CAH Security Incident Response Ways that a virus can be discovered 1. Security Incident Response Team notification 2. User/Technician notification 3. SCCM Endpoint notification Identification and removal of a suspected workstation 1. Identification of workstation - user, location, and any associated information that can help identify it. Examples: service tag, CAH tag, mac address, CAH workstation name. 2. Locate and remove from power and network so that it is isolated. 3. Relocate to CAHIT support team – Notify IT liaison, chair and primary end user of infection and removal. Forensics and diagnostics 1. Create image of compromised workstation to the CAH Anti-virus station. 2. Assess the threat a. Determine if this is a suspected criminal incident. If so, hand off to SIRT immediately. Suspected criminal activity includes documents of child pornography, theft, espionage or physical abuse. b. Run virus scan with updated endpoint files (Manually download latest definition files if necessary. c. Check logs - Endpoint logs, client logs d. Run secondary scan with software like Malwarebytes. 3. Document all infections. 4. Determine how or when it was compromised. 5. Determine if local or network files were compromised. 6. Determine all users that have logged into the infected workstation. 7. Compile a preliminary report. Notification of compromise 1. Notify, via e-mail, department chair, IT liaison, technicians involved in compromise, and the IT manager with the preliminary report and an estimate on how long workstation will be out of service. 2. Notify SIRT (sirt@ucf.edu) if compromise is a network level threat or involves compromised data. a. Fill-out SIRT response form and report when SIRT requests (http://www.cst.ucf.edu/wpcontent/uploads/2013/08/Information_Security_Incident_Reporting_Form.pdf) 3. Notify chair and IT liaison via e-mail of other users that have logged into the workstation with instructions on changing passwords. Closing steps 1. Resolve compromised workstation incident. a. Restore data to anti-virus workstation and scan with available malware detection programs. NOTE: No compromised user files with executable or library extensions from compromised workstations will be restored. b. Secure wipe the workstation, rebuild, restore data from the anti-virus workstation, and return to department. c. Notify all involved parties of the resolution and schedule a return and setup. 2. Education and follow-up a. Write a follow-up e-mail to primary affected user, chair, IT liaison, technicians and manager detailing the known compromise and suspected activity that caused the compromise. CAH SECURITY INCIDENT RESPONSE | REV 05/28/2014