Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Security Incident Response Procedure

...

The purpose of this document is to outline ITS's general approach to dealing with security incidents relating to, or affecting, Carleton's network and computing environment.  It is not intended as a comprehensive framework (along the lines of ISO/IEC 27035), but rather as a way of offering insight into how ITS is working to protect the campus–and to open the floor to additional discussion.a framework for helping clients understand what is happening, and a template we can follow internally in case of a security incident.

This document also outlines our response policy where personally identifiable or otherwise very sensitive information has been disclosed.

Table of Contents
minLevel2
outlinetrue

Motivation

Maintaining Carleton's network and overall computing environment has become, increasingly, a cybersecurity challenge.  2017, in particular, was a bad year for for cybersecurity.  2017 saw a number of highly publicized breaches, like the Equifax hack, as well as new vulnerabilities on computer processors (Spectre and Meltdown), and the rise of ransomware.  In response to these security challenges, ITS has taken steps to improve our ability to monitor our network, detect anomalies, and mitigate vulnerabilities (or outright compromises) when discovered.

This document is concerned, in particular, with mitigation, that is, with ITS's response when a vulnerability or compromise has been discovered.  There is also a detailed section outlining what actions we will take if we determine that personally identifiable or otherwise very sensitive information has been disclosed.

By "vulnerability" we mean an operating state that could allow malicious parties to perform unauthorized actions, for example, an unpatched/un-updated Windows desktop that could be subverted and used as platform for bitcoin mining, spamming, or monitoring of other network traffic to facilitate additional unauthorized actions.  By "compromise" we mean an actual breach, that is, a circumvention of our normal operations by a malicious party that presents an immediate reputational and/or financial risk to the college.

...

  • How immediate is the threat?
    • Is the threat potential (a "vulnerability"), or are we looking at an actual breach?
    • If the threat is potential, what is its CVS score?  How are other schools/businesses addressing the risk?  What actions do our software vendors recommend?
    • What is the actual (and potential) financial risk to the college?
  • Who is affected?
    • A single person or device?
    • A few people (like a small department) or small number of devices?
    • A large number of people or devices, possibly the entire college?
    • Internal or external users?

Mitigation

Once affected people and systems have been assessed, ITS will assign appropriate resources, which may include

  • Helpdesk staff
  • Desktop experts
  • Systems or application administrators
  • ITS leadership
  • Campus leadership
  • External parties (law enforcement, forensics experts, auditors); see below on PII disclosure response

Action we may take to mitigate vulnerabilities and breaches may take a variety of forms, such as

  • Temporarily locking a user's account, to limit damage to their personal information and resources
  • Locking multiple accounts to prevent damage from spreading to new accounts or devices
  • Taking one or more devices physically (or virtually, via software) off the network, to prevent intrusion
  • Removing unauthorized software ("malware")
  • Reimaging/rebuilding affected machines, resetting them to a "known good" state
  • Requesting that a user, or set of similar users, update software, in order to secure a device they are responsible for
  • See also PII disclosure response procedure below

Response in Case of Personally Identifiable Information (PII) Disclosure

When sensitive PII is involved, Carleton's response, once we have discovered a breach, is necessarily more formal.  ITS will:

  • Notify senior Carleton College executives, at minimum the President and Treasurer, and provide ongoing impact assessments
  • Notify law enforcement
  • Remove or isolate the affected system(s) from the network
  • Determine whether the system(s) should be shut down (doing this can wipe out evidence and should be avoided initially)
  • Refrain from accessing or altering compromised system(s) further, until appropriate forensics can be performed
  • Attempt to preserve all evidence, including SIEM and firewall logs, backups, snapshots, and other internal (OS) and external monitoring logs, without altering the system itself
  • Document everything we do, including dates, times, and individuals involved

With respect to notification, a number of laws will guide our response.

At the Minnesota state level, Minnesota Statute 325E.61 requires entities that conduct business in Minnesota, and that own or license personal information, to notify residents of Minnesota without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.  Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.  If more than 500 individuals have to be notified of a breach, we must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), within 48 hours.

At the US federal level, insofar as we maintain health data subject to HIPAA, we must notify affected parties of breaches.  Federal laws are evolving in this area and changing.

At the international level, the GDPR article 33 mandates that, “in the case of a personal data breach, data controllers shall without undue delay” notify the appropriate regulator of the breach. Article 33 goes on to state that, where feasible, this notification should take place no later than 72 hours after the breached party has become aware of the incident.

Persuant to these and other emerging regulations, Carleton will, in the event of a PII breach,

  • Set up a website relating to the incident
  • Send a notification email to affected parties outlining the breach, their risk, and next steps, as well as linking to the website
  • Send paper notifications to the same, where possible
  • In general, provide any information, mitigation, or remedies mandated by law and/or by senior officers of the college

Richard Goerwitz
January 2018

...