, etc. to aid SAs in preserving evidence and containing damage
- Implement a perimeter firewall

18 Future
- Insist that all data files be removed from web servers
- Insist that all shared drives holding sensitive data be specially protected
- Build security into employee performance plans

19 Future
- Ensure the CIO has the same great relationship with the new VP of U.R.

