Educause Security Discussion mailing list archives

Re: Compromised Accounts Procedures


From: Rich Graves <rgraves () CARLETON EDU>
Date: Wed, 23 May 2012 13:25:23 -0500

When I become aware of an account compromise, I (run a script to) disable the password and create a ticket (in WebHelpDesk.com) with a few custom fields, below. The user *must* go through the helpdesk because self-service challenge questions and SMS callbacks could be changed with the password alone.

The "How Compromised?" question is required. We only started doing this a few months ago, so I don't know how useful 
the metrics are going to be. The other questions are optional, just to remind helpdeskers what to do.

  How Compromised?
  () Phishing  () Malware  () Disclosed to a "Friend" () Other (specify in notes) () Unknown

  Client has been told their password must be completely different than the original?
  () No  () Yes

  Instruct client to change password on:
    [] Handhelds
    [] Mail Clients
    [] Restart Workstation

Phishing accounts for the vast majority, but we have had a few passwords presumed disclosed by malware, and a case where a student was sharing their password with a parent, raising questions of online quiz integrity. Yes, we've seen several cases where a password was phished, the student resets their password to something that differs from the original by only one digit, repeat.
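
The "completely different than the original" requirement and the one-digit resets described in the message above can be checked mechanically at reset time. The following is an added example, not part of the original message or any script its author uses. It assumes the reset form has the compromised password in plaintext (it cannot be done against a stored hash), and the function names, the threshold of 4 and the sample passwords are all constructed for illustration.

```python
import re
from typing import Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Lower-case and keep letters only, so 'Maple2013!' becomes 'maple'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def too_similar(old: str, new: str, min_distance: int = 4) -> Optional[str]:
    """Return a reason if `new` is a near-variant of the compromised `old`,
    or None if it passes. min_distance is an assumed policy value."""
    if old.lower() == new.lower():
        return "same password apart from letter case"
    s_old, s_new = stem(old), stem(new)
    if len(s_old) >= 4 and len(s_new) >= 4:
        if s_old == s_new:
            return "same letters, only digits or symbols changed"
        if s_old in s_new or s_new in s_old:
            return "old password's letters reused inside the new one"
    d = edit_distance(old.lower(), new.lower())
    if d < min_distance:
        return f"edit distance {d} is below the minimum of {min_distance}"
    return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    old = "Maple2012"
    for candidate in ("Maple2013", "Naple2012", "MyMaple2012Rocks",
                      "correct-horse-battery"):
        print(f"{candidate!r}: {too_similar(old, candidate) or 'accepted'}")
```
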

