Educause Security Discussion mailing list archives
Re: Releasing details
From: Eric Jernigan <eric.jernigan () PCC EDU>
Date: Wed, 23 Jan 2008 12:07:17 -0800
Cases like these present a risky situation to your team. They involve problems that look solvable by a campus IT Security team. Assuming the team has more than enough resources to solve the technical issue (training, efficient logging, an accurate IP address from someone not bright enough to go through a TOR proxy or a compromised machine - AKA botnet machine), it still leaves you in the situation of doing investigative work which is outside of the charter of IT Security. The only exception is if they are part of the Campus Police/Public Safety. Investigation is a law enforcement function.

Even if your team does the right things and answers Joan's question, the risk of tainting evidence is probable. Even if you avoid that, what happens if you give Joan the contact information? What can she do that won't point back to having to retrace the entire investigation again for the authorities? In a worst case scenario, what happens if when Joan says "take action" she means hacking back the offender, or worse blowback-action (semi-auto handgun)?

It's our duty (IMO) to assume Joan is truthful to the best of her knowledge. Only when following up with her reveals otherwise should you eliminate her complaint as being credible. With that in mind, this is a serious complaint. In 1997 the laws didn't take these situations seriously ("See, Johnny's learning computers."). Now, it's a different world; John Doe (no relation) has the risk of jail time now for maliciously altering Joan's account. Law enforcement must be involved.

Because of these reasons, law enforcement at a minimum needs to be advised (and the contact documented) in any of these situations. If your department is still one of the technology resistant - "computers - phooey! Eliot Ness didn't have one." - you need to inform them anyway and ask them to coordinate contact with the next level of support. Helpful or not, the Campus Police/Public Safety need to be in the loop.

Hope this helps.
Eric Jernigan
Information Security Manager, Technology Solution Services
Portland Community College
PO Box 19000
Portland OR 97280-0990
503-977-4896
Eric.jernigan () pcc edu
"INFORMATION IS POWER"
________________________________________
NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential or privileged information as well as information covered by the Privacy Act, FERPA, HIPAA, and/or other laws. Any unauthorized review, use, disclosure or distribution is prohibited unless permission is obtained from the original sender.
________________________________________

_____
From: Theresa Rowe [mailto:rowe () OAKLAND EDU]
Sent: Tuesday, January 22, 2008 1:32 PM
Subject: Releasing details

We sometimes get requests from students and staff that read something like the following:

"Joan Doe called the Help Desk asking if we could trace an IP address of a computer that sent an email from her account on January 19 sometime around 3:30 AM. She said that someone had hacked into her email account and deleted some messages as well as sent some. She has since then changed her password but is now looking to take action on the person that sent it."

Do you have protocols on how you handle such an incident? In most of these cases, the logins look authentic - i.e., the real ID and password were used.

--
Theresa Rowe
Chief Information Officer
rowe () oakland edu
Oakland University