Security: Policies & Guidelines


OIT Incident Handling: Denying Account / Network Access
DRAFT DATE: August 27, 2002; December 5, 2001; October 12, 2001
SUBJECT: OIT Incident Handling: Denying Account/Network Access
SOURCE: Office of Information Technology
GUIDELINE NUMBER: OIT-01
REVIEWERS: OIT SANS Managers
DATE Finalized: Draft - under review

RATIONALE:

This document is intended to set forth the standard process to follow in the case of a network-based incident and to provide guidelines for judging that incident's severity. The guiding principle for OIT incident handling is to make the most effective use of OIT resources to preserve IT integrity while minimizing impact on individual users and the UMBC user community as a whole. Since locking a user's account may prevent that user from performing academic or regular work, it is treated with all due consideration and is only done when necessary. If all OIT incident handlers follow the process outlined below, everyone will know what to expect, how to behave, and be generally protected should someone issue a complaint over action taken.

GUIDELINES:


Base process:

The OIT incident handler is to contact either the CIO or the Director of Infrastructure and Support with the issue and related details. Contact should be attempted via work phone, pager/cell phone, and home phone for each.

Note that any measures taken in time-critical incidents (without Administration approval) are intended to be temporary and must be reviewed by an Administration official within two working days.

Sample cases:

Each sample case lists the issue, its criticality, the probable cause, and the suggested action.

Issue: System is attacking others via the network
  Criticality: Judgment call based on intensity of attack; network saturation is time-critical, one attack per day is non-time-critical
  Probable cause: Compromised system (virus, trojan, other); malicious user
  Suggested action: Block the attacking system's network access

Issue: System is sending out worm-style email (e.g. Sircam)
  Criticality: Non-time-critical
  Probable cause: Infected system
  Suggested action: Notify the owner; if not resolved or acknowledged within two business days, block the infected system's access to the network

Issue: Multiple logins from all over the country/globe to one account
  Criticality: Non-time-critical (unless the account is performing active/intense attacks)
  Probable cause: Compromised account
  Suggested action: Lock the user account

Issue: Reasonable belief that an account is being used to attack other systems
  Criticality: Judgment call based on intensity of attack
  Probable cause: Compromised account; malicious user
  Suggested action: Lock the user account

Note that any email notification of a user should be CC'd to the CIO, the Director, and abuse@umbc.edu.

DEFINITIONS:

Incidents are considered "time-critical" if an OIT incident handler has reason to believe that an incident originating within the UMBC domain poses a threat to:

  • IT integrity within UMBC;
  • IT integrity outside UMBC;
  • The health or safety of self or others;

AND that even a relatively small delay (on the order of 30 minutes) in addressing the incident will make the threat/impact significantly more severe.

"IT integrity" refers to data integrity, data confidentiality, system availability, network availability, system performance, network performance, and the reliable availability of other services and hardware offered or used by OIT and the UMBC campus.

"Locking an account" entails one or more of the following: randomizing the account's password (Core or departmental), denying access to MyUMBC, and LDAP-based deactivation (which denies the account access to Core logins, ResNet/DHCP, modems, and remote access to Core email).

"Blocking a system's network access" entails blocking network traffic to and from the system at the router.
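The "locking an account" definition above combines password randomization with an LDAP-based deactivation that downstream services (Core logins, ResNet/DHCP, modems, remote email) honor. The following is an added example, not OIT's own tooling: it generates a password that is never recorded, stores it as an RFC 2307 {SSHA} value, and emits the LDIF an incident handler could apply with ldapmodify. The DN layout (uid=...,ou=people,dc=umbc,dc=edu) and the deactivation attribute (umbcAccountStatus) are assumptions for illustration; substitute the directory's real schema.

```python
import base64
import hashlib
import os
import secrets
import string
from typing import Optional


def random_password(length: int = 32) -> str:
    """Generate a password nobody is told: the point of 'randomizing' is that
    the account cannot be used until an administrator deliberately resets it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307-style {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} value (used here to test the hasher)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def lock_account_ldif(uid: str, base_dn: str = "ou=people,dc=umbc,dc=edu") -> str:
    """Build the LDIF that locks one account: replace the password with a hash of a
    random value and set the deactivation flag that other services consult.
    base_dn and the umbcAccountStatus attribute are assumptions for this example."""
    dn = f"uid={uid},{base_dn}"
    hashed = ssha_hash(random_password())       # the cleartext is discarded immediately
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {hashed}",
        "-",
        "replace: umbcAccountStatus",           # hypothetical attribute name
        "umbcAccountStatus: locked",
        "-",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Example run for a constructed account name; pipe the output to ldapmodify.
    print(lock_account_ldif("jdoe"))
```

Because the cleartext password is discarded inside lock_account_ldif, the only way back in is an administrator-initiated reset, which is what makes the lock reviewable rather than silently reversible.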

Current CIO: Jack Suess
Current Director of Infrastructure and Support: Mike Carlin
Current Vice Provost For Academic Affairs: Dr. Moreira

PROCEDURE REFERENCE:

For non-time-critical incidents, the incident handler should attempt contact/wait for a response for 30 minutes. After this time, the incident handler has OIT's permission to proceed using his/her best judgment.

For time-critical incidents, the incident handler should proceed with the minimum measures necessary to preserve IT integrity, then resume contact attempts.

The CIO or Director may then attempt to contact the Vice Provost For Academic Affairs and request permission to lock the offending account or to block the problem system's network access (whichever is appropriate). In certain cases, the CIO or Director may decide to grant permission on his or her own authority.

If the OIT incident handler had to proceed without Administration approval, then he/she should send a brief, explanatory email to the CIO, the Director, and abuse@umbc.edu with the following information:

  • the fact that contact was attempted
  • the issue at hand
  • what was done to resolve the issue and why

Reports of security incidents should be sent to abuse@umbc.edu.

Virus resources can be found at the OIT Web site: http://www.umbc.edu/oit/virus

For situations requiring immediate assistance or response by security engineers, local campus computing support centers can obtain paging information for ITSO staff by contacting the OIT Helpdesk, 410-455-3838, or the Chief Information Officer, 410-455-2582. A response should be expected within 60 minutes.

RELATED POLICY REFERENCES:

IT-01 UMBC Policy for Responsible Computing

IT-03 UMBC Guidelines for Using Electronic Mail (draft pending approval)

*** Add link(s) to list of accounts/accesses and procedures to disable


RESPONSIBLE ORGANIZATION:

UMBC Office of Information Technology
oit@umbc.edu
http://www.umbc.edu/oit



Last modified: 2/3/2003

Office of Information Technology • Main Office: ECS 125 • Phone: 410-455-3838 • Email: oit@umbc.edu