Educause Security Discussion mailing list archives
Re: Compromised Accounts Procedures
From: "Tonkin, Derek K." <Derek_Tonkin () BAYLOR EDU>
Date: Wed, 23 May 2012 18:04:14 +0000
I guess my situation is kind of different (or I'm misinterpreting what you're asking) in that I'm looking for what information to gather/maintain when we confirm a compromised account, from the point of discovery to the point of re-enabling or removing the account. What data is meaningful to gather for the dual purposes of record-keeping and establishing trends/metrics?

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu
254-710-7061
---------------Sic 'em Bears---------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Meyers
Sent: Wednesday, May 23, 2012 12:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Accounts Procedures

I'm trying to address compromised accounts, and not compromised machines. While the two are often coupled, we are trying to address the specific concern of codifying responses to reports from users that account credentials appear to have been hacked, hijacked, stolen, etc.

Thanks to all for the discussion.

Bob

Robert E. Meyers, Ms.Ed.
Manager, Security Awareness
Information Security Services
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu
On Wednesday, May 23, 2012 at 1:41 PM, Aaron Kirby <akirbyco () GMAIL COM> wrote:

Good point. I would say that the compromised account could be a result of a compromised machine, so it would seem to make sense not to decouple the process.

On Wed, May 23, 2012 at 1:33 PM, Jacobson, Dick <dick.jacobson () ndus edu> wrote:

Might be a fine line, but isn't a compromised account different than a compromised machine? And probably necessitates a different remediation procedure?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Aaron Kirby
Sent: Wednesday, May 23, 2012 12:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Accounts Procedures

You could take a look at how Google is handling the DNS changer infections.
http://krebsonsecurity.com/2012/05/google-to-warn-500000-of-dns-changer-infections/

On Wed, May 23, 2012 at 1:10 PM, Tonkin, Derek K. <Derek_Tonkin () baylor edu> wrote:

I'm looking into doing this as well, so I'd be interested in any templates others have developed as a jumping-off point.

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu
254-710-7061
---------------Sic 'em Bears---------------

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Robert Meyers
Sent: Wednesday, May 23, 2012 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Compromised Accounts Procedures

Does anyone have a documented process, guidelines, or procedures taken when a user reports a compromised account? We are looking to create such documentation in order to establish consistency in our trouble ticket handling of such cases.

Thanks in advance!

Bob

Robert E. Meyers, Ms.Ed.
Manager, Security Awareness
Information Security Services
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu
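The record-keeping and metrics question raised above (what to capture from discovery through re-enable or removal, and what trends that supports), as an added example that is not from the thread or any of its participants: a Python case record for a compromised-account ticket plus a rollup of the metrics it makes possible. The field names, the compromise-vector vocabulary, the pre-re-enable containment checks and the four sample cases are assumptions (constructed data), not anyone's actual procedure; the linked-machine-case field is there because the thread itself notes that a compromised account is often the symptom of a compromised host.

```python
"""Added example: a minimal case record for compromised-account tickets and the
metrics one can derive from it. Illustrative code written for this page, not any
institution's procedure; field names, vectors and sample cases are assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Assumed vocabulary for how the credential was compromised (not from the thread).
VECTORS = {"phishing", "malware", "password_reuse", "shared_credential", "unknown"}


@dataclass
class CompromisedAccountCase:
    case_id: str
    account: str
    reported_at: datetime            # point of discovery
    reported_by: str                 # "user", "helpdesk", "abuse_complaint", "siem"
    vector: str = "unknown"          # one of VECTORS; updated as the investigation proceeds
    indicators: list[str] = field(default_factory=list)  # e.g. "outbound_spam"
    disabled_at: Optional[datetime] = None
    credentials_reset_at: Optional[datetime] = None
    sessions_revoked: bool = False
    linked_machine_case: Optional[str] = None   # set when a compromised host is the root cause
    reenabled_at: Optional[datetime] = None
    removed_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.vector not in VECTORS:
            raise ValueError(f"unknown vector {self.vector!r}")

    def time_to_contain(self) -> Optional[timedelta]:
        """Discovery -> account disabled. None while the account is still open."""
        return None if self.disabled_at is None else self.disabled_at - self.reported_at

    def time_to_restore(self) -> Optional[timedelta]:
        """Discovery -> user back in service (re-enable). None if removed or still out."""
        return None if self.reenabled_at is None else self.reenabled_at - self.reported_at

    def is_closed(self) -> bool:
        return self.reenabled_at is not None or self.removed_at is not None

    def containment_gaps(self) -> list[str]:
        """Steps a re-enabled account should have completed first (assumed checklist)."""
        gaps: list[str] = []
        if self.reenabled_at is not None:
            if self.credentials_reset_at is None:
                gaps.append("credentials_not_reset")
            if not self.sessions_revoked:
                gaps.append("sessions_not_revoked")
            if self.vector == "malware" and self.linked_machine_case is None:
                gaps.append("no_machine_case_for_malware_vector")
        return gaps


def summarize(cases: list[CompromisedAccountCase]) -> dict:
    """Trend/metric rollup over a batch of cases (e.g. one month of tickets)."""
    contained = [c.time_to_contain() for c in cases if c.time_to_contain() is not None]
    restored = [c.time_to_restore() for c in cases if c.time_to_restore() is not None]
    by_account = Counter(c.account for c in cases)
    return {
        "total": len(cases),
        "open": sum(1 for c in cases if not c.is_closed()),
        "by_vector": dict(Counter(c.vector for c in cases)),
        "by_reporter": dict(Counter(c.reported_by for c in cases)),
        "median_contain_minutes": median(t.total_seconds() / 60 for t in contained) if contained else None,
        "median_restore_hours": median(t.total_seconds() / 3600 for t in restored) if restored else None,
        "repeat_accounts": sorted(a for a, n in by_account.items() if n > 1),
        "cases_with_gaps": {c.case_id: c.containment_gaps() for c in cases if c.containment_gaps()},
    }


def sample_cases() -> list[CompromisedAccountCase]:
    """Constructed sample data, not real incidents."""
    t0 = datetime(2012, 5, 21, 9, 0)
    return [
        CompromisedAccountCase("C-1", "jdoe", t0, "abuse_complaint", "phishing", ["outbound_spam"],
                               disabled_at=t0 + timedelta(minutes=20),
                               credentials_reset_at=t0 + timedelta(hours=3),
                               sessions_revoked=True, reenabled_at=t0 + timedelta(hours=4)),
        CompromisedAccountCase("C-2", "asmith", t0 + timedelta(days=1), "siem", "malware",
                               ["login_from_new_country"],
                               disabled_at=t0 + timedelta(days=1, minutes=5),
                               credentials_reset_at=t0 + timedelta(days=1, hours=1),
                               sessions_revoked=True, linked_machine_case="M-17",
                               reenabled_at=t0 + timedelta(days=1, hours=6)),
        # Re-enabled without a reset or session revocation: the rollup flags it.
        CompromisedAccountCase("C-3", "jdoe", t0 + timedelta(days=2), "user", "password_reuse",
                               disabled_at=t0 + timedelta(days=2, minutes=60),
                               reenabled_at=t0 + timedelta(days=2, hours=2)),
        CompromisedAccountCase("C-4", "guest42", t0 + timedelta(days=2, hours=3), "helpdesk", "unknown",
                               disabled_at=t0 + timedelta(days=2, hours=3, minutes=10),
                               removed_at=t0 + timedelta(days=3)),
    ]


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(sample_cases()), indent=2))
```

The two timestamps that matter for trending are discovery-to-disable (how fast the helpdesk or SOC contains) and discovery-to-re-enable (how long the user is without service); keeping them as separate fields rather than one "closed" time is what lets the rollup report both. The `containment_gaps` check is the record-keeping payoff: a case closed without a credential reset or session revocation shows up in the metrics instead of disappearing into the ticket queue, and repeat accounts surface without a separate query.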