A security incident is a computer or network based activity which results (or may result) in misuse, damage, denial of service, compromise of integrity, or loss of confidentiality of a network, computer, application, or data; and threats, misrepresentations of identity, or harassment of or by individuals using these resources. The prohibition of these activities is covered in the Acceptable Use of Information Technology Resources Policy, A/A 2.8.1.
See Reporting Violations in the University's Acceptable Use of Information Technology Resources at www.policy.umn.edu/groups/ppd/documents/procedure/rept_violations.cfm
To report a virus, contact 1-HELP, 612-301-4357.
See Reporting and Notifying Individuals of Security Breaches at http://www.policy.umn.edu/groups/ppd/documents/policy/SecurityBreach_pol.cfm and, for more information, see http://www.policy.umn.edu/groups/ppd/documents/procedure/SecurityBreach_proc1.cfm
Reporting of and response to security incidents is handled by OIT Assurance & Security in the Office of Information Technology. Central coordination of incident response at the University provides a broader view of the nature, scope, and severity of attacks. It also provides better information for identifying individuals or sites that launch attacks, reduces duplication of effort in upstream notification (of sites used to launch attacks), and provides a central point of contact for law enforcement and other incident response teams. Further, it may provide an opportunity to warn those whose systems have recently been compromised before substantial damage is done.
Security incidents often expose University data—and data about members of the University community—to potential deletion, modification, or unauthorized release. Federal and state law protects some data, some data is critical to the University's mission and business, and all data is important to its owners. Security incidents may involve the University in threats to people and resources outside the University, for which the University may be liable. In addition, many security incidents can deny authorized users access to the resources they need.
The process by which incidents are handled is outlined below. It is not intended to provide complete details of incident handling.
Once an incident is reported, OIT Assurance and Security will assess the immediate requirements. In the event that an attack is in progress, unless ongoing surveillance is requested in pursuit of evidence for a criminal or civil action, the response team will take remedial action to discontinue the attack. This action may include temporary denial of service to or from hosts, subnets, or domains inside or external to the University.
When an incident involving an apparently compromised host is reported or discovered, OIT Assurance & Security will notify departmental contacts for affected University computers and site contacts for originating or other affected sites. OIT Assurance & Security may contact departmental administrators about possible risk, or other incident response teams. If a University system has been used for an intrusion attack on systems outside the University, OIT Assurance & Security will attempt to notify vulnerable or compromised down-stream sites.
If the attack is not in progress (or evidence is being gathered), OIT Assurance & Security will contact appropriate departmental security contacts. OIT Assurance & Security will report the allegations to departmental security contacts and work with departmental system and network administrators to gather evidence to try to confirm the attack(s); identify the vulnerabilities that permitted them; identify compromised accounts or hosts; and take remedial action to prevent further abuse. OIT Assurance & Security will collect copies of evidence for analysis, and for use in any legal action against the perpetrators.
If an attack is in progress or it is suspected that a compromised host may be collecting sensitive data, or if OIT Assurance & Security cannot reach the departmental contact within a reasonable period, OIT Assurance & Security may take action to protect other systems from compromise. In this case, service to an affected host will be restored when the system has been cleansed of intrusion (generally by audit of potentially compromised user accounts, removal of affected files, reinstallation of the operating system, and proper patching of the system and its vulnerable applications). OIT Assurance & Security may request copies of intrusion tools from affected hosts; in rare cases, it may request an opportunity to evaluate the host(s) before they are reinstalled.
If an attack is launched through the NTS modem pool, OIT Assurance & Security will request OIT staff to disable the account through which the dialup was authenticated. Account holders will be directed to speak with the Security Incident Response Coordinator prior to having the account re-enabled.
From time to time OIT Assurance & Security detects misuse of user accounts. Misused or apparently compromised student and alumnus accounts are closed, pending discussion with the account holder and change of password. Misuse of accounts may be referred for disciplinary or legal action.
Time is of the essence in many security incidents. If a system administrator or security contact for a particular host cannot be identified or located in a timely manner, OIT Assurance & Security may determine that disconnection from the network is necessary. This action and authority has been delegated by the Chief Information Officer (CIO) to OIT Assurance & Security staff to protect the University network and interests.
If you are annoyed by unsolicited e-mail and/or junk mail, you are not alone. For more information on what it is and what you should do, see the Spam documentation.
OIT Security and Assurance periodically scans the University for vulnerabilities. Due to the dynamic nature of the Internet and Internet threats, we are unable to alert the community for every scan that we are going to do. In general, these scans should have minimal impact on service. If impact is more than minimal, please contact us at abuse@umn.edu. Thanks for your support in the on-going efforts to help protect the University Network.
A network attack is defined as a threat, intrusion, denial-of-service, or other attack on network infrastructure, computer system(s), or user account(s). A network attack can be recognized by changes on your computer that were not made by you, such as files erased or changed and programs running that you didn't start. If your computer is operating much slower than usual, but only when plugged in to the network/Internet, a denial-of-service or other network attack may be in progress directed at your computer, your building, or the whole U of M computer network. Rarely are network attacks directed at a particular faculty, student, or staff person. More often, attackers are not intending to harm an individual; they are searching for an easily compromised computer from which to launch another attack.
Simovits Consulting maintains a List of Trojan Horses and default ports used by Trojans.
Change Passwords
After all security holes or configuration problems have been patched or corrected, we suggest that you change the passwords of ALL accounts on the affected system(s). Ensure that passwords for all accounts are not easy to guess. You may want to consider using vendor-supplied or third-party tools to enforce your password policies.
Caution on Backups
When restoring data from a backup, ensure that the backup itself is from an uncompromised machine. Keep in mind that you could re-introduce a vulnerability that would allow an intruder to gain unauthorized access. Also, if you are only restoring users' home directories and data files, keep in mind that any of those files could contain Trojan horse programs. You may want to pay close attention to .rhosts files in users' home directories.
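The .rhosts caveat above, as an added example (not part of the University's page or its tooling): a small Python audit that walks restored home directories, flags .rhosts/.shosts files that are group- or world-writable or that contain "+" wildcard trust, and lists every remaining trust entry for review. The directory tree it builds is constructed for the example and assumes a POSIX filesystem.

```python
"""Audit restored UNIX home directories for risky .rhosts/.shosts files.

Added example; the sample home-directory tree is constructed in a temp
directory so the audit runs offline against known content.
"""
import stat
import tempfile
from pathlib import Path

RHOSTS_NAMES = (".rhosts", ".shosts")


def audit_rhosts(path: Path) -> list:
    """Return a list of findings (strings) for one .rhosts/.shosts file."""
    findings = []
    mode = path.stat().st_mode
    # A trust file writable by group or others can be edited by any local user.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")
    for lineno, raw in enumerate(path.read_text().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        # "+" as host or user is a wildcard: any host or any user is trusted.
        if host == "+" or user == "+":
            findings.append(f"line {lineno}: wildcard trust '{line}'")
        else:
            # After a compromise every remaining trust entry deserves review.
            findings.append(f"line {lineno}: trust entry '{line}'")
    return findings


def scan_home_dirs(root: Path) -> dict:
    """Map each trust file (relative to root) to its findings."""
    report = {}
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        for name in RHOSTS_NAMES:
            trust_file = home / name
            if trust_file.is_file():
                report[str(trust_file.relative_to(root))] = audit_rhosts(trust_file)
    return report


def build_sample_tree() -> Path:
    """Construct a sample (not real) set of restored home directories."""
    root = Path(tempfile.mkdtemp(prefix="restored_home_"))
    for user in ("alice", "bob", "carol"):
        (root / user).mkdir()
    alice = root / "alice" / ".rhosts"
    alice.write_text("+ +\n")                 # trusts every user on every host
    alice.chmod(0o644)
    bob = root / "bob" / ".rhosts"
    bob.write_text("# ok\nworkstation.example.edu bob\n")
    bob.chmod(0o666)                          # world-writable trust file
    return root
```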
See CERT's Steps for Recovering from a UNIX or NT System Compromise at http://www.cert.org/tech_tips/root_compromise.html
For Reinstall Steps for desktops, see the steps on Safe Computing.
Consult the information on this and other web sites and particularly the Server Security Guideline.
For more information on identity theft as well as what to do if your personal information becomes exposed or if you actually become a victim of identity theft, see Identity Theft on the Safe Computing web site.
The Information Technology Support Staffing Standard outlines the responsibilities and expectations for Technology Support staff and their departments.
Many of the major anti-virus vendors maintain a list of viruses.
Antivirus Research Center - Symantec
There are a number of websites that maintain this information.
The only way to be 100% sure that you are "clean" is to back up important documents and files, then reinstall the system from CD-ROM. The original CD-ROM from the software manufacturer is read-only and cannot be tampered with. The latest virus checker may help by attempting to clean the system, but it cannot guarantee the system's integrity. Once you reinstall your system, install a new version of antivirus software and consider installing a personal firewall software package.
For Removal/Reinstall Steps for desktops, see the steps on Safe Computing.
It depends on your email software. Spamcop.net provides instructions for some of the more popular programs at http://spamcop.net/fom-serve/cache/19.htm
The University Policy is located at: www.policy.umn.edu/groups/ppd/documents/policy/Acceptable_Use.cfm