HSU has established best practice procedures that must be followed whenever a computer connected to a University network is suspected of being compromised by a virus or other attack. This procedure is a requirement under our data protection compliance mandate, so it is particularly important to determine whether Level 1 protected data is stored on the affected system when addressing potentially compromised security.

Systems unlikely to contain Level 1 protected data will not require preemptive forensics work by the Campus Information Security Office, which involves the removal of the physical machine to a separate facility for detailed investigation. However, if the presence of Level 1 data is identified at any point during the investigation, all work by campus IT staff and anyone not a member of the Campus Incident Response Team (CIRT) technical team designated by the Information Security Office should immediately stop.

Do not unplug, turn off, disconnect, or otherwise touch the computer in any way UNLESS you strongly suspect that Level 1 protected data is in the process of being removed from the system as a result of the security breach and that your actions would prevent this.

Before you begin

Do not take any steps to examine the machine until you have determined to the best of your ability that Level 1 protected data is not present on the system.

Start by asking the user or their supervisor if it is likely Level 1 protected data is present on the machine.

• If they indicate that it is likely that the system contains Level 1 data, have everyone take their hands off the system and contact the Information Security Office immediately at (707) 826-3815.
• If they indicate there is little or no likelihood that Level1 data is on the system, follow the Compromised Information Security Procedure below.

Compromised information security procedure

• Disconnect the system from the network
• Use the appropriate security tools to examine the system and determine whether or not it has been compromised.
  • If the system is positively identified as being infected by a virus or other malware, proceed to the next step.
  • If you run all the listed tools and there is no compelling evidence of infection or other compromise from campus or third-party information security organizations, inform the Information Security Office and stop your investigation.

Identify the threat

• Attempt to identify the threat by consulting the Sophos website. Be aware that other security organizations or vendors may use different names for the same threat, so it's best to use a single information source to avoid confusion.
  • If the compromise is identified as severe - usually either a trojan or a rootkit - proceed to the next step.
  • If the compromise is NOT identified as severe and you are able to clean the threat, go ahead and disinfect the system and report your results to the Information Security Office.

For severely-compromised systems

• In the case of a severe threat to the security of a system, run a formal scan for Level 1 protected data.
  • If you find Level 1 information, stop and contact Information Security immediately.
  • If you do not find Level 1 or Level 2 data, wipe the drive, re-install clean copies of the operating system and applications, and report your results to Information Security.

If you have questions at any stage of this, please stop and contact Information Security. Dealing with security compromises requires that specific procedures be followed in order to establish an audit trail. It is not an opportunity to experiment.

Recommended Security Tools

• Sophos Anti-Virus
• Sophos Root Kit Detector
• F-Secure Blacklight
• GMER
• SysInternals Rootkit Revealer
• Cornell Spider. Follow the links below for specific instructions on using Cornell Spider on your machine.
  • Cornell Spider for Linux
  • Cornell Spider for Macintosh
  • Cornell Spider for Windows