Date of Last Review 6/6/07
SME: Director of Management Information Systems

Host Incident Handling and Response


Overview

This procedure will provide incident handling and response guidelines for the resources under the control of UT-HCPC information owners and stewards. Information owners create, alter, transmit and/or store information that is used to carry out a program(s) under their direction. Stewards of information resources provide technical facilities and support services to IT, owners and users of information.

Stewards are responsible for implementing security controls at the department's server operating system, network operating system, PC and application software levels in accordance with the IT Security Program. Stewards are responsible for assessing the information resources under their control for vulnerabilities and taking corrective action. The IT Security (ITS) department will regularly scan the network for vulnerable and/or compromised hosts and will provide recommendations to stewards when vulnerabilities are found.

The goals and objectives of handling incidents at UT-HCPC are to:

  1. Detect the incident
  2. Contain the incident
  3. Resolve the incident
  4. Prevent the incident from re-occurring

Detecting an Incident

“Incident” refers to an adverse event in a network, information system and/or workstation, or the threat that such an event will occur. An event is any observable occurrence in a system, network and/or workstation. Although natural disasters and other non-security disasters (e.g., power outages) are also called events, these reporting requirements apply to IS security-related events only. Events often indicate that an incident is under way.

Indications of a Potential Security Incident:

Stewards should have system logging enabled to help them detect potential incidents. The following are a few examples of ways a security incident may be indicated. Remember that these indicators can have legitimate explanations and be part of day-to-day operations.

  1. Unsuccessful logon attempts
  2. Accounting/system/network log discrepancies that are suspicious
  3. “Door knob rattling” (e.g., use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts).
  4. New user accounts not created by system administrators or automated account management systems
  5. New executable files or unfamiliar file names
  6. Modifications to file lengths or dates (especially in system executable files)
  7. Attempts to write to system files or changes in systems files
  8. Modification or deletion of data
  9. Changes in file permissions
  10. Logins into dormant accounts
  11. A system alarm or similar indication from an intrusion detection tool
  12. Denial of Service
  13. System crashes
  14. Abnormally slow or poor system performance
  15. Activity outside normal business hours
  16. Unusual usage patterns (high traffic loads on the network)
  17. Physical theft and intrusion
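The indicators above are easier to act on when they are checked mechanically rather than by eye. The following is an added example, not part of the UT-HCPC procedure, that runs four of them over constructed sample data: a burst of unsuccessful logons from one source (indicator 1), new executables, modified system executables and changed permissions found by comparing a file baseline (indicators 5, 6 and 9), and a successful logon to a dormant account (indicator 10). The sshd log format, the host name, the account names and addresses, and the last-logon table are all assumptions constructed for the example.

```python
"""Indicator checks on constructed data (added example, not the UT-HCPC procedure's own code): indicators 1, 5, 6, 9 and 10."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines; host, users and addresses are fictitious.
AUTH_LOG = """\
Jun  6 02:11:01 host1 sshd[812]: Failed password for root from 203.0.113.9 port 4410 ssh2
Jun  6 02:11:03 host1 sshd[812]: Failed password for root from 203.0.113.9 port 4411 ssh2
Jun  6 02:11:05 host1 sshd[812]: Failed password for admin from 203.0.113.9 port 4412 ssh2
Jun  6 02:11:07 host1 sshd[812]: Failed password for oracle from 203.0.113.9 port 4413 ssh2
Jun  6 02:11:09 host1 sshd[812]: Failed password for root from 203.0.113.9 port 4414 ssh2
Jun  6 02:14:30 host1 sshd[820]: Accepted password for jdoe from 203.0.113.9 port 4420 ssh2
Jun  6 09:02:15 host1 sshd[901]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
"""
# Constructed "last successful logon" records, as a steward might keep for each account.
LAST_SEEN = {"jdoe": datetime(2006, 11, 1), "alice": datetime(2007, 6, 5)}
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")

def parse_auth(text, year=2007):
    """Turn sshd lines into event dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Indicator 1: source addresses with >= threshold failed logons inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def dormant_logins(events, last_seen, dormant_after=timedelta(days=90)):
    """Indicator 10: successful logons to accounts unused for dormant_after or longer."""
    return [(e["user"], e["ip"], e["ts"]) for e in events if e["result"] == "Accepted"
            and e["user"] in last_seen and e["ts"] - last_seen[e["user"]] >= dormant_after]

def snapshot(root):
    """Indicators 5, 6, 9: size, mtime, permission bits and SHA-256 of every file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[os.path.relpath(p, root)] = (st.st_size, int(st.st_mtime), st.st_mode & 0o7777, digest)
    return snap

def compare(baseline, current):
    """Map each path to 'new file', 'deleted' or 'changed <fields>' relative to the baseline."""
    fields = ("size", "mtime", "mode", "sha256")
    changes = {}
    for path, cur in current.items():
        base = baseline.get(path)
        if base is None:
            changes[path] = "new file"
        elif base != cur:
            changes[path] = "changed " + ",".join(f for f, b, c in zip(fields, base, cur) if b != c)
    for path in baseline.keys() - current.keys():
        changes[path] = "deleted"
    return changes

def demo_baseline():
    """Baseline a temp dir, tamper with it the way an intruder might, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        os.chmod(ls, 0o755)
        baseline = snapshot(root)
        with open(ls, "ab") as f:  # trojaned binary: size and hash change (mtime too, if a second passed)
            f.write(b"# backdoor\n")
        os.chmod(ls, 0o777)  # permission change: system binary now world-writable
        with open(os.path.join(root, "bin", ".x"), "wb") as f:  # new hidden executable
            f.write(b"\x7fELF")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    ev = parse_auth(AUTH_LOG)
    print(failed_logon_bursts(ev), dormant_logins(ev, LAST_SEEN), demo_baseline(), sep="\n")
```

The thresholds (five failures within five minutes, ninety days of dormancy) are illustrative and would be tuned per host. As the list above warns, every hit can have a legitimate explanation, so the output is a prompt to evaluate the host, not a verdict; the baseline comparison is only trustworthy if the baseline was taken while the host was known to be clean and is stored where an intruder on that host cannot alter it.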

Anyone who suspects an adverse incident is taking place must contact ITS immediately.

IT Security Department email - its@uth.tmc.edu

If no response from ITS contact the IT Security Core Team (ITS Core)- its.core@uth.tmc.edu. Membership information available on IT Security web site.

Evaluating the Incident:

The steward and the ITS will evaluate the incident that is occurring. The criteria they will use are:

  • What condition raised the suspicion of a possible incident
  • What time of day the incident was first noticed and by whom
  • What activity is occurring on the host
  • Is the activity isolated to one host or impacting other hosts and/or network segments
  • Is the incident caused by a virus or an attacker

Containing the Host Incident

If evaluation against the criteria above shows that the host presents a risk to the network, ITS will instruct the IT Infrastructure Owners to disable the host from the network immediately. For example:

  • If the system stores or processes confidential or sensitive information, the system will be shut down or disabled from the network immediately.
  • If the incident compromises the University network resources and mission objectives, the ITS will instruct the IT Infrastructure Owners to disable the device from the network.
  • If a virus, worm, or cracker is actively attacking the system, the system will be disabled from the network until suitable control of the intrusion attempts can be ensured. This is for the protection of the system being attacked.

Departments with a critical need to have certain resources on-line at all times must provide a list of these machines and their function. They must also provide the owner name, steward name, IP address, location of the computer and names of personnel who will be available immediately, 24 hours a day, 7 days a week, in the event the device is causing problems that could impact the entire University network. This information should be provided to its.core@uth.tmc.edu for approval by the ITS Core team.

Resolving the Incident

Notification

  1. Anyone who suspects a possible security incident, should contact ITS as soon as possible. ITS may have seen the same incident on other hosts and be able to reassure you as to the severity of the problem. ITS has the experience to help you resolve the problem quickly before the situation becomes widespread and impacts other UTH resources.
    Contact the IT Security department:
    IT Security Department - its@uth.tmc.edu
    ITS Core team - its.core@uth.tmc.edu
  2. It is the responsibility of the steward of record to contact the appropriate department personnel in their area that are affected by the problem.

Determine the Scope and Impact of the Incident

  1. Determine the scope and impact by assessing the criteria below. Depending on the incident, some or all of this information may be applicable. Start a log documenting the incident and include the following pertinent information in the log:
    · Who is the owner of the device(s)? (office personnel, department manager, PI, etc.)
    · What is the device’s mission? (research lab, office PC, multi-user server, etc.)
    · Is this a multi-site incident? (more than one department or location affected?)
    · How many computers at your site are affected by this incident?
    · Is sensitive information involved? (patient info., student grades, confidential research data, credit card numbers, vital records?)
    · What is the entry point of the incident (network, phone line, local terminal, etc.)?
    · What is the potential damage of the incident?
  2. ITS can assist the steward of the device in determining the scope and impact, whether to shut a system down, to disconnect from the network, to monitor system or network activity, or to disable functions such as remote file transfer on a UNIX system, etc. If criminal activity is suspected, the UT-HCPC legal department will be notified to determine appropriate law enforcement involvement.

Solve the Problem

  1. Once the problem has been identified, the cause must be eradicated. Any software used for copyright infringement must be deleted. In the case of virus infections, it is important to clean any disks containing infected files. Finally, ensure that all backups are clean: many systems infected with viruses are periodically reinfected simply because the virus was never systematically eradicated from backups.
  2. In the case of a successful network-based attack, reinstall the operating system from trusted installation media or from the last backup known to predate the compromise, and install the patches for the operating system vulnerability that was exploited before the host is reconnected. Restoring a backup taken after the intrusion only restores the intruder's changes along with it.

Get Reconnected to the Network

  1. When the problem causing the incident has been resolved, contact ITS.
  2. ITS will review the documentation you have created and ensure that the steps you have taken are appropriate and adequately resolve the problem.
  3. Once ITS certifies the status of the problem they will notify the IT Infrastructure Owners to reconnect the device to the network.

Preventing the Incident from Recurring

Reporting

  1. ITS will track the incident, its resolution and follow-up to ensure the security measure remains effective.
  2. ITS may report serious incidents and their resolution to the Executive Council and the State of Texas Department of Information Resources.
  3. UT-HCPC Information Services has developed a web form to enable those responsible for system administration and security (stewards) to report these incidents as they occur. Please access the web form at H:\MIS Policies & Procedures\Adiministration\MIS Incident Report.htm and enter information pertinent to the network for which you are responsible.

Sanctions

The IT Security department, in collaboration with the Information Resource Managers (IRMs), will evaluate the incident and determine which, if any, of the following remediation actions will be taken:

  1. If the incident was caused by carelessness of an employee, student or “guest,” the event documentation will be provided to the dean, direct supervisor, registrar, guest sponsor and/or vendor contract manager.
  2. If the incident was caused by an employee’s or student’s negligence and willful disregard for UT-HCPC policies and procedures, the event documentation will be provided to the dean, direct supervisor, department chairman, Human Resources, Legal and Audit Services. The employee or student will be sanctioned according to the severity of the security violation in accordance with the General Standards of Conduct and Disciplinary Actions posted in the Handbook of Operating Procedures (HOOP). Security violations may result in termination or expulsion.
  3. If the incident was caused by a “guest’s” negligence and willful disregard for UT-HCPC policies and procedures, the event documentation will be provided to the contract manager, Legal and Audit Services. Security violations may result in revocation of the contract.

Post Incident Process

  1. Based on the impact of the incident, ITS may set up a “post-mortem” meeting to include the ITS Core Team and key members who played a significant role in responding to the incident.
  2. In an effort to learn from the incident and apply the lessons to future incident responses, documentation will be prepared by the members involved in the particular incident response. The incident will be classified into one of the following categories:
    · Malicious code attack
    · Unauthorized access
    · Unauthorized use
    · Disruption or denial of service
    · False positive
  3. The results of the meeting should answer the following questions:
    · What went right?
    · Where could the process be improved?
    · Should any policy or procedure change?
    · Should any network or computer system change be recommended?
  4. A summary report will be prepared and included in the ITS incident reporting database.

Related standards

The Joint Commission: Management of Information

If you have questions regarding the content of this site please contact the Policy and Procedure Committee. If you experience any technical problems please contact the MIS Department.