Educause Security Discussion mailing list archives

Re: Compromised account procedures


From: Jason Cash <cash () UDEL EDU>
Date: Thu, 10 Mar 2016 21:09:55 -0500

Anthony,

  This list is public; I humbly suggest you try this question on a REN-ISAC list.

Regards,
Jason


On Mar 10, 2016, at 7:29 PM, Pfaff, Anthony W <anthony.pfaff () UCDENVER EDU> wrote:

Hello all,
 
I am curious as to what process the various institutions use when it is noticed that an IT account has been 
compromised.  Our campuses have been the subject of an aggressive phishing campaign, and despite our best education 
efforts, faculty, staff, and students continue to type their credentials into attacker sites.  Our typical practice 
is to immediately lock out the attacker (as well as the account holder) to prevent the attacker from accessing any 
personal data or services that the original account holder is privy to, and I’d like to get a better sense of what 
others out there do.
 
Specific questions:
1) Does your institution’s security team have the ability and authority to unilaterally disable an account they 
suspect is compromised?
2) Before returning an account to the account owner, what sort of education steps do you take?
3) Before returning an account to the account owner, how do you validate that the attacker has no continued 
access (e.g., delegated mailbox permissions, forwarding)?  Whose responsibility is it to check that there is no 
“backdoor” back into the account in the various systems your institution uses?
4) What steps do you take to identify what data an attacker might have accessed?
5) Does your institution have a specific policy and procedure documented for this type of situation?
 
Likewise, I am curious what any Office 365 customers out there do.  Specifically:
6) Have you received notices directly from Microsoft indicating an account is sending spam?  Do you take these 
at face value and immediately disable the account?
7) When deciding that an account should be disabled, what do you do to immediately prevent a compromised account 
from accessing services both in the cloud and on-prem?
 
Thanks,
 
Anthony Pfaff | Lead IdM Software Engineer
Middleware and Identity Management
303-315-0057 | anthony.pfaff () ucdenver edu
 
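Questions 3 and 7 in the quoted message ask how to find the "backdoors" an attacker leaves in a mailbox (forwarding, inbox rules, delegated permissions) and how to cut off cloud and on-prem access at once. The PowerShell below is an added example for this archive page; it is not code from either poster or from Microsoft. It assumes an Exchange Online remote PowerShell session (Get-Mailbox, Get-InboxRule, Get-MailboxPermission, Get-RecipientPermission and their Set/Disable/Remove counterparts), the MSOnline module (Set-MsolUser), the AzureAD module (Get-AzureADUser, Revoke-AzureADUserAllRefreshToken) and the on-prem ActiveDirectory module. The address victim@example.edu and the function names are placeholders chosen for the example.

```powershell
# Added example, not from the original thread. Assumes an Exchange Online
# session plus the MSOnline, AzureAD and ActiveDirectory modules are loaded.
# Function names, 'victim@example.edu' and the sAMAccountName are placeholders.

function Get-MailboxBackdoorReport {
    # Returns one object per finding; Ref holds the raw object so a caller
    # can act on it (disable the rule, remove the permission) later.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $findings = @()
    $mbx = Get-Mailbox -Identity $UserPrincipalName

    # 1. Mailbox-level forwarding (set via Set-Mailbox or the OWA options page)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{ Type = 'MailboxForwarding'; Ref = $mbx
            Detail = "Smtp=$($mbx.ForwardingSmtpAddress) Addr=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)" }
    }

    # 2. Inbox rules that forward, redirect or silently delete mail
    foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName) {
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage) {
            $findings += [pscustomobject]@{ Type = 'InboxRule'; Ref = $rule
                Detail = "$($rule.Name) Enabled=$($rule.Enabled) Fwd=$($rule.ForwardTo) Redir=$($rule.RedirectTo) Delete=$($rule.DeleteMessage)" }
        }
    }

    # 3. Explicit Full Access delegations (ignore inherited and the owner's own SELF entry)
    foreach ($perm in Get-MailboxPermission -Identity $UserPrincipalName) {
        if (-not $perm.IsInherited -and $perm.User -ne 'NT AUTHORITY\SELF' -and
            $perm.AccessRights -contains 'FullAccess') {
            $findings += [pscustomobject]@{ Type = 'FullAccessDelegate'; Ref = $perm; Detail = "$($perm.User)" }
        }
    }

    # 4. Send As delegations
    foreach ($perm in Get-RecipientPermission -Identity $UserPrincipalName) {
        if ($perm.Trustee -ne 'NT AUTHORITY\SELF' -and $perm.AccessRights -contains 'SendAs') {
            $findings += [pscustomobject]@{ Type = 'SendAsDelegate'; Ref = $perm; Detail = "$($perm.Trustee)" }
        }
    }

    return $findings
}

function Invoke-CompromisedAccountContainment {
    # Cloud: block sign-in and revoke refresh tokens so already-open sessions die.
    # Mail: strip forwarding, disable (not delete, to keep evidence) rules, drop delegations.
    # On-prem: disable the AD account and reset its password.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$SamAccountName
    )

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block cloud sign-in and revoke tokens')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true
        $aadUser = Get-AzureADUser -ObjectId $UserPrincipalName
        Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove mailbox backdoors')) {
        Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null `
            -ForwardingAddress $null -DeliverToMailboxAndForward $false
        foreach ($f in Get-MailboxBackdoorReport -UserPrincipalName $UserPrincipalName) {
            switch ($f.Type) {
                'InboxRule'          { Disable-InboxRule -Identity $f.Ref.Identity -Mailbox $UserPrincipalName -Confirm:$false }
                'FullAccessDelegate' { Remove-MailboxPermission -Identity $UserPrincipalName -User $f.Ref.User -AccessRights FullAccess -Confirm:$false }
                'SendAsDelegate'     { Remove-RecipientPermission -Identity $UserPrincipalName -Trustee $f.Ref.Trustee -AccessRights SendAs -Confirm:$false }
            }
        }
    }

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable on-prem AD account and reset password')) {
        Disable-ADAccount -Identity $SamAccountName
        # Throwaway random value; the owner gets a fresh password when the account is returned.
        $tmp = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $tmp
    }
}

# Usage: audit first, then contain. -WhatIf lists the actions without running them.
# Get-MailboxBackdoorReport -UserPrincipalName 'victim@example.edu' | Format-Table Type, Detail
# Invoke-CompromisedAccountContainment -UserPrincipalName 'victim@example.edu' -SamAccountName 'victim' -WhatIf
```

Two design points: the audit function runs and records its findings before anything is changed, so the report doubles as the answer to question 4 (what the attacker set up, and therefore likely touched), and inbox rules are disabled rather than removed so the rule text survives for the investigation. Blocking the credential alone does not end sessions that already hold tokens, which is why the token revocation is paired with it.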
