Educause Security Discussion mailing list archives
Re: Incident Response and Forensics
From: "Walther, Benjamin J." <Benjamin.Walther () TUFTS EDU>
Date: Thu, 21 Mar 2013 17:44:25 +0000
In order to mitigate the high workload in detecting PII, we refer to the "4 Questions" business process (https://it.tufts.edu/sec-response). We ask the relevant Information (aka Data) Steward, support provider, user and manager. If they all confirm that there's little-to-no chance of compromised University-related PII, we do not collect the device or disk for forensic investigation. When the majority of reported infections are on lab machines, personal computers, or kiosks, we find that a consensus is sufficiently accurate. We double-check managed machines running IdentityFinder, and sure enough the most we find on 'low risk' compromised computers are a user's personal tax returns. We warn users of compromised machines that malware commonly gathers credentials and reset their institutional password(s). We then re-image the devices without making a copy.

Ben Walther
Tufts Information Security Operations
(617) 627-2640

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shamblin, Quinn
Sent: Thursday, March 21, 2013 12:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Incident Response and Forensics

We have a similar policy here at BU

Quinn R Shamblin
-------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523
Contact me securely: https://securecontact.me/qrs () bu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Josh Flaherty
Sent: Thursday, March 21, 2013 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Incident Response and Forensics

Greetings,

It is our policy that whenever we are notified by an external entity that one of our machines is compromised, we initiate a process which involves collecting the machine, taking an image, scanning for PII and, if PII is found, performing a forensics investigation. The problem is that we have had so many come in the recent months that our forensics staff cannot keep up. My question is, do others have a similar policy for external compromise notifications, or do any of you just remediate the machine and move on?

Thank You,
-Josh Flaherty
Information Security Officer
Indiana State University
Current thread:
- Incident Response and Forensics Josh Flaherty (Mar 21)
- Re: Incident Response and Forensics Shamblin, Quinn (Mar 21)
- Re: Incident Response and Forensics Walther, Benjamin J. (Mar 21)
- Re: Incident Response and Forensics Roger A Safian (Mar 21)
- Re: Incident Response and Forensics Shamblin, Quinn (Mar 21)