Procedures for handling a computer system compromise incident
- Don't panic. Be as calm and methodical as you can, and think about your course of action.
- Do a quick assessment. Do not immediately shut down the machine, as you may lose important information about the compromise. If the machine is being used to attack others, if the attacker is actively using or damaging the machine, or if the system contains confidential or sensitive information, you may need to disconnect it from the network. If this does not appear to be the case, leave the system intact for the moment.
- Report the problem. Call the University IT Security Office (335-6332) and report the problem as soon as possible. We will execute an emergency system security scan if the computer is still connected to the network. This information will help you to assess the damage. (The machine must be up and on the network in order to run a scan.) Alternatively, you can contact the IT Security Office by sending an email message to security@uiowa.edu. After regular business hours, call the ITS Help Desk at 384-HELP (4357) to have them page a contact in the IT Security Office; explain your situation to the consultant if one is available, or follow the recorded emergency instructions to have it escalated to the IT Security Office.
- Gather all the relevant information you can find. It is highly recommended that you consult with IT Security before you start taking any direct action on the compromised machine. Information to gather may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs. Copy them to a safe location (that will not be deleted or over-written), so that you and IT Security Office personnel can study them later. We have facilities available for making forensically sound images of computers for analysis.
- Take notes. Record all relevant information, including things you observed, actions you took, dates and times, and the like. It is best to log your activities as they occur. Over time, your actions and the order in which they were executed will not be easily remembered.
- Decide on a course of action for repair. IT Security Office personnel will help you determine the appropriate responses to recover from the incident. If you feel physically threatened, if system damage has occurred, or if theft of confidential data has occurred, you will probably need to report the incident to the Department of Public Safety, at 335-5022. They will advise you on legal aspects of the computer crime. If there is no physical damage or threat, and confidential data is not involved, and you just want to "clean up" and move on, that is an option. It is also an option to attempt to catch the culprit. The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, type of data involved, cost of recovery, etc.) and, in the case of department-owned systems, with department policy. The University IT Security Office will assist you in making a decision about the correct course of action, and will provide advice about additional protections that can be applied to your system to prevent future problems.
Other steps you should take:
- Change account passwords. All system accounts that were involved with the incident should have new passwords. Exceptions to this rule are accounts which are authenticated with tokens or certificates, in which case the PIN or pass-phrase for them should be changed. Never share your password (PIN or pass-phrase) with anyone, for any reason. Choose a strong password and change it often.
- Change the status of accounts, if necessary. In the event that a system administrator detects a problem with a system, or user activity on a system, a quick way to stop the unwanted activity is to "close" an account, by restricting logins to it. This results in the account owner having to contact an administrator in order to remove the login restriction. This is not deleting the account, but is merely making the account temporarily unusable.
- Stop rogue service(s), if necessary. In the event that a system compromise or denial-of-service attack is underway, and you are unable to stop or kill the service(s), you may need to disconnect the machine from the network to get them stopped.
- Review your backup policies. If you believe your data and/or operating system has been compromised, you must ensure that a "clean" backup is available for restoration. If your next backup could overwrite an undamaged backup, take immediate steps to prevent that occurrence. If your policy includes multiple levels of backup, and you are uncertain how long the system has been compromised, you must determine which backup version to restore to. Until that time, do not allow any backups to be overwritten.
If you have questions about incident procedures, contact: security@uiowa.edu.