CSUSB Containment Guidelines CSUSB, Information Security Office

Transcription

1 CSUSB, Infrmatin Security Office Last Revised: 01/30/2013 Final

2 REVISION CONTROL Dcument Title: Authr: File Reference: CSUSB Cntainment Guidelines Javier Trner Date By Actin Pages 03/30/05 J Trner Created Guidelines All 07/25/05 J Trner Added Evidence Preservatin 08/11/05 J Trner Added Incident Handling 10/30/06 J Macdnell Added Incident Cntainment Prcedure 08/01/07 J Macdnell Added Incident Interview Review/Apprval Histry Date By Actin Pages All - 2 -

3 1.0 Incident Ntificatin... 4 Individual Ntificatin f Incidents... 4 Ntificatin f Incidents - Multiple systems... 4 Escalatin Security Event Ntificatin Template Evidence Preservatin Evidence Preservatin Template Incident Cntainment Prcedure Chain f Custdy Dcument

4 1.0 Incident Ntificatin The fllwing are general guidelines when sending ntificatin fr security incidents t the wners r custdians f cmputer r infrmatin systems. Hwever, when security incidents invlve vilatins f state r federal laws, CSU r CSUSB plicies, ntificatins must adhere t the prcedures utline in the crrespnding CSU r CSUSB plicy. If in dubt abut the nature f the incident cntact the University Infrmatin Security Officer. An template fr incident ntificatin can be fund in the IncidentNtificatinTemplate dcument. Individual Ntificatin f Incidents Individual ntificatins are t be used fr thse systems which belng t a department r are under the care f an identified grup n campus. The ntificatin must include the fllwing infrmatin: Identificatin f the system in questin, such as IP-address, MAC address, prt number, lcatin, etc verifiable evidence in the frm f an excerpt f a lg file actin taken, if any be sent t the technician f recrd must be cpied t the immediate supervisr/manager/department chair must include apprpriate instructins in case the system in questin cntains r is used t access persnal infrmatin must be cc t [email protected] shuld include a digital signature Ntificatin f Incidents - Multiple systems Ntificatin f incidents when there are multiple systems under the care f different grups n campus can be sent t the technician listserv ([email protected]) fr prmpt actin. The ntificatin must include the fllwing infrmatin: Identificatin f the systems in questin, such as IP-addresses, MAC addresses, prt numbers, lcatins, etc verifiable evidence in the frm f an excerpt f a lg file actin taken, if any must be sent t [email protected] must be cpied t the help desk at [email protected] must include apprpriate instructins in case the system in questin cntains r is used t access persnal infrmatin must be cc t [email protected] shuld include a digital signature Escalatin In the event that n respnse is received within a reasnable amunt f time (typically ne business day) t an incident ntificatin then a secnd ntificatin must be sent and cpied t the supervisr's supervisr. A third ntice is sent directly t senir management with cpies t technicians and direct supervisrs

5 2.0 Security Event Ntificatin Template Belw is the recmmended template fr ntifying wners and administratrs f cmputer incidents invlving cmputer systems under their cntrl. This template is intended t help t preserve evidence shuld it becme necessary t cmply with CA Civil Cde 1798 (frmally SB1386). The must be sent accrding t the guidelines described in the IncidentNtificatin guidelines. Edit the text in brackets t fit the crrespnding infrmatin fr the incident. Subject: [SECURITY] Suspicius activity - << cmputer r IP >> Frm: James Macdnell <[email protected]> CC: Infrmatin Security Office <[email protected]> This is an incident ntificatin fr the fllwing cmputer: xxx.yyy << mac address >> << rm # >> This cmputer appears t be infected with ne r mre Malware: Latest Event Cunt Signature :15:08 2 Outdated Windws Flash Versin IE :15:41 1 pamdql/sweet Orange /in.php?q= Hstile landing :15:48 1 Redkit Explit Kit 3Char PDF Request :15:52 2 Vulnerable Java Versin 1.6.x Detected :15:53 2 RedKit Explit Kit Java Request t Recent jar :15:53 2 RedKit - Jar File Naming Algrithm :15:54 1 RedKit - Paylad Requested - /2Digit.html :15:55 7 RedKit - Ptential Java Explit Requested :15:58 1 Maxmind geip check t /app/geip.js :16:20 1 TROJAN Dwnlader HTTP Library seen with ZeuS :16:20 1 Windws 98 User-Agent Detected :18:13 2 TROJAN System Detectin FakeAV (INTEL) This cmputer shuld be examined and may need t be discnnected frm the netwrk. If any cmputer system suspected f cmprmise is knwn t cntain r access persnal infrmatin (such as a cmbinatin f full name and any f the fllwing: scial security number, date f birth, medical infrmatin, financial infrmatin) YOU MUST NOTIFY the Infrmatin Security Office and prevent any further access t the cmputer. A cncern f any cmputer attack is the cmpliance with Civil Cde Sectins and (frmally SB- 1386) which require ntifying individuals whse persnal infrmatin may have been cmprmised. Please keep us infrmed f the status f this system. If yu have any questins r cncerns, please d nt hesitate t reply t this . We lk frward t yur reply. Lgs available upn request

