Version 1

Security Incident Response Procedure (Work in Progress)

The purpose of this document is to outline ITS's general approach to dealing with security incidents relating to, or affecting, Carleton's network and computing environment. It is not intended as a comprehensive framework (along the lines of ISO/IEC 27035) but rather as a way of offering insight into how ITS is working to protect the campus, and to open the floor to additional discussion.

Motivation

Maintaining Carleton's network and overall computing environment has increasingly become a cybersecurity challenge. 2017, in particular, was a bad year for cybersecurity. It saw a number of highly publicized breaches, like the Equifax hack, as well as new vulnerabilities in computer processors (Spectre and Meltdown), and the rise of ransomware. In response to these security challenges, ITS has taken steps to improve our ability to monitor our network, detect anomalies, and mitigate vulnerabilities (or outright compromises) when discovered.

This document is concerned, in particular, with mitigation, that is, with ITS's response when a vulnerability or compromise has been discovered.

By "vulnerability" we mean an operating state that could allow malicious actors to perform unauthorized actions, for example, an unpatched or un-updated Windows desktop that could be subverted and used as a platform for bitcoin mining, spamming, or monitoring of other network traffic to facilitate additional unauthorized actions. By "compromise" we mean an actual breach, that is, a circumvention of our normal operations by a malicious party that presents an immediate reputational and/or financial risk to the college.

A breach could be something as minor as, for example, the theft of user credentials, allowing unauthorized parties to assume the identity of a Carleton user.  A breach could also be something as significant as exfiltration of a large amount of sensitive data, or outright theft/ransom of an entire administrative database.

Detection

Detection of anomalous or unauthorized activity in Carleton's computing environment that presents either a reputational or financial risk to the college may come to ITS through a variety of channels, including

  • User reports
  • Automated alerts
  • Semi-automated scanning (for example, when we have reason to suspect a problem exists)
  • Analysis of log data by security staff

Risk Assessment

Once a problem has been identified, we assess.  Assessment may involve conversations with users, deep analysis of log data, and identification and forensic investigation of affected systems.  In complex cases, we may engage third parties, for example, cybersecurity firms with expertise in the area where we've experienced a compromise.

Ultimately, we want to reach a point where we understand the scope of what has occurred:

  • A) Who's affected?
    1. A single person or device
    2. A few people or devices
    3. A large number of people or devices, possibly the entire college

  • B) What's the criticality?
    1. CVSS score as assigned by outside agencies
    2. Risk to the individual
    3. Risk to several individuals
    4. Risk to the College

  • C) Who's involved in the response?
    1. Helpdesk staff
    2. Desktop experts (Troy, Reb, Sande)
    3. Sysadmins
    4. ITS leadership
    5. Campus leadership


 

presents some risk to the college such as loss of productive work time, exfiltration of sensitive information, or 

 

monitoring, prevention, and mitigation task.

Monitoring is 

 

2017 in particular was a bad year for cybersecurity. In the wake of highly publicized breaches like the Equifax hack, new vulnerabilities like Spectre and Meltdown, and widespread ransomware attacks, many Carleton users have asked what ITS is doing, in particular how we stay aware of what is happening on our network and help keep users as safe as reasonably possible.

The purpose of this page is to summarize the basics of what we are doing and give users, and internal ITS staff, a clearer sense of what we do (and don't) know about the security status of our network, and what we can and can't find out. Not all of the links provided here lead to user-visible pages. Some contain sensitive information. If you have questions, call the Helpdesk (x5999) or talk to the campus IT security officer.

Please note: In general, ITS does not track intimate details of what individual users are doing. Rather, we log and track normal activity in aggregate, and respond to things like exceptional activity spikes, indications of compromise, and malware. We look in detail at individual activity only to the extent needed to respond appropriately. (For example, ITS may respond to an alert that a user has logged in simultaneously from two different countries.) We may also take actions like notifying a user if it appears that their account has been compromised and, rarely, locking their account temporarily, to try to limit damage to the user's information and resources.
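The "logged in simultaneously from two different countries" alert mentioned above, worked through as an added example (this is not ITS's own tooling): it parses a few constructed authentication log lines in an assumed format of timestamp, username, source IP and GeoIP country code, and flags any user with logins from two different countries inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Carleton data); the format is assumed.
SAMPLE_LOG = """\
2018-01-15T08:02:11Z login user=alice src=192.0.2.10 country=US
2018-01-15T08:05:43Z login user=bob src=198.51.100.7 country=US
2018-01-15T08:09:02Z login user=alice src=203.0.113.55 country=RU
2018-01-15T09:30:00Z login user=carol src=192.0.2.99 country=US
2018-01-16T12:00:00Z login user=carol src=203.0.113.9 country=FR
2018-01-15T08:10:30Z login user=bob src=198.51.100.8 country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>[A-Z]{2})$"
)

def parse_log(text):
    """Parse log lines into (timestamp, user, country) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["cc"]))
    return events

def find_concurrent_country_logins(events, window_hours=1.0):
    """Return {user: sorted list of (country_a, country_b)} for users whose logins
    from two different countries fall within window_hours of each other."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for ts, user, cc in events:
        by_user[user].append((ts, cc))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so the inner loop can stop early
        pairs = set()
        for i, (ts_a, cc_a) in enumerate(logins):
            for ts_b, cc_b in logins[i + 1:]:
                if ts_b - ts_a > window:
                    break
                if cc_a != cc_b:
                    pairs.add(tuple(sorted((cc_a, cc_b))))
        if pairs:
            alerts[user] = sorted(pairs)
    return alerts

if __name__ == "__main__":
    for user, pairs in find_concurrent_country_logins(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: logins from {pairs} within 1h; notify user, consider temporary lock")
```

With the default one-hour window only alice is flagged; carol's US and FR logins are a day apart and would only be flagged with a much wider window, which is the kind of threshold that needs tuning against normal travel patterns to keep Helpdesk follow-ups manageable.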

Richard Goerwitz
January 2018
