New Response and Reporting Team Focuses on Computer Security Incidents
by Doreen Meyer
The problems and the benefits of interconnected computer resources at UC Davis affect everyone's ability to conduct university business. On the positive side, staff, faculty and students can use computers to access data and communicate electronically -- both on and off campus. On the downside, that interconnectivity makes desktop systems as well as department computers subject to potential security problems.
The same types of network connectivity problems are faced by academia, government, law enforcement, and private industry around the world. The need for the ability to handle security incidents is significant enough that the UC Office of the President in late November 1998 issued Electronic Information Security Guidelines advising each campus to develop an incident reporting system. At UC Davis, IT's Distributed Computing Analysis and Support (DCAS) staff had already begun developing such a program in August 1998.
Illustration by Steve Oerding/IT-Creative Communication Services
The Incident Response and Reporting project will address security incidents such as virus outbreaks (remember Melissa?), denial of service attacks (attacks on a system that result in interruptions in service), computer account or server host break-ins, port scans (looking for systems with well-known vulnerabilities), UC Davis Acceptable Use Policy violations, and copyright infringements.
Network and computer security incidents can cost the university thousands of dollars in staff time and machine downtime. Information Technology is working to address security problems -- such as the Melissa virus -- locally, developing formal mechanisms for incident reporting, response, prevention, and education.
When a network security incident occurs, it is usually detected by Information Technology staff and campus computer system administrators. If an issue becomes serious, other campus units may become involved in the resolution. Student Judicial Affairs is notified of incidents involving students; with staff, Human Resources; and, with faculty, the Provost's Office. If an issue revolves around the misuse of university resources, the Campus Misuse Committee and possibly Internal Audit will be notified. If a security incident is potentially illegal, the Police Department will be alerted.
One of the issues the Incident Response and Reporting team members will discuss and resolve in the next few months is how to avoid duplicating efforts to resolve an incident, wasting time and resources in the process. Duplication of effort can occur, for example, when staff members not in direct communication are contacted by different sources regarding a potential security incident. By eliminating overlapping effort, the security team can increase its incident response efficiency.
Other issues the team will address are:
- How can team members easily notify the appropriate personnel about a specific problem? For example, if the campus is being scanned for Silicon Graphics vulnerabilities, what needs to be put in place so all SGI system administrators can be contacted immediately?
- How can team members assess the severity of an incident? What criteria need to be present before making a decision to turn off a port that is under attack (thereby shutting off access from that machine to the campus network)?
- How can team members track and record their efforts to resolve an incident and make that information available to other team members and appropriate campus staff?
- Who should the end user or system administrator contact to report a security incident? (Currently, suspected security incidents should be reported to firstname.lastname@example.org.)
The cornerstone of the Incident Response and Reporting project is Remedy, a trouble ticket system application already in use for other functions in some IT departments. By assigning a unique number to each incident, the trouble ticket system will allow specific individuals in IT to receive and track trouble calls. The program features a reminder that will alert response team members to follow up on a reported incident when a given period of time has elapsed.
The team investigating potential problems will be able to view a list of tickets that are pending, and assign themselves the responsibility of following up on the question, and recording their actions when doing so. Other team members will be able to view the tickets, and perhaps gain clues about a security incident from a number of seemingly unrelated ticket submissions. The Web-based Remedy program also will allow UC Davis system users who have filed a complaint to check on the status of their tickets.
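The ticket workflow just described, as an added example that is not code from the original article or from Remedy: a small Python model of the register with unique case numbers, self-assignment, an action log, the elapsed-time follow-up reminder, a submitter's status view, and grouping of open tickets that name the same source host. Hostnames, member names, the hour-counter clock and the 48-hour reminder interval are all constructed.

```python
# Constructed model of the ticket workflow described above: an added example, not Remedy
# or UC Davis code. Names and fields are assumptions; time is a plain hour counter.
from dataclasses import dataclass, field

@dataclass
class Ticket:
    case_no: int
    reporter: str
    source_host: str         # host the suspect activity came from
    last_activity: float     # hour of the last logged action; drives the reminder
    assignee: str = ""
    status: str = "pending"
    actions: list[str] = field(default_factory=list)

class IncidentRegister:
    def __init__(self, follow_up_after_hours: float):
        self.follow_up_after = follow_up_after_hours
        self._next_no = 1
        self._tickets: dict[int, Ticket] = {}
    def submit(self, reporter: str, source_host: str, when: float) -> int:
        # Each report receives a unique case number the submitter can quote later.
        case_no, self._next_no = self._next_no, self._next_no + 1
        self._tickets[case_no] = Ticket(case_no, reporter, source_host, when)
        return case_no
    def pending(self) -> list[int]:
        # Tickets nobody on the team has picked up yet.
        return [n for n, t in self._tickets.items() if t.status == "pending"]
    def record(self, case_no: int, member: str, note: str, when: float, status: str = "") -> None:
        # Every action is logged for the other team members; the time resets the reminder clock.
        t = self._tickets[case_no]
        t.actions.append(f"hour {when:g}: {member} {note}")
        t.last_activity, t.status = when, status or t.status
    def take(self, case_no: int, member: str, when: float) -> None:
        # A team member assigns themself responsibility for following up.
        self._tickets[case_no].assignee = member
        self.record(case_no, member, "took responsibility", when, status="assigned")
    def reminders(self, now: float) -> list[int]:
        # Open cases with no recorded action for longer than follow_up_after.
        return [n for n, t in self._tickets.items()
                if t.status != "closed" and now - t.last_activity >= self.follow_up_after]
    def related(self, case_no: int) -> list[int]:
        # Other open tickets naming the same source host: submissions that look unrelated but may be one incident.
        host = self._tickets[case_no].source_host
        return [n for n, t in self._tickets.items()
                if n != case_no and t.status != "closed" and t.source_host == host]
    def status_for(self, reporter: str) -> dict[int, str]:
        # What a submitter sees when checking on the tickets they filed.
        return {n: t.status for n, t in self._tickets.items() if t.reporter == reporter}
```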
With a trouble ticket system in place and a coordinated response by the security staff across organizational boundaries, IT will be able to:
- Provide a point of contact for the campus community for the submission of a suspect security incident.
- Assign a case number and follow up on the submission.
- Minimize the impact of security incidents on a department or end user.
As this program is put into place, the Incident Response and Reporting team will be able to gather statistics on incidents at UC Davis and determine where IT should focus its resources. Initially, the team will be looking specifically at electronic junk mail (see related story on page 1) and later at general network incidents.
Doreen Meyer is a programmer/analyst with IT-Distributed Computing Analysis and Support, and project manager for the Incident Response and Reporting project.