Incident management
Information security incidents must be responded to and reported in a timely manner, please follow this guidance.
- Ensure local procedures are in place for the management of information security incidents within your division, department or faculty
- Ensure compromised systems are isolated
- Ensure all security incidents and breaches are reported
- Cooperate with the Information Security team/OxCERT to ensure vulnerabilities are fixed and/or mitigated
Staff tasked with handling, reporting and resolving security incidents within your division, department or faculty will need to work with OxCERT, the University's Computer Emergency Response Team.
Handling incidents
OxCERT will usually impose a router-level block on any machine or system that has been compromised. However, compromised machines and systems will continue to have local network access, so it is in the interests of your division, department or faculty to isolate them as quickly as possible. Failure to do so may result in other machines on the network becoming compromised and further escalation of the incident. Compromised machines should ideally be disconnected by removing the network cable. Where this is not possible, then other logical means can be used, such as blocking access to network ports. In some situations, evidence may need to be preserved. If a machine needs to be powered down instead, the best advice is to pull the power cable out of the back without powering the machine down via the operating system.
Where OxCERT cannot impose a block on individual machines - for example, when behind Network Address Translation (NAT) devices - your division, department or faculty is expected to respond within four working hours. Failure to respond in such circumstances may lead to OxCERT placing appropriate blocks on the NAT device in order to protect the integrity of the backbone network and users' information. Further information can be found on OxCERT's logging of network access webpage.
For these reasons, it is important to ensure that you have appropriate and up-to-date contact information for dealing with incidents. Contingency plans must be in place to cover absence of the primary contact.
Reporting information security events and incidents
All information security incidents must be reported and can be reported via the incident reporting form. If there has been a known breach of personal data it should be reported directly to data.breach@admin.ox.ac.uk as soon as possible.
For the purposes of dealing with and reporting, information security incidents are defined as:
- A single or series of unwanted events that compromise (or are likely to compromise) the confidentiality, integrity or availability of University data and/or breach University information security policies and include:
- Lost or stolen laptops or mobile devices
- Server compromises
- Botnet infections
- Malware infections
- Successful SQL (or other code) injection attacks
- Compromised accounts (e.g. accounts spamming)
- Denial of Service attacks
- Unauthorised access to information systems
Resolving incidents
In order to quickly and effectively resolve an information security incident, you must provide all of the information requested by OxCERT and read, understand and act upon all the instructions they give you. It is essential to understand the root cause of the incident so that the underlying vulnerability can be fixed before network access is restored. This is necessary to prevent further escalation of the incident. In order to lift router blocks and allow access to accounts following an incident, OxCERT will typically require evidence that the vulnerability has been identified and fixed (or at least mitigated in some other way).
You should therefore ensure there are appropriate contingency plans in place for dealing with security incidents in your division, department or faculty, including plans for rebuilding machines in the event of a system compromise. In many cases, where attackers have gained administrator privileges and/or there is insufficient logging, there may be no alternative but to re-install systems from scratch. This should be taken into account when carrying out risk assessments on business critical systems and when implementing redundancy. Avoid leaving backup systems open to the same vulnerability as the primary system (for example, by using the same administrator password for both). OxCERT provides advice on the requirements for logging in order to be able to trace the causes of security incidents.
It is University policy that you must:
- Report all information security incidents in a timely manner via appropriate management channels
- Isolate information systems which are suspected of being compromised from the network until incidents are resolved and risks sufficiently mitigated
- Investigate and handle information security incidents properly, efficiently and effectively