...
Once a problem has been identified, we assess. Assessment may involve conversations with users, deep analysis of log data, and identification and forensic investigation of affected systems. In complex cases, we may engage third parties, for example, cybersecurity firms with expertise in the area where we've experienced a compromise.
Investigation and assessment can be difficult, and it is sometimes intrusive. It may require careful examination of things like activity logs and email. In general, ITS takes the privacy of the Carleton community very seriously and will only examine and analyze what is strictly needed in order to assess the full extent of a threat that has been identified. Furthermore, the smallest possible group of people will conduct such investigations, and they will not communicate any findings relating to individual user actions other than those strictly relevant to the investigation they are performing. Our goal is to limit risk and damage, and to protect the campus from the normal threats that all networked computing environments are subject to.
Ultimately, in any given case, we want to reach a point where we understand the scope of what has occurred:
...
our risk.
- How immediate is the threat?
- Is the threat potential, or are we looking at an actual breach?
- If the threat is potential only, what is its CVSS score?
- What is the actual (and potential) financial risk to the college?
- Who is affected?
  - A single person or device
  - A few people or devices
  - A large number of people or devices, possibly the entire college
B) What's the criticality?
1. CVSS score as assigned by outside agencies
2. Risk to the individual
3. Risk to several individuals
4. Risk to the College
C) Who's involved in the response?
1. Helpdesk staff
2. Desktop experts (Troy, Reb, Sande)
3. Sysadmins
4. ITS leadership
5. Campus leadership
presents some risk to the college such as loss of productive work time, exfiltration of sensitive information, or
monitoring, prevention, and mitigation task.
Monitoring is
2017 in particular was a bad year for cybersecurity. In the wake of highly publicized breaches like the Equifax hack, new vulnerabilities like Spectre and Meltdown, and widespread ransomware attacks, many Carleton users have asked what ITS is doing--in particular, how we stay aware of what is happening on our network and help keep users as safe as reasonably possible.
The purpose of this page is to summarize the basics of what we are doing and give users, and internal ITS staff, a clearer sense of what we do (and don't) know about the security status of our network, and what we can and can't find out. Not all of the links provided here lead to user-visible pages. Some contain sensitive information. If you have questions, call the Helpdesk (x5999) or talk to the campus IT security officer.
...
Mitigation
Once affected people and systems have been assessed, ITS will assign appropriate resources, which may include
- Helpdesk staff
- Desktop experts
- Systems or application administrators
- ITS leadership
- Campus leadership
- External parties (law enforcement, forensics experts, auditors)
Actions we take to mitigate vulnerabilities and breaches may take a variety of forms, such as
- Temporarily locking a user's account, to limit damage to their personal information and resources
- Locking one or more accounts to prevent damage from spreading to new accounts or devices
- Taking one or more devices physically (or virtually, via software) off the network, to prevent intrusion
- Requesting that a user, or set of similar users, update software, in order to secure a device they are responsible for
Richard Goerwitz
January 2018
...
...