Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Electrical Engineering
  3. Telecommunications

WORD version

advertisement 
CAH Security Incident Response
Ways that a virus can be discovered
1. Security Incident Response Team notification
2. User/Technician notification
3. SCCM Endpoint notification
Identification and removal of a suspected workstation
1. Identification of workstation - user, location, and any associated information that can help identify it. Examples:
service tag, CAH tag, mac address, CAH workstation name.
2. Locate and remove from power and network so that it is isolated.
3. Relocate to CAHIT support team – Notify IT liaison, chair and primary end user of infection and removal.
Forensics and diagnostics
1. Create image of compromised workstation to the CAH Anti-virus station.
2. Assess the threat
a. Determine if this is a suspected criminal incident. If so, hand off to SIRT immediately. Suspected criminal
activity includes documents of child pornography, theft, espionage or physical abuse.
b. Run virus scan with updated endpoint files (Manually download latest definition files if necessary.
c. Check logs - Endpoint logs, client logs
d. Run secondary scan with software like Malwarebytes.
3. Document all infections.
4. Determine how or when it was compromised.
5. Determine if local or network files were compromised.
6. Determine all users that have logged into the infected workstation.
7. Compile a preliminary report.
Notification of compromise
1. Notify, via e-mail, department chair, IT liaison, technicians involved in compromise, and the IT manager with the
preliminary report and an estimate on how long workstation will be out of service.
2. Notify SIRT (sirt@ucf.edu) if compromise is a network level threat or involves compromised data.
a. Fill-out SIRT response form and report when SIRT requests (http://www.cst.ucf.edu/wpcontent/uploads/2013/08/Information_Security_Incident_Reporting_Form.pdf)
3. Notify chair and IT liaison via e-mail of other users that have logged into the workstation with instructions on
changing passwords.
Closing steps
1. Resolve compromised workstation incident.
a. Restore data to anti-virus workstation and scan with available malware detection programs. NOTE: No
compromised user files with executable or library extensions from compromised workstations will be
restored.
b. Secure wipe the workstation, rebuild, restore data from the anti-virus workstation, and return to
department.
c. Notify all involved parties of the resolution and schedule a return and setup.
2. Education and follow-up
a. Write a follow-up e-mail to primary affected user, chair, IT liaison, technicians and manager detailing the
known compromise and suspected activity that caused the compromise.
CAH SECURITY INCIDENT RESPONSE | REV 05/28/2014
Related documents
Assembly Line Balancing
Assembly Line Balancing
The Office Procedures and Technology
The Office Procedures and Technology
AIC
AIC
Office Environments
Office Environments
Literacy Work Stations That Support Five Components of Reading
Literacy Work Stations That Support Five Components of Reading
Computer Lab Rules
Computer Lab Rules
Critically incident technique The Critical Incident Technique (or CIT
Critically incident technique The Critical Incident Technique (or CIT
CLASSROOM PROCEDURES - Clinton Public School District
CLASSROOM PROCEDURES - Clinton Public School District
Workstation self assessment for remote working
Workstation self assessment for remote working
ChemicalReactionsLab
ChemicalReactionsLab
Groups - Symantec
Groups - Symantec
Download
advertisement