Aberystwyth University Security Incident Response Procedure
Potential security incidents are investigated by the Information Services Computer Emergency Response Team (CERT) using information from the following sources:
- Contact from system owners: A user or system administrator of a computer system on the A.U. network contacts Information Services and reports indications that his/her system has been compromised.
- Contact from external system owners: A system administrator at a remote site contacts Information Services CERT to report that systems under their control have been compromised and that forensic analysis shows those systems were used to launch attacks against systems on the A.U. network.
- Contact from external CERT organisations: Incident reports from external security bodies indicate that a system under our control has been compromised and is launching attacks against systems external to the A.U. network.
- Trouble reports/passive monitoring: Complaints about network performance or routine network analysis reveal excessive or suspicious traffic originating from one or more computers on the A.U. network.
- Active network monitoring: Reports from Intrusion Detection Systems indicate inappropriate, incorrect, or anomalous activity.
Once a potential problem has been identified, Information Services CERT will analyse it and attempt to confirm that it is the result of a security incident. This may include traffic flow recording, packet capture and/or contacting the owner of the affected system(s). This allows Information Services CERT to determine the likelihood that a security incident has occurred and what level of threat it poses to the network as a whole. Occasionally, this process will result in very brief interruptions of network service, but Information Services CERT will make every effort to minimise these. Incidents can be broadly categorised as:
1. A compromised computer is actively causing wide-spread problems affecting a number of networks or computers either at A.U. or elsewhere.
2. A computer is transferring confidential or sensitive information to an unauthorised user.
3. A computer critical to the business functions of A.U. is compromised but is not actively causing problems.
4. A violation is reported to Information Services CERT via external CERT organisations.
5. A computer is believed to be vulnerable to a known exploit.
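The flow-recording step described above is the one part of this procedure that can be shown in code. The following is an added example and is not the university's own tooling: it triages a constructed set of outbound flow records (source, destination, destination port, bytes, packets for one export window) and flags hosts that match the first two categories, a source causing wide-spread problems (scan- or DoS-like fan-out to many destinations) and a source moving bulk data to a single external host. The campus address range 10.0.0.0/8, the 60 s window, the thresholds and every flow record are assumptions chosen for the illustration.

```python
"""Triage of outbound flow records for the two incident categories that
trigger immediate blocking and InfoSec notification: a host causing
wide-spread problems (scan / DoS fan-out) and a host moving bulk data
to a single external destination.  Added example; the campus range,
thresholds and flow records are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")        # assumed campus address space
WINDOW_SECONDS = 60                      # assumed flow-export window
FANOUT_THRESHOLD = 100                   # distinct destinations per window
EXFIL_BYTES_THRESHOLD = 500 * 1024 ** 2  # bytes to one external host per window


def constructed_flows():
    """Constructed flow records: (src, dst, dst_port, bytes, packets)."""
    flows = []
    # Host A: one tiny flow to each of 200 external hosts on 445 (scan-like fan-out).
    for i in range(200):
        flows.append(("10.1.2.3", f"203.0.113.{i + 1}", 445, 120, 2))
    # Host B: 800 MiB to a single external host over 443 (possible exfiltration).
    flows.append(("10.1.5.9", "192.0.2.10", 443, 800 * 1024 ** 2, 600_000))
    # Host C: ordinary browsing, a few destinations, small volume.
    for i in range(5):
        flows.append(("10.1.7.1", f"192.0.2.{20 + i}", 443, 50_000, 80))
    # Host D: large transfer to an internal file server (not external, not flagged).
    flows.append(("10.1.8.4", "10.200.0.5", 445, 900 * 1024 ** 2, 700_000))
    return flows


def summarise(flows):
    """Per campus source: distinct destinations, packets, bytes per external dst."""
    stats = defaultdict(lambda: {"dsts": set(), "packets": 0,
                                 "ext_bytes": defaultdict(int)})
    for src, dst, _port, nbytes, packets in flows:
        if ip_address(src) not in CAMPUS:
            continue  # only traffic originating on the campus network
        s = stats[src]
        s["dsts"].add(dst)
        s["packets"] += packets
        if ip_address(dst) not in CAMPUS:
            s["ext_bytes"][dst] += nbytes
    return stats


def triage(flows):
    """Map source host -> (category, reason) for hosts that need action."""
    findings = {}
    for src, s in summarise(flows).items():
        if len(s["dsts"]) >= FANOUT_THRESHOLD:
            rate = s["packets"] / WINDOW_SECONDS
            findings[src] = ("widespread",
                             f"{len(s['dsts'])} distinct destinations, {rate:.0f} pkt/s")
            continue
        top = max(s["ext_bytes"].items(), key=lambda kv: kv[1], default=None)
        if top is not None and top[1] >= EXFIL_BYTES_THRESHOLD:
            findings[src] = ("exfiltration",
                             f"{top[1] // 1024 ** 2} MiB to external host {top[0]}")
    return findings


if __name__ == "__main__":
    for host, (category, reason) in triage(constructed_flows()).items():
        print(f"{host}: {category} ({reason})")
```

The internal transfer (host D) is deliberately not flagged: bulk traffic to a campus file server is normal, and counting it would generate false positives against category 2. In practice the thresholds would be tuned against a baseline of the network's usual flow volumes, and a flagged host would still be confirmed by packet capture or contact with the owner before being treated as a positive incident.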
Where an incident is likely to affect a number of computers, impact the network more widely, or where there is a possibility that data has been compromised, the Information Security Working Group (InfoSec) will also be informed at the earliest opportunity. This particularly relates to scenarios 1 and 2 above.
Contain and Eradicate
Once a security incident has been positively identified, Information Services CERT will act to isolate the affected machine(s). Compromised hosts are often the source of denial-of-service (DoS) attacks, which greatly degrade the performance of the A.U. network, and can also be used as launching points for attacks against other systems, potentially exposing the university to legal liability. Consequently, Information Services CERT must act to remedy security problems immediately.
In serious cases, Information Services CERT may be required to work with the police as directed by the University.
- In the case of a compromised computer that is actively causing wide-spread problems affecting networks or computers at A.U. or elsewhere, Information Services CERT will block the computer from the network and then notify the owner.
- In the case of a computer which is compromised but not actively causing problems, Network staff will first notify the system owner and request that they remove it from the network.
- In the case of a violation report from an external CERT organisation, Information Services CERT will block the computer from the network, and request that the user explain their actions, or allow Information Services CERT to analyse the system.
- When internal security scans reveal that a computer may be vulnerable to a known exploit, Information Services CERT will notify the system owner with instructions and a deadline for fixing the vulnerability. The timescale will vary depending on the severity of the vulnerability and on how many previous attempts the primary contact has already made to correct the problem. If no action has been taken by the deadline, the computer will be blocked from the network.
Once a computer has been disconnected from the network, it is the owner's responsibility to reformat disks and/or reinstall software on the machine and take any other steps necessary to secure it against future attacks. Reformatting destroys forensic evidence, so in serious cases where police involvement is possible (see above) the owner should confirm with Information Services CERT before wiping the machine. Information Services may be able to offer advice, but this will depend on factors such as its familiarity with the system in use and whether the system was originally supplied and configured by I.S.
Once the computer is secured, it is the owner's responsibility to contact the Information Services CERT team, who will then allow it to be reconnected to the network. At this point, a security scan will be run to verify that the system has been secured. Results will be forwarded to the computer owner.
Refusal by the system's owner to co-operate fully with requests from Information Services CERT will be reported to the University authorities.