HSU has established best practice procedures that must be followed whenever a computer connected to a University network is suspected of having been compromised by a virus or other threat. This procedure is a requirement under our data protection compliance mandate, so it is particularly important to determine whether Level 1 protected data is stored on the affected system.
Systems unlikely to contain Level 1 protected data do not require preemptive forensics work by the Campus Information Security Office, which involves the removal of the physical machine to a separate facility for detailed investigation. However, if the presence of Level 1 data is identified at any point during the investigation, all work by campus IT staff and anyone not a member of the Campus Incident Response Team (CIRT) technical team designated by the Information Security Office should immediately stop.
Do not unplug, turn off, disconnect, or otherwise touch the computer in any way UNLESS you strongly suspect that Level 1 protected data is in the process of being removed from the system as a result of the compromise and that your actions would prevent this.
Before you begin
Do not take any steps to examine the machine until you have determined to the best of your ability that Level 1 information is not present on the system.
Start by asking the user or their supervisor if it is likely that Level 1 information is present on the machine.
- If they indicate it is likely that the system contains Level 1 data, have everyone take their hands off the system and contact the Information Security Office immediately at (707) 826-3815.
- If they indicate there is little or no likelihood that Level1 data is on the system, follow the Compromised Information Security Procedure below.
Compromised Information Security Procedure
- Disconnect the system from the network
- Consult with the Information Security Office regarding the appropriate security tools to use to examine the system to determine whether or not it has been compromised.
- If the system is positively identified as being infected by a virus or other malware, proceed to the next step.
- If you run all the listed tools and there is no compelling evidence of infection or other compromise, inform the Information Security Office and stop your investigation.
Identify the threat
- Attempt to identify the threat by consulting the Sophos website. Be aware that other security organizations or vendors may use different names for the same threat, so it's best to use a single information source to avoid confusion.
- If the compromise is identified as severe - usually either a trojan or a rootkit - proceed to the next step.
- If the compromise is NOT identified as severe and you are able to remove the threat, go ahead and disinfect the system and report your results to the Information Security Office.
For severely compromised systems
- In the case of a severe threat to the security of a system, run an Identity Finder scan for Level 1 protected data.
- If you find Level 1 information, stop and contact Information Security immediately.
- If you do not find Level 1 or Level 2 data, wipe the drive, re-install clean copies of the operating system and applications, and report your results to Information Security.
If you have questions at any stage of this, please stop and contact Information Security. Dealing with security compromises requires that specific procedures be followed in order to establish an audit trail. It is not an opportunity to experiment.