Jon Giltner from Colorado notes that they respond to about 50 incidents per week. They have a formal documented process established in 2004 that requires notification and involvement of central IT. They use the CERIAS open response database for tracking.
If the incident involves compromise of PII they form a team and mandate independent forensics by a third-party company that takes the machine and does the forensics. The team's primary role is to handle communications: notification of affected individuals (via US postal mail), any press release, etc.
Who's involved? Legal counsel; head of the compromised department; IT security coordinator; tech lead from the department; campus police; university communications; university privacy officer; the university officer with oversight for the compromised department.
They take pains not to point the finger too quickly at the local IT admin – they’re usually overworked, underfunded, and not always properly trained.
There follows some discussion of specific incidents at some of our institutions, and lessons learned.
In one incident a visiting researcher from another institution had a file obtained from the state that contained names and SSNs. The researcher put a laptop containing that information on the campus network despite not meeting campus minimum standards for up-to-date patching and OS levels, and sure enough it was compromised.
The issue of who ends up paying the bill for notification of the people whose information was compromised may well end up in court.
This institution has very good policies about security – but that doesn’t really make much difference as what they have is massive non-compliance across the campus. And that’s not just because people don’t know about the policies. It takes massive culture change, and the top leadership of the institution is now very concerned about it. They have an online security tutorial, and the cabinet has now approved a requirement that everyone complete this tutorial.
They are now doing proactive scans of machines on the network, using a product from McAfee.
A CIO is describing another incident where a machine containing personal and financial information in a department was compromised. Again, this was an incident where the information was being gathered in violation of institutional policy.
What lessons were learned?
- funding security matters, and it’s difficult to obtain on an ongoing basis.
- distributed computing environments are difficult to secure, due to social factors, not technical ones. In this instance the time-to-market for a web site took precedence over a known security hole.
- the institution had no list of where sensitive data is stored – without one, how can you do a risk assessment?
- patch management and antivirus installation are ad hoc – who's responsible? Often it's students bringing up servers, and they don't always have a clue about securing the machines.
- How do we help system administrators respond responsibly to unreasonable demands from their management?
- Central IT is frequently aware of compromises in departments before the department itself.
- Unpatched web servers are often a vector for compromises.
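Two of the points above go together: the institution had no list of where sensitive data is stored, and the proactive network scans are one way to start building that list. The following is an added example, not code from the session, from any of the institutions discussed, or from the McAfee product mentioned: a small sensitive-data discovery scan that walks a directory tree and reports files that appear to contain US Social Security numbers. The file names, the directory layout and the SSN values in the sample are all constructed for the example. The check on the number's structure (area not 000, 666 or 900 and above; group and serial not all zeros) follows the ranges the SSA does not issue, which removes the most common placeholder false positives.

```python
"""Toy sensitive-data discovery scan: find files that look like they hold SSNs.

Added example for these notes. It is not the tool used by any of the
institutions discussed, and the sample files it creates are constructed.
"""
from __future__ import annotations

import os
import re
import tempfile

# Formatted SSN: three, two and four digits separated by dashes.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000). This cuts placeholder false positives such as 000-00-0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in a string, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def mask(ssn: str) -> str:
    """Report only the last four digits, so the scan report itself
    does not become one more copy of the sensitive data."""
    return "***-**-" + ssn[-4:]


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict[str, int]:
    """Walk a directory and return {path: number of plausible SSNs} for every
    file that contains at least one. Binary files (NUL byte present) and files
    over max_bytes are skipped; a real tool would also open spreadsheets,
    PDFs and mail stores rather than only plain text."""
    findings: dict[str, int] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as f:
                    raw = f.read()
            except OSError:
                continue
            if b"\x00" in raw:
                continue
            count = len(find_ssns(raw.decode("utf-8", errors="replace")))
            if count:
                findings[path] = count
    return findings


def demo() -> dict[str, int]:
    """Build a constructed sample tree, scan it, and return the findings
    keyed by path relative to the sample root."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    os.makedirs(os.path.join(root, "research"))
    samples = {  # constructed sample data; not real people or real SSNs
        "research/state_extract.csv": "Doe,Jane,123-45-6789\nRoe,Rick,234-56-7890\n",
        "README.txt": "Placeholders 000-00-0000, 666-12-3456, 999-99-9999; phone 555-1234.\n",
        "notes.txt": "Advisee SSN 345-67-8901 kept here for convenience.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    results = scan_tree(root)
    for path, n in sorted(results.items()):
        print(f"{n:3d} plausible SSN(s) in {os.path.relpath(path, root)}")
    return {os.path.relpath(p, root): n for p, n in results.items()}


if __name__ == "__main__":
    demo()
```

Running it lists `research/state_extract.csv` and `notes.txt` and ignores `README.txt`, whose placeholder values all fall in ranges the SSA does not issue. The point of the exercise is the inventory it produces: once a department knows which machines hold a file like the state extract in the visiting-researcher incident, it can apply the minimum patching standard to those machines first and do a risk assessment that is grounded in something.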