Educause Security Discussion mailing list archives
Compromised account procedures
From: "Pfaff, Anthony W" <anthony.pfaff () UCDENVER EDU>
Date: Fri, 11 Mar 2016 00:29:13 +0000
Hello all,

I am curious as to what process the various institutions use when it is noticed that an IT account has been compromised. Our campuses have been the subject of an aggressive phishing campaign, and despite our best education efforts, faculty, staff, and students continue to type their credentials into attacker sites. Our typical practice is to immediately lock out the attacker (as well as the account holder) to prevent the attacker from accessing any personal data or services that the original account holder is privy to, and I'd like to get a better sense of what others out there do.

Specific questions:

1) Does your institution's security team have the ability and authority to unilaterally disable an account they suspect is compromised?

2) Before returning an account to the account owner, what sort of education steps do you take?

3) Before returning an account to the account owner, how do you validate that the attacker has no continued access (e.g., delegated mailbox permissions, forwarding)? Whose responsibility is it to check that there is no "backdoor" back into the account in the various systems your institution uses?

4) What steps do you take to identify what data an attacker might have accessed?

5) Does your institution have a specific policy and procedure documented for this type of situation?

Likewise, I am curious what any Office 365 customers out there do. Specifically:

6) Have you received notices directly from Microsoft indicating an account is sending spam? Do you take these at face value and immediately disable the account?

7) When deciding that an account should be disabled, what do you do to immediately prevent a compromised account from accessing services both in the cloud and on-prem?

Thanks,

Anthony Pfaff | Lead IdM Software Engineer
Middleware and Identity Management
303-315-0057 | anthony.pfaff () ucdenver edu
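As an added example (not part of the original post or any institution's procedure), the following Exchange Online PowerShell script performs the "no backdoor left behind" check from question 3 for an Office 365 mailbox: it reports mailbox-level forwarding, inbox rules that forward, redirect or delete mail, and Full Access or Send-As delegations granted to other principals. It assumes an Exchange Online PowerShell session is already established with a role that can read mailbox settings; the $Upn value is a constructed placeholder.

```powershell
# Added example: audit a mailbox for persistence left after a phishing compromise.
# Assumes an Exchange Online PowerShell session already exists (e.g. via Connect-ExchangeOnline).
# $Upn is a constructed placeholder; pass the affected account's UPN instead.
param([string]$Upn = "compromised.user@example.edu")

$findings = @()

# 1. Mailbox-level forwarding set with Set-Mailbox (does not show up as an inbox rule)
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    $findings += [pscustomobject]@{
        Type   = 'MailboxForwarding'
        Detail = "ForwardingAddress=$($mbx.ForwardingAddress); " +
                 "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress); " +
                 "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
    }
}

# 2. Inbox rules that forward, redirect, or silently delete incoming mail
foreach ($rule in (Get-InboxRule -Mailbox $Upn)) {
    if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage) {
        $findings += [pscustomobject]@{
            Type   = 'InboxRule'
            Detail = "Rule '$($rule.Name)' Enabled=$($rule.Enabled) ForwardTo=$($rule.ForwardTo) " +
                     "RedirectTo=$($rule.RedirectTo) DeleteMessage=$($rule.DeleteMessage)"
        }
    }
}

# 3. Explicit (non-inherited, non-deny) Full Access delegations to other principals
$delegates = Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\SELF' }
foreach ($perm in $delegates) {
    $findings += [pscustomobject]@{ Type = 'FullAccessDelegate'; Detail = "$($perm.User): $($perm.AccessRights -join ',')" }
}

# 4. Send-As permissions granted to other principals
$sendAs = Get-RecipientPermission -Identity $Upn | Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' }
foreach ($perm in $sendAs) {
    $findings += [pscustomobject]@{ Type = 'SendAs'; Detail = "$($perm.Trustee): $($perm.AccessRights -join ',')" }
}

if ($findings.Count -eq 0) { Write-Output "No forwarding or delegation persistence found on $Upn" }
else { $findings | Format-Table -AutoSize }
```

Each finding should be reviewed against what the account owner legitimately configured before it is removed, and the same checks are worth repeating after the password reset, since a rule re-created by a still-valid session would otherwise go unnoticed.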