Educause Security Discussion mailing list archives
Re: Compromised Accounts Procedures
From: Matthew Hodgett <m.hodgett () QUT EDU AU>
Date: Thu, 24 May 2012 16:09:32 +1000
We have had a process in place for a while now. Basically, the steps are:

- lock out the account and inform the helpdesk to expect a call
- when the user calls the helpdesk an incident is logged
- both the incident and the user are passed to the ITsec team
- the user is interviewed. This is an opportunity for understanding how the account was compromised, profiling the users, as well as raising the users' security awareness
- the incident and user are then passed to a team that has the ability to unlock accounts and change passwords

From this process we gather stats and this has helped develop detection methods and focus awareness campaigns.

Matthew

On 24/05/12 05:41, Pollock, Joseph wrote:
Our process is still evolving - this hasn't happened frequently. In the most recent case, we observed that the contents of the mailbox had been deleted and some rules set to delete incoming mail. I had a conversation with the user and said not only should the original password not be reused, it should be changed on any other account where it had been used (there may have been information concerning social networking accounts in the mailbox folders, etc.) The user reply was "You mean, like on my bank account?" Sigh...

Joe Pollock
Network Services
The Evergreen State College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bidwell, Lesley
Sent: Wednesday, May 23, 2012 12:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Accounts Procedures

We follow a similar process and also verify that no rules have been added to mail accounts to forward or delete messages.

Lesley A. Bidwell
Director of Networking and Telecommunications Services
SUNY College at Oneonta
607 436 2628
Lesley.Bidwell () oneonta edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rich Graves
Sent: Wednesday, May 23, 2012 2:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Accounts Procedures
--
Matthew Hodgett, MInfTech, CISSP
IT Security Engineer | Queensland University of Technology
Phone: (07) 313 89454 | Fax: (07) 31382921
QUT Classifications, refer MOPP F/1.2.5
CRISCO No. 00213J
----DIGITAL SIGNATURE START----
A11I5BAD000769832858795AD56EC57E5C798A786E768DA87ED76F785EAFA7F577D
----END SIGNATURE----
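
The check mentioned in the quoted replies (mail rules added to forward or delete messages), as an added example that is not part of the original thread. It assumes the mailbox rules have already been exported to a list of records; the field names, the `example.edu` domain and the sample rules are constructed for illustration and are not any mail server's real export format.

```python
# Added example: review exported mailbox rules during a compromised-account
# incident. Field names ("forward_to", "redirect_to", "delete", "move_to",
# "conditions") are hypothetical, chosen for this illustration.

LOCAL_DOMAINS = {"example.edu"}                      # assumption: internal domains
HIDING_FOLDERS = {"deleted items", "trash", "junk e-mail"}

def external(addresses):
    """Return the addresses whose domain is not one of LOCAL_DOMAINS."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]

def audit_rules(rules):
    """Return (rule name, reason) pairs for rules that forward or delete mail."""
    findings = []
    for rule in rules:
        name = rule["name"]
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        outside = external(targets)
        if outside:
            findings.append((name, "forwards to external: " + ", ".join(outside)))
        elif targets:
            findings.append((name, "forwards internally: " + ", ".join(targets)))
        # A rule with no conditions applies to every incoming message.
        hides = rule.get("delete", False) or \
            rule.get("move_to", "").lower() in HIDING_FOLDERS
        if hides:
            scope = "matching mail" if rule.get("conditions") else "all incoming mail"
            findings.append((name, "deletes " + scope))
    return findings

# Constructed sample export for one mailbox.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": "news@example.edu"},
     "move_to": "Newsletters"},
    {"name": ".", "conditions": {}, "delete": True},
    {"name": "fwd", "conditions": {}, "forward_to": ["drop@mail.example.net"]},
    {"name": "Helpdesk", "conditions": {"subject_contains": "helpdesk"},
     "move_to": "Deleted Items"},
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {reason}")
```

Any finding is a prompt to ask the user whether they created the rule before the account is unlocked.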