6 3.0 Evidence Preservatin The fllwing are the guidelines fllwed by the Infrmatin Security Office fr preserving evidence which may have been cllected r prvided as part f an investigatin. In all cases the physical evidence will be prtected t maintain its integrity during its cllectin, during the prcess t prduce a frensic image, and during its strage while it is under the custdy f the Infrmatin Security Office. Physical evidence as well as the results f a cmputer frensic analysis will nt be released t anyne withut the written authrizatin f the University Prvst r its designee, r the university legal cunsel, after the cnclusin f an investigatin. The physical evidence as well as the results f the cmputer frensic analysis will be preserved as fllws: In thse instances that an investigatin invlves CSUSB persnnel, r invlves any pssible legal actin, the physical evidence and cmputer frensic analysis results will be preserved fr n less than 7 years frm the date the evidence was cllected. Otherwise the physical evidence and assciated results f the cmputer frensic analysis will be preserved fr n less than ne year frm the date the evidence was cllected. The physical evidence may be released upn request at the cmpletin f an investigatin. The infrmatin Security Office will nt clean, delete, r destry any infrmatin residing n any cllected r prvided evidence, except in extreme circumstances by a written request and at the discretin f the Infrmatin Security Officer. 4.0 Evidence Preservatin Template An template t use in cases where cllectin f the hard drive (r cmputer itself) is anticipated r cmpulsry: T: Example Tech <example [email protected]> Cc: Example Supervisr <example [email protected]> Subject: [SECURITY] Preservatin f evidence (IRN: _01) This is an evidence cllectin request fr the fllwing cmputer: (hackedbx.csusb.edu) {{LOGS OR OTHER EVIDENCE}} This cmputer needs t be physically secured. Fllw the D.U.S.T. prcedure: D) Physically DISCONNECT the cmputer frm the netwrk. U) UNPLUG the pwer D nt use standard shutdwn prcedure D nt attempt t lgin - 6 -

7 D nt attempt t find any infrmatin. Any f these actins can destry valuable trace evidence. S) Mve the cmputer t a SECURE lcatin An ccupied/lcked manager's ffice An ccupied/lcked cmputer wrkshp T) TELL us and arrange fr evidence cllectin. When the Infrmatin Security Office receives infrmatin that a cmputer appears t be cmprmised (e.g. by a virus r wrm), ur standard prcedure is t cnfirm the infrmatin, ntify the technicians assigned t the VLAN, and als t ntify an apprpriate MPP. As with any cmputer cmprmise, there is a ptential liability t the University. This is why a manager is ntified in additin t a technician. Under Califrnia law (Califrnia Civil Cde 1798), the University is bligated t ntify anyne whse persnally identifiable infrmatin (such as scial security numbers and financial accunt infrmatin) is reasnably believed t have been disclsed t an unauthrized third party. As part f the University's incident handling prcedures, ur ffice will wrk t preserve evidence t prtect the liability f the University and t meet ur bligatins under state and federal law. The preservatin f evidence ften requires the cllectin f the cmprmised cmputer's hard drive. This makes the cmprmised cmputer unusable fr at least a few days (the time necessary t create a frensic image f the hard drive) and perhaps up t seven years. When the hard drive (r cmputer itself) is cllected, managers are respnsible fr crdinating their cllege/divisin/department disaster recvery and business resumptins plans s the cmputer's user can regain prductivity. Als, if during the curse f an investigatin, evidence is discvered that indicates that persnally identifiable infrmatin was indeed disclsed withut authrizatin, the manager will becme invlved in the decisin and prcess t send ntificatins as required by law. That said, mst virus and wrm infectins n campus d nt escalate t the pint where ntificatins are required. The cllectin f evidence is mst ften simply a preventive measure t prtect the University frm future liability r lawsuits. If yu have any questins, please let us knw. We lk frward t yur reply. Additinal lgs available upn request

8 5.0 Incident Cntainment Prcedure - 8 -

9 6.0 Chain f Custdy Dcument NOTICE: The Infrmatin Security Office des nt attempt t mdify r remve files frm a cmputer system since these systems may cntain infrmatin f imprtance t the wner. Fr this reasn, the respnsibility t repair r remve files is left t the respective cllege/department cmputer technician. IRN: System Name: Department: Lcatin: Item(s): Received frm: Name Signature Date/Time Received by: Name Signature Date/Time Reasn fr change f custdy: hld fr pssible litigatin - 9 -