Responding to a Compromised Computer

The purpose of this procedure is to provide instructions for responding to an actual or suspected compromise of a University owned faculty or staff computing resource (desktop or mobile).

This Procedure applies to Information Services personnel responding to situations where there has been a suspected or actual compromise of a faculty or staff computing resource. This Procedure does not apply to computing resources not owned by the University. Depending on the circumstances, a computer infected with malicious software may be considered a compromise. However, if the malicious software is detected and removed by antivirus software in a timely manner, it is probably not necessary to follow this process. Some level of judgment will need to be used in these situations.

A Compromised Computer is defined as any computing resource whose confidentiality, integrity or availability has been adversely impacted, either intentionally or unintentionally. A compromise can occur either through manual interaction or through automation. Gaining unauthorized access to a computer by impersonating a legitimate user or by conducting an attack would constitute a compromise. Exploiting a loophole in a computer’s configuration would also constitute a compromise. A computer infected with a virus, worm, trojan or other malicious software may be considered a compromise if not detected and removed in a timely manner.

Symptoms of a Compromised Computer include, but are not limited to, the following:

• The computer is experiencing unexpected and unexplainable disk activity
• Toolbars, pop-ups, and other software just appears
• The computer is experiencing unexpected and unexplainable performance degradation
• The computer’s logs (e.g. system logs, application logs, etc.) contain suspicious entries that indicate repeated login failures or connections to unfamiliar services
• A complaint is received from a third-party regarding suspicious activity originating from the computer

Information Services personnel shall investigate computer events that have the potential to cause harm to a computer system or could result in the compromise of organizational assets. All communications related to a compromise should be coordinated with the Information Security group and/or the Infrastructure Services Group.

The following steps should be taken in response to an actual or suspected compromised computer:

1) Disconnect the computer from the network 
Disconnecting the computer from the network prevents a potentially untrusted source from taking further actions on the compromised computer. This also prevents any further leakage of non-public information if that is a potential concern. Shutting down the computer would also have this effect but could destroy data that is essential to analyzing the compromise. Similarly, rebuilding or repairing the computer could destroy all data pertinent to the assessment.

2) Contact the Information Security Group 
Prior to taking any additional action on the compromised computer, the Information Security Group should be contacted. Continuing to use the compromised computer or attempting to remedy the compromise could result in destruction of data pertinent to the assessment. If the Information Security Group is unavailable, the Infrastructure Services Group should be contacted.

3) Preserving information resident on the compromised computer 
In consultation with the Information Security Group and/or the Infrastructure Services Group, a determination shall be made pertaining to preserving the information residing on the compromised computer. Preservation may include disk and memory imaging for further analysis. This will help ensure that no data is destroyed or altered for the subsequent analysis. The Information Security Group or the Infrastructure Services Group will conduct a preliminary investigation prior to determining the best course of action for the compromised computer.

4) Notify user of the disposition of the computer
If assessment of the compromised computer makes it temporarily unavailable, it is likely the user of the device will be impacted. The user should be notified in some manner of the interruption. It’s important the user be informed that while the event is being assessed any information pertaining to the incident is confidential and should not be shared.