Educause Security Discussion mailing list archives

Re: Releasing details


From: Eric Jernigan <eric.jernigan () PCC EDU>
Date: Wed, 23 Jan 2008 12:07:17 -0800

Cases like these present a risky situation to your team. They involve
problems that look solvable by a campus IT Security team. Assuming the team
has more than enough resources to solve the technical issue (training,
efficient logging, an accurate IP address from someone not bright enough to
go through a TOR proxy or a compromised machine, AKA a botnet machine), it
still leaves you in the situation of doing investigative work which is
outside of the charter of IT Security. The only exception is if they are
part of the Campus Police/Public Safety. Investigation is a law enforcement
function. Even if your team does the right things and answers Joan's
question, the risk of tainting evidence is probable. Even if you avoid that,
what happens if you give Joan the contact information? What can she do that
won't point back to having to retrace the entire investigation again for the
authorities? In a worst-case scenario, what happens if, when Joan says "take
action," she means hacking back the offender, or worse, blowback action
(semi-auto handgun)?



It's our duty (IMO) to assume Joan is truthful to the best of her knowledge.
Only when following up with her reveals otherwise should you eliminate her
complaint as being credible. With that in mind, this is a serious complaint.
In 1997 the laws didn't take these situations seriously ("See, Johnny's
learning computers."). Now, it's a different world; John Doe (no relation)
has the risk of jail time now for maliciously altering Joan's account. Law
enforcement must be involved.



For these reasons, law enforcement, at a minimum, needs to be advised
(and the contact documented) in any of these situations. If your department
is still one of the technology-resistant ("Computers, phooey! Eliot Ness
didn't have one."), you need to inform them anyway and ask them to coordinate
contact with the next level of support. Helpful or not, the Campus
Police/Public Safety need to be in the loop.



Hope this helps.



Eric Jernigan

Information Security Manager,

Technology Solution Services

Portland Community College

PO Box 19000

Portland OR 97280-0990

503-977-4896

Eric.jernigan () pcc edu



"INFORMATION IS POWER"




  _____

From: Theresa Rowe [mailto:rowe () OAKLAND EDU]
Sent: Tuesday, January 22, 2008 1:32 PM
Subject: Releasing details



We sometimes get requests from students and staff that read something like
the following:

"Joan Doe called the Help Desk asking if we could trace an IP address of a
computer that sent an email from her account on January 19 sometime around
3:30 AM. She said that someone had hacked into her email account and deleted
some messages as well as sent some. She has since then changed her password
but is now looking to take action on the person that sent it."

Do you have protocols on how you handle such an incident?  In most of these
cases, the logins look authentic - i.e., the real ID and password were used.



--
Theresa Rowe
Chief Information Officer
rowe () oakland edu
Oakland University

