
What is a Security Incident?
What and where to report a security incident?
Where to report security breaches?
What are some types of security incidents?
Who handles security incidents?
Why should you care?
What is the incident response process?
Why was I disconnected?

Frequently Asked Questions:

What is a Security Incident?

A security incident is a computer- or network-based activity which results (or may result) in misuse, damage, denial of service, compromise of integrity, or loss of confidentiality of a network, computer, application, or data; it also includes threats, misrepresentations of identity, or harassment of or by individuals using these resources. The prohibition of these activities is covered in the Acceptable Use of Information Technology Resources Policy.

What & where to report a security incident?

See Reporting Violations in the University's Acceptable Use of Information Technology Resources at www.policy.umn.edu/groups/ppd/documents/procedure/rept_violations.cfm

To report a virus, contact 1-HELP, 612-301-4357.

Where to report security breaches?

See Reporting and Notifying Individuals of Security Breaches at
http://www.policy.umn.edu/groups/ppd/documents/policy/SecurityBreach_pol.cfm and for more information, see http://www.policy.umn.edu/groups/ppd/documents/procedure/SecurityBreach_proc1.cfm

What are some types of security incidents?

  • Root-level attacks on networking infrastructure, critical systems, or large, multi-purpose or dedicated servers.
  • Compromise of privileged accounts on computer systems.
  • Denial-of-service attacks on networking infrastructure and critical systems.
  • Attacks launched on others from within umn.edu.
  • Compromise of individual user accounts or desktop (single-user) systems.
  • Scans of University systems originating from the Internet.
  • Spam and mail forgery that originates from, or is relayed through umn.edu.
  • Viruses, Worms and Trojan Horses.
  • Threats to individuals (only in conjunction with law enforcement).
  • For additional examples of security incidents, see the University's Acceptable Use of Information Technology Resources Policy, Appendix N.

Who handles security incidents?

Reporting and response to security incidents are handled by OIT Assurance & Security in the Office of Information Technology. Central coordination of incident response at the University provides a broader view of the nature, scope and severity of attacks. It also provides more information for identifying the individuals or sites that launch attacks, reduces duplication of effort in upstream notification (of sites that are used to launch attacks), and provides a central point of contact for law enforcement and other incident response teams. Further, it may make it possible to warn those whose systems have recently been compromised before substantial damage is done.

Why should you care?

Security incidents often expose University data—and data about members of the University community—to potential deletion, modification, or unauthorized release. Federal and state law protects some data, some data is critical to the University's mission and business, and all data is important to the owners. Security incidents may involve the University in threats to people and resources outside the University, for which the University may be liable. In addition, many security incidents can deny authorized users access to the resources they need.

What is the incident response process?

The process by which incidents are handled is outlined below. It is not intended to provide complete details of incident handling.

Once an incident is reported, OIT Assurance and Security will assess the immediate requirements. In the event that an attack is in progress, unless ongoing surveillance is requested in pursuit of evidence for a criminal or civil action, the response team will take remedial action to discontinue the attack. This action may include temporary denial of service to or from hosts, subnets, or domains inside or external to the University.

When an incident involving an apparently compromised host is reported or discovered, OIT Assurance & Security will notify departmental contacts for affected University computers and site contacts for originating or other affected sites. OIT Assurance & Security may contact departmental administrators about possible risk, or other incident response teams. If a University system has been used for an intrusion attack on systems outside the University, OIT Assurance & Security will attempt to notify vulnerable or compromised down-stream sites.

If the attack is not in progress (or evidence is being gathered), OIT Assurance & Security will contact appropriate departmental security contacts. OIT Assurance & Security will report the allegations to departmental security contacts and work with departmental system and network administrators to gather evidence to try to confirm the attack(s); identify the vulnerabilities that permitted them; identify compromised accounts or hosts; and take remedial action to prevent further abuse. OIT Assurance & Security will collect copies of evidence for analysis, and for use in any legal action against the perpetrators.

If an attack is in progress or it is suspected that a compromised host may be collecting sensitive data, or if OIT Assurance & Security cannot reach the departmental contact within a reasonable period, OIT Assurance & Security may take action to protect other systems from compromise. In this case, service to an affected host will be restored when the system has been cleansed of intrusion (generally by audit of potentially compromised user accounts, removal of affected files, reinstallation of the operating system, and proper patching of the system and its vulnerable applications). OIT Assurance & Security may request copies of intrusion tools from affected hosts; in rare cases, it may request an opportunity to evaluate the host(s) before they are reinstalled.

If an attack is launched through the NTS modem pool, OIT Assurance & Security will request OIT staff to disable the account through which the dialup was authenticated. Account holders will be directed to speak with the Security Incident Response Coordinator prior to having the account re-enabled.

From time to time OIT Assurance & Security detects misuse of user accounts. Misused or apparently compromised student and alumnus accounts are closed, pending discussion with the account holder and change of password. Misuse of accounts may be referred for disciplinary or legal action.

Why was I disconnected?

Time is of the essence in many security incidents. If a system administrator or security contact for a particular host cannot be identified or located in a timely manner, OIT Assurance & Security may determine that disconnection from the network is necessary. This action and authority has been delegated by the Chief Information Officer (CIO) to OIT Assurance & Security staff to protect the University network and interests.

FAQs

I am frustrated about all the spam I am receiving, what should I do?

If you are annoyed by unsolicited e-mail and/or junk mail, you are not alone. For more information on what it is and what you should do, see the Spam documentation.

Does OIT Security announce vulnerability scans?

OIT Assurance & Security periodically scans the University network for vulnerabilities. Because Internet threats change constantly, we are unable to alert the community before every scan. In general, these scans should have minimal impact on service. If the impact is more than minimal, please contact us at abuse@umn.edu. Thanks for your support in the ongoing effort to help protect the University network.

Where can I find information on current incidents and advisories?

What is a network attack?

A network attack is defined as a threat, intrusion, denial-of-service, or other attack on network infrastructure, computer system(s), or user account(s). A network attack can be recognized by changes on your computer that were not made by you, such as files erased or changed and programs running that you didn't start. If your computer is operating much slower than usual, but only when plugged-in to the network/Internet, a denial-of-service or other network attack may be in progress directed at your computer, your building, or the whole U of M computer network. Rarely are network attacks directed at a faculty, student, or staff person. More often, attackers are not intending to harm an individual; they are searching for an easily compromised computer from which to launch another attack.

What are some of the default ports used by Trojans?

Simovits Consulting maintains a List of Trojan Horses and default ports used by Trojans.

What do I need to do after my computer has been compromised?

  • After reporting the incident, wait for OIT Security to work with you on the next steps. If a specific computer is involved, it must remain powered on (so that volatile evidence such as running processes and memory contents is preserved) but disconnected from the network until OIT Security can review it and assess the next steps. After getting approval from OIT Security, we encourage you to restore your system by reinstalling the operating system from the original distribution media.
  • Keep in mind that if a machine is compromised, anything on that system could have been modified, including the kernel, binaries, data files, running processes, and memory. In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise this machine may not be enough.
  • Change Passwords
    After all security holes or configuration problems have been patched or corrected, we suggest that you change the passwords of ALL accounts on the affected system(s). Ensure that passwords for all accounts are not easy to guess. You may want to consider using vendor-supplied or third-party tools to enforce your password policies.

    Caution on Backups
    When restoring data from a backup, ensure that the backup itself is from an uncompromised machine. Keep in mind that you could re-introduce a vulnerability that would allow an intruder to gain unauthorized access. Also, if you are only restoring users' home directories and data files, keep in mind that any of those files could contain Trojan horse programs. You may want to pay close attention to .rhosts files in users' home directories.

    See CERT's Steps for Recovering from a UNIX or NT System Compromise at http://www.cert.org/tech_tips/root_compromise.html

    For Reinstall Steps for desktops, see the steps on Safe Computing.
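    The check on restored home directories described above can be scripted. The following is an added example written for this FAQ, not OIT code: it walks a restored home-directory tree and reports rhosts-style trust files (the .rhosts files mentioned above, plus .shosts and hosts.equiv), flags wildcard "+" entries and trust files that are group- or world-writable, and lists every key in ~/.ssh/authorized_keys, since a planted SSH key is the modern equivalent of an .rhosts entry (that last check is this example's addition). The user names, hostnames and sample files it creates are constructed for the demonstration.

```python
"""Audit a restored home-directory tree for files that grant login without a
password.  Added example for this FAQ, not OIT code.  .rhosts, .shosts and
hosts.equiv are the files the page warns about; checking
~/.ssh/authorized_keys as well is this example's addition."""
import os
import stat
import tempfile

RHOSTS_NAMES = {".rhosts", ".shosts", "hosts.equiv", "shosts.equiv"}
KEY_NAMES = {"authorized_keys", "authorized_keys2"}


def audit_rhosts(path):
    """Findings (path, severity, detail) for one rhosts-style trust file."""
    findings = []
    # A trust file that group or others can write is itself a backdoor.
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, "high", "file is group/world writable"))
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            entry = line.split("#", 1)[0].strip()
            if not entry:
                continue
            # Entry syntax is "<host> [<user>]"; "+" in either field means "any".
            severity = "high" if "+" in entry.split() else "review"
            findings.append((path, severity, f"line {lineno}: trusts '{entry}'"))
    return findings


def audit_authorized_keys(path):
    """List every SSH key; a key the owner did not add is a passwordless backdoor."""
    findings = []
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            entry = line.strip()
            if not entry or entry.startswith("#"):
                continue
            # Line is "[options] <type> <base64> [comment]".  OpenSSH key blobs
            # always begin with "AAAA", so a last field that does not is the comment.
            fields = entry.split()
            has_comment = len(fields) >= 3 and not fields[-1].startswith("AAAA")
            comment = fields[-1] if has_comment else "(no comment)"
            findings.append((path, "review", f"line {lineno}: ssh key '{comment}'"))
    return findings


def audit_home_tree(root):
    """Walk the restored tree and collect findings from every trust file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RHOSTS_NAMES:
                findings.extend(audit_rhosts(path))
            elif name in KEY_NAMES and os.path.basename(dirpath) == ".ssh":
                findings.extend(audit_authorized_keys(path))
    return findings


def build_sample_tree(root):
    """Write a constructed sample (invented users and files) under root."""
    alice_ssh = os.path.join(root, "alice", ".ssh")
    os.makedirs(alice_ssh)
    rhosts = os.path.join(root, "alice", ".rhosts")
    with open(rhosts, "w") as fh:
        fh.write("# constructed sample\n+ +\nlab.example.edu alice\n")
    os.chmod(rhosts, 0o600)
    with open(os.path.join(alice_ssh, "authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL intruder@nowhere.invalid\n")
    bob = os.path.join(root, "bob")
    os.makedirs(bob)
    bob_rhosts = os.path.join(bob, ".rhosts")
    with open(bob_rhosts, "w") as fh:
        fh.write("\n")
    os.chmod(bob_rhosts, 0o666)  # empty, but anyone on the host could fill it in
    return root


def demo():
    """Audit the constructed sample in a fresh temp directory; return findings."""
    return audit_home_tree(build_sample_tree(tempfile.mkdtemp(prefix="restore-audit-")))


if __name__ == "__main__":
    for path, severity, detail in demo():
        print(f"[{severity}] {path}: {detail}")
```

    Point audit_home_tree at the mount point of the restored backup before copying anything back: every "high" finding should be removed, and every "review" entry confirmed with the account owner, since the backup may have been taken after the intruder planted it.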

Where can I find information on securing various operating systems?

Consult the information on this and other web sites and particularly the Server Security Guideline.

Where can I find more information on how to protect myself from identity theft or what to do if my personal information becomes exposed?

For more information on identity theft, as well as what to do if your personal information becomes exposed or if you actually become a victim of identity theft, see Identity Theft on the Safe Computing web site.

What are the responsibilities and expectations for University Technology Support Staff administrators?

The Information Technology Support Staffing Standard outlines the responsibilities and expectations for Technology Support staff and their departments.

Where can I find information on viruses?

Many of the major anti-virus vendors maintain a list of viruses.
Antivirus Research Center - Symantec

Where can I find information on myths, hoaxes and chain letters?

There are a number of websites that maintain this information.

What do I need to do to make sure that a virus has been completely removed from my computer?

The only way to be 100% sure that you are "clean" is to back up important documents and files, then reinstall the system from CD-ROM. The original CD-ROM from the software manufacturer is read-only and cannot have been tampered with. A current virus scanner may be able to clean the system, but it cannot guarantee the system's integrity. Once you reinstall your system, install a current version of antivirus software and consider installing a personal firewall package.

For Removal/Reinstall Steps for desktops, see the steps on Safe Computing.

How do I get my e-mail program to reveal the full, unmodified email, including headers?

It depends on your email software. Spamcop.net provides instructions for some of the more popular programs at http://spamcop.net/fom-serve/cache/19.htm
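Once you have the full headers, the Received: lines show the path the message took. They are written newest-first (the top line was added by the last server to handle the message), and only the lines added by servers you operate can be trusted, because a spammer can prepend forged ones before handing the message over. The following is an added example for this FAQ, not code from OIT or Spamcop, that walks the chain top-down and stops at the first hop outside the trusted domain. The sample message, its hostnames and its IP addresses (taken from the documentation ranges) are constructed, and "example.edu" stands in for umn.edu as the trusted domain.

```python
"""Find where a message entered our mail system from its Received: headers.
Added example for this FAQ; not code from OIT or Spamcop."""
import email
import re

# Received: "from <helo> (<rdns> [<ip>]) by <receiver> ...".  The parenthesised
# part is what the receiving server observed; the HELO name is the sender's claim.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<seen>[^)]*)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample, not a real message.  The bottom Received: line was forged
# by the sender to make the mail look as if it came from a campus host.
SAMPLE = """\
Received: from relay.example.edu (relay.example.edu [192.0.2.10])
\tby mailbox.example.edu (Postfix) with ESMTP id 0123ABC;
\tMon, 3 Mar 2003 09:15:02 -0600 (CST)
Received: from mail.bigisp.example (unknown [203.0.113.77])
\tby relay.example.edu (Postfix) with SMTP id 4567DEF;
\tMon, 3 Mar 2003 09:15:01 -0600 (CST)
Received: from trusted.example.edu (trusted.example.edu [192.0.2.50])
\tby mail.bigisp.example with ESMTP;
\tMon, 3 Mar 2003 09:14:00 -0600
From: "Help Desk" <helpdesk@example.edu>
To: user@example.edu
Subject: Your account

Please send us your password.
"""


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_received(value):
    """Split one Received: value into (helo, seen_host, ip, by_host), or None."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    seen = m.group("seen") or ""
    ip = IP_RE.search(seen)
    # The reverse-DNS name precedes the bracketed IP; "[ip]" alone means no name.
    seen_host = seen.split()[0] if seen and not seen.startswith("[") else None
    return (m.group("helo").rstrip(";,"), seen_host,
            ip.group(1) if ip else None, m.group("by").rstrip(";,"))


def entry_point(raw_message, trusted_domain):
    """Walk Received: lines newest-first and return the first hop outside
    trusted_domain as (helo, seen_host, ip), or None if none is verifiable.
    Lines written by servers outside the domain are never consulted: the
    sender controls everything below our own relays."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received") or []:
        parsed = parse_received(value)
        if parsed is None:
            continue
        helo, seen_host, ip, by_host = parsed
        if not in_domain(by_host, trusted_domain):
            return None  # below our boundary; nothing further can be vouched for
        # Only the reverse-DNS name our own server recorded counts as inside;
        # "unknown" or a missing lookup is treated as external.
        if not in_domain(seen_host, trusted_domain):
            return helo, seen_host, ip
    return None


if __name__ == "__main__":
    print(entry_point(SAMPLE, "example.edu"))
```

For the sample this stops at the relay.example.edu line and reports 203.0.113.77 as the handoff point; the bottom line claiming trusted.example.edu is never consulted, which is the point. When reporting spam, the IP returned here is the one to cite, not any address in the From: header or in Received: lines below your own relays.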

What is the University's policy on Acceptable Use of Technology Resources?

The University Policy is located at: www.policy.umn.edu/groups/ppd/documents/policy/Acceptable_Use.cfm