Policy: Policy 8-2-6: Security Incident Response
Date Adopted: Jan 14, 2014
Department: Computing Services
Contact: Director
Statement: Data Security Incident Response Policy and Procedures

Table of Contents:

  1. Purpose
  2. Scope
  3. Definitions
  4. Severity Determination
  5. Incident Response Procedures
  6. References
  7. Files/Forms

Section 1: Purpose


  1. The purpose of this policy is to define a security incident and to outline the steps to be taken as a response. These steps are designed to ensure that employees know and understand the actions that will be taken if our college network, equipment, or data are compromised. This policy includes the communication and actions that will include WNC Computing Services, NSHE IT, System Computing Services (SCS), and outside entities. An IT security incident is defined as an event that impacts or has the potential to impact the confidentiality, availability, or integrity of WNC information technology resources from outside or inside sources. Standards, procedures, and guidelines regarding IT security incident response are included in this document. Specific procedures vary depending on the type of incident, but all procedures include the following steps:
    1. Preparation
    2. Detection and Analysis
    3. Containment
    4. Eradication
    5. Recovery
    6. Post-incident Activity
  2. With all incidents, it is important to maintain a centralized incident handler to avoid miscommunication, duplication of work, freelance investigation that could impact services or evidence, etc. To this end, ALL incidents will be assigned to WNC Computing Services who will be responsible for managing the response.
  3. For the purposes of these incident response procedures, incidents will be classified in three categories based upon the sensitivity of the data involved, legal issues, magnitude of the service disruption, threat, expanse, and public interest. The identified class of incident helps determine the level of internal notification required as well as the potential requirement under NRS for notification to affected individuals. It is assumed that Computing Services has authority to disconnect WNC systems from the network if required to protect assets and/or reduce the magnitude and expanse of a breach. This will be done with notification provided to the President of WNC, Vice President of Administrative Services and General Counsel, Vice President of Academic and Student Affairs, and System Computing Services (SCS). Established service disruption notification procedures will be followed to communicate outages to users.
  4. The remainder of this document provides incident response procedures to be followed for most types of incidents, with the understanding that there is no practical way to account for all potential incidents. The general incident response flow is illustrated in APPENDIX A and is meant as a guideline rather than a rule.

Section 2: Scope


  1. This policy applies to all Western Nevada College campuses and their employees, students, and the public sector using a Western Nevada College computer, workstation, or accessing data on the WNC network.

Section 3: Definitions


  1. Critical Data: Data with the highest level of protection; includes, but is not limited to, data restricted by law, data restricted by legal contracts, security-related data such as passwords and risk assessments, and intellectual property. Examples: student grades, social security numbers, passwords, credit card numbers, bank account numbers, security plans and assessments.
  2. DMCA: Digital Millennium Copyright Act
  3. FERPA: Family Educational Rights and Privacy Act
  4. Financial Information: Credit card, College financials, bank account data, financial aid
  5. HIPAA: Health Insurance Portability and Accountability Act
  6. IDS: Intrusion Detection System
  7. ISO: Information Security Officer
  8. NRS: Nevada Revised Statutes
  9. NSHE: Nevada State Higher Education. Collective of the Nevada colleges
  10. Personally Identifiable Information (PII): Per NRS 603A, PII is defined as first name or first initial and last name combined with any of the following elements: full social security number; driver's license number or identification card number; account number, credit card number or debit card number with access code.
  11. SCS: System Computing Services in Reno, Nevada
  12. SEIM: Security Event and Incident Management
  13. Sensitive Data: Data which, if available to unauthorized users, may harm an individual, a group, WNC, or the NSHE institutions, but is not Critical Data as defined above. Examples: infrastructure diagrams, strategy documents, financial information, purchasing information, business recovery plans, system configurations, emergency response plans.
  14. Unrestricted Data: Data which, if available to the public, will not harm an individual, group, or NSHE institution. Examples: WNC/NSHE/SCS home pages, press releases, job announcements, advertisements, meeting agendas.
  15. US-CERT: United States Computer Emergency Readiness Team under the Department of Homeland Security
  16. WNC: Western Nevada College

Section 4: Severity Determination


Computing Services will use the following criteria to determine the severity classification of an incident.

  1. Class 3: Highest Severity (If the answer is Yes to any of the following questions regarding an incident, then it is a Class 3 incident.)
    1. Data security. Is there a reasonable expectation that critical data was acquired by an unauthorized person as a result of this incident?
      1. Are data protected by privacy rules or legislation involved? For example:
        • Non-directory student data as defined by FERPA
        • Social Security Number
        • Bank account, credit card, or other private financial information
        • Nevada drivers license number
        • Any medical records or protected health information as defined in HIPAA
      2. Are other data security issues involved? For example:
        • Passwords, risk assessments, or other security-related data
        • Data restricted by legal contracts, memorandums of understanding, or other agreements
        • Data that, if available to unauthorized users, would cause harm to an individual, a group, WNC, or NSHE institutions
    2. Legal issues. Does this incident involve any legal violation?
      1. Threat to persons or property
      2. Theft greater than $10,000
      3. Child pornography
      4. Copyright violations
        • Warez server (Warez refers primarily to copyrighted works distributed without fees or royalties, and may be traded, in general violation of copyright law.)
        • Unauthorized P2P (Peer to Peer) distribution or collection of music, movies, or other content protected by copyright
    3. Magnitude of service disruption. Does this incident impact WNC mission critical services?
    4. Threat. Are hosts involved in this incident actively attacking other hosts?
    5. Expanse. Is this incident widespread (over 10% of unit or greater than 100 hosts WNC-wide)?
    6. Public interest. Is there active public interest in this incident?
  2. Class 2: Medium Severity (If the answer is No to all of the Class 3 questions above, but Yes to any of the following questions then it is a Class 2 incident.)
    1. Data security. Is there a reasonable expectation that sensitive data, as defined in Section 3: Definitions, was acquired by an unauthorized person as a result of this incident? For example:
      1. Infrastructure diagrams such as building and network
      2. Strategy documents
      3. Financial information
      4. Purchasing information
      5. Policies, standards, and procedures
      6. Business recovery plans
      7. System configurations
      8. Emergency response plans
      9. Emergency equipment inventories
    2. Legal issue. Does this incident involve a legal violation? For example:
      1. Theft less than $10,000
      2. Harassment
    3. Magnitude of service disruption. Is it likely that this incident will impact WNC mission critical services?
    4. Threat. Is an attack likely to occur from hosts involved in this incident?
    5. Expanse. Is this incident somewhat widespread (3-10% of unit or 10-100 hosts WNC-wide)?
    6. Public interest. Is there likely to be public interest in this incident?
  3. Class 1: Lowest Severity (If an incident meets the definition of an incident and if the answer is No to all of the Class 2 and Class 3 questions above, then it is a Class 1 incident.)
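The questions above form a decision procedure: any "Yes" to a Class 3 question makes the incident Class 3; otherwise any "Yes" to a Class 2 question makes it Class 2; otherwise it is Class 1. The Python below is an added worked example of that procedure and is not part of the WNC policy. It records which criteria fired so that the handler's severity determination can be carried into the incident report. The policy does not say how to treat exactly 10% of a unit, exactly 100 hosts, or a theft of exactly $10,000; the code treats those boundary cases as Class 2, which is an assumption made here.

```python
"""Severity classification following the Section 4 questions (Class 3 / Class 2 / Class 1).
Added worked example, not WNC policy text. Boundary cases the policy leaves unspecified
(exactly 10% of a unit, exactly 100 hosts, exactly $10,000) are treated as Class 2 here;
that is an assumption of this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IncidentFacts:
    """Answers to the Section 4 questions, as gathered by the incident handler."""
    critical_data_acquired: bool = False      # 4.1.1: critical data (PII, FERPA, HIPAA, passwords)
    sensitive_data_acquired: bool = False     # 4.2.1: sensitive data (diagrams, configs, plans)
    threat_to_persons_or_property: bool = False
    theft_amount_usd: Optional[float] = None  # None when no theft is involved
    child_pornography: bool = False
    copyright_violation: bool = False         # warez server, unauthorized P2P
    harassment: bool = False
    mission_critical_impacted: bool = False   # 4.1.3: services are impacted now
    mission_critical_likely: bool = False     # 4.2.3: impact is likely
    actively_attacking_others: bool = False   # 4.1.4
    attack_likely: bool = False               # 4.2.4
    percent_of_unit: float = 0.0              # share of the unit's hosts involved
    hosts_wnc_wide: int = 0                   # hosts involved college-wide
    public_interest_active: bool = False      # 4.1.6
    public_interest_likely: bool = False      # 4.2.6


def expanse_class(percent_of_unit: float, hosts_wnc_wide: int) -> int:
    """4.1.5 / 4.2.5: over 10% of unit or more than 100 hosts -> 3;
    3-10% of unit or 10-100 hosts -> 2; otherwise no expanse finding (0)."""
    if percent_of_unit > 10 or hosts_wnc_wide > 100:
        return 3
    if percent_of_unit >= 3 or hosts_wnc_wide >= 10:
        return 2
    return 0


def class3_reasons(f: IncidentFacts) -> List[str]:
    """Every Class 3 question answered 'Yes', in the order the policy lists them."""
    reasons = []
    if f.critical_data_acquired:
        reasons.append("critical data acquired by unauthorized person")
    if f.threat_to_persons_or_property:
        reasons.append("threat to persons or property")
    if f.theft_amount_usd is not None and f.theft_amount_usd > 10_000:
        reasons.append("theft greater than $10,000")
    if f.child_pornography:
        reasons.append("child pornography")
    if f.copyright_violation:
        reasons.append("copyright violation")
    if f.mission_critical_impacted:
        reasons.append("mission critical services impacted")
    if f.actively_attacking_others:
        reasons.append("hosts actively attacking other hosts")
    if expanse_class(f.percent_of_unit, f.hosts_wnc_wide) == 3:
        reasons.append("widespread (>10% of unit or >100 hosts)")
    if f.public_interest_active:
        reasons.append("active public interest")
    return reasons


def class2_reasons(f: IncidentFacts) -> List[str]:
    """Every Class 2 question answered 'Yes', in the order the policy lists them."""
    reasons = []
    if f.sensitive_data_acquired:
        reasons.append("sensitive data acquired by unauthorized person")
    if f.theft_amount_usd is not None and f.theft_amount_usd <= 10_000:
        reasons.append("theft of $10,000 or less")  # exactly $10,000 assumed Class 2
    if f.harassment:
        reasons.append("harassment")
    if f.mission_critical_likely:
        reasons.append("likely impact to mission critical services")
    if f.attack_likely:
        reasons.append("attack likely from involved hosts")
    if expanse_class(f.percent_of_unit, f.hosts_wnc_wide) == 2:
        reasons.append("somewhat widespread (3-10% of unit or 10-100 hosts)")
    if f.public_interest_likely:
        reasons.append("public interest likely")
    return reasons


def classify(f: IncidentFacts) -> tuple:
    """Class 3 if any Class 3 answer is 'Yes'; else Class 2 if any Class 2 answer is 'Yes';
    else Class 1. Returns (class, reasons) for the incident report."""
    r3 = class3_reasons(f)
    if r3:
        return 3, r3
    r2 = class2_reasons(f)
    if r2:
        return 2, r2
    return 1, ["no Class 2 or Class 3 criteria met"]


if __name__ == "__main__":
    # Constructed sample: 40 hosts involved, no data loss, not attacking anyone yet.
    print(classify(IncidentFacts(hosts_wnc_wide=40, attack_likely=True)))
```

Because the Class 3 check runs first, a single Class 3 finding (for example critical data exposure on five hosts) outranks any number of Class 2 findings, which matches the "No to all of the Class 3 questions" precondition for Class 2.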

Section 5: Incident Response Procedures


  1. Incident Response Procedures for Vulnerabilities (Examples: vulnerability scan results; patch or upgrade needed; weak password; unrestricted access; vendor notification)
    1. Discovery: WNC receives notification of potential operating system and application vulnerabilities from a variety of sources, including but not limited to: vulnerability scans, individuals reporting an issue, vendor notifications, US-CERT alert notifications, and SCS.
    2. Upon discovery of a vulnerability:
      1. Report the vulnerability to the Information Security Officer (ISO).
      2. A ticket is created and assigned to the appropriate functional area for investigation and remediation.
      3. If the vulnerability exposes Personally Identifiable Information (PII) that is processed, stored, or transmitted by the reported system or application, notify the ISO.
      4. Escalate the incident to investigate potential compromise of IT resources. Follow procedures below for Compromise of IT Resources.
    3. If the vulnerability can be resolved within 30 days:
      1. Remediate the vulnerability.
      2. The Information Security Officer will rescan or validate the remediation.
      3. Close the ticket if resolved.
    4. If the vulnerability cannot be remediated within 30 days but can be remediated in less than 6 months:
      1. Complete the Vulnerability Remediation Process (APPENDIX C), to be signed off by the Computing Services Director.
      2. File the Remediation Plan with the ISO.
      3. The ISO will follow up by the date listed for remediation to validate successful completion of the remediation plan.
    5. If remediation is not completed by date provided and signed off by Computing Services Director, ISO will notify the Vice President of Administrative Services and schedule a meeting with the Vice President of Administrative Services and the Computing Services Director to determine a course of action to remediate the vulnerability.
    6. If the vulnerability cannot be remediated within 6 months due to application conflict or other cause:
      1. The Computing Services Director will complete a Risk Acceptance Form and submit it to SCS. SCS will sign off as accepting the risk on behalf of WNC.
      2. The completed Risk Acceptance Form will be submitted to the ISO and will be followed up on after 6 months to see if the vulnerability can be remediated at that time. The Risk Acceptance Form is found under APPENDIX E.
  2. Incident Response Procedures for Compromised IT Resources (Examples: attack/exploit, backdoor or Trojan, denial of service, malware, unauthorized access, unauthorized disclosure)
    1. Open ticket and notify ISO.
    2. ISO will assign an incident handler through ticketing system.
    3. Incident handler will determine severity based on severity classification standard and provide appropriate internal notification.
    4. Incident handler will gather information as per APPENDIX F: WNC Incident Report standard.
    5. Incident handler will, with the assistance of need-to-know internal technical experts if required, perform an initial assessment depending on the OS, application, symptoms, and role of system:
      1. DO NOT USE THE COMPROMISED SYSTEM'S OWN COMMANDS OR UTILITIES! (Run known-good copies from the response toolkit instead.)
      2. Write down each command performed on any live system.
      3. Minimize any actions that write to disk.
      4. Gather and save any pertinent log information, including but not limited to:
        • Local application, security, and system logs
        • Anti-virus log files
        • Network, IDS, and SEIM logs
      5. Record network connections using a known-good command (run from a secured USB device).
      6. Record all running processes using a known-good command (run from a secured USB device).
      7. On workstations, provide an inventory list for the system in question.
    6. Mitigate the damage
      1. If system is attacking others: disconnect system from network.
      2. If suspicion of backdoor or other unauthorized listening port: disconnect from network.
      3. If system contains PII and compromised: disconnect from network.
      4. Disable any process that is actively corrupting or deleting data.
      5. Disable any malware processes.
      6. Change any passwords that may have been compromised.
    7. Create a forensic image using authorized tools if:
      1. The compromise may lead to a criminal investigation.
      2. The system needs to get back online quickly by re-installing (the investigation may continue).
      3. The compromise may lead to a legal or HR/Personnel related investigation.
      4. The cause of the compromise is not readily known and a more detailed investigation is needed.
    8. Investigation
      1. Perform log analysis
      2. Perform forensic analysis
      3. Evidence documentation
      4. Produce incident report for Class 3 and Class 2 incidents using WNC Incident Report template under APPENDIX F.
  3. Incident Response Procedures for Copyright Infringement:
    SCS receives copyright infringement notifications for multiple NSHE campuses, including WNC. Most notifications are received via e-mail to the abuse or hostmaster addresses. When a notification is received:
    1. The WNC Network Functional Area will open a ticket and review the IP address information to determine the appropriate routing of the infringement.
    2. Notification is sent to the WNC Information Security Officer and the Director of Computing Services.
    3. If the IP address in question is assigned to another NSHE institution, K-12 school, or agency, send the complaint notification back to SCS.
    4. If the IP address in question is on a WNC managed network, the ISO will be notified and a ticket will be assigned to the Network Admin Functional Area.
    5. The ISO shall promptly acknowledge notification of each infringement claim. If the notification fails to supply the required information, the ISO shall promptly attempt to contact the person making the notification or take other reasonable steps to assist in the receipt of a notification that substantially complies.
    6. The ISO will examine the notification for:
      1. Identification of the copyrighted work claimed to have been infringed.
      2. Identification of the material that is claimed to be infringing and that is to be taken down or disabled, and information reasonably sufficient to enable WNC to locate the material.
      3. A statement that the complainant has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, the owner's agent, or the law.
      4. A statement that the information in the notification is accurate and that, under penalty of perjury, the complainant is authorized to act on behalf of the copyright owner.
    7. If the complaint meets the appropriate requirements, the ISO shall direct prompt removal of the material or removal of all local or wide area network access to the material or activity claimed to be infringing.
    8. The ISO will take reasonable steps to notify the alleged infringer promptly of the take-down. This notice will specify the information required to make a counterclaim.
    9. The ISO may terminate access and exercise disciplinary and/or other corrective measures for any copyright infringement claim, including repeated claims and/or violations or flagrant misuse of WNC information systems equipment or network connections and/or services.
  4. Incident Response Procedures for Counter-notification
    If the person responsible for the allegedly infringing distribution of copyrighted material believes the material was misidentified or the distribution was lawful, they should send a counter-notification to the ISO containing the following:
    1. A physical signature of the person responsible for the allegedly infringing distribution.
    2. An incident handler will be assigned by the ISO and will gather information as per APPENDIX E: Risk Assessment Report standard.
    3. A statement under penalty of perjury that the alleged infringer has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material.
    4. The alleged infringer's name, address and telephone number, and a statement that the alleged infringer consents to the jurisdiction of the federal district court for the judicial district in which the alleged infringer is located and that the alleged infringer will accept service of process from the complainant.
    5. Once the complaining party receives the counter-notification, the DMCA permits WNC, as a service provider, to restore the materials or access within two weeks unless the complaining party serves notice that it intends to seek a court order to restrain the infringement. WNC, NSHE, or SCS policy may mandate, for other reasons, that materials or access not be restored and that other investigation, containment, or disciplinary measures proceed.
  5. Incident Response Procedure for Suspicious Activity (Examples: sweeps, scans, unusual connections, excessive bandwidth consumption)
    Sweeps and scans are common occurrences; however, a sweep/scan coming from a WNC institutional network against SCS controlled resources, specifically iNtegrate, or from within SCS, can indicate a compromised system.
    1. A ticket will be opened and assigned to the ISO.
    2. An incident handler will be assigned by the ISO and will gather information as per Policy Documents: Risk Assessment Report standard.
    3. If the scan/sweep is coming from a WNC Institution, the ISO from SCS will inform the appointed ISO and provide the information gathered by the SCS incident handler.
    4. If the same IP address continues to scan/sweep SCS resources, specifically iNtegrate, after notification, the WNC ISO will instruct that the IP address be blocked via firewall or router ACL.
    5. If the scan/sweep originates from within WNC and is not authorized by the WNC ISO, an investigation will be conducted to determine the cause of the scan/sweep and if violation of Acceptable Use or WNC Computer Use policy has occurred. The ISO will notify the Computing Services Director and the Vice President of Administrative Services and the Vice President of Academic and Student Affairs regarding any such violation of policy and investigation.
    6. Excessive bandwidth consumption and unusual connections are most often discovered through network reports, SIEM and IDS alerts, and other network monitoring tools. Upon report of such suspicious activity:
      1. A ticket will be opened and assigned to the ISO.
      2. An incident handler will be assigned by the ISO and will gather information as per APPENDIX E: Risk Assessment Report standard.
      3. The incident handler will, with the assistance of need-to-know internal technical experts if required, perform an initial assessment depending on the OS, application, symptoms, and role of the system:
        1. DO NOT USE THE COMPROMISED SYSTEM'S OWN COMMANDS OR UTILITIES! (Run known-good copies from the response toolkit instead.)
        2. Write down each command performed on any live system.
        3. Minimize any actions that write to disk.
        4. Gather and save any pertinent log information, including but not limited to:
          • Local application, security, and system logs
          • Anti-virus log files
          • Network, IDS, and SEIM logs
        5. Record network connections using a known-good command (run from a secured USB device).
        6. Record all running processes using a known-good command (run from a secured USB device).
        7. On workstations, provide an inventory list for the system in question.
      4. Create a forensic image using authorized tools if:
        1. The compromise may lead to a criminal investigation.
        2. The system needs to get back online quickly by re-installing (the investigation may continue).
        3. The compromise may lead to a legal or HR/Personnel related investigation.
        4. The cause of the compromise is not readily known and a more detailed investigation is needed.
  6. Notification
    Per NRS 603A.220 (APPENDIX I), notification of any breach of the security of the system data must be provided to the owner of the PII immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    1. Notification methods may include:
      1. Written notification
      2. Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in the Global and National Commerce Act.
      3. Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the data collector does not have sufficient contact information.
        Substitute notification must consist of all the following:
        • Notification by electronic mail when the data collector has electronic mail addresses for the subject persons.
        • Conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains an Internet website.
        • Notification to major statewide media.
    2. If any incident is determined to meet or believed to meet the definition of a data breach of personally identifiable information as per Nevada Revised Statute, the ISO will notify the Vice President of Administrative Services and General Counsel who shall determine the appropriate course of action to comply with State law.
  7. Post Incident
    1. After an incident has been resolved it is important that Computing Services review the response to improve the incident response procedures. The lessons learned review should be conducted within two weeks of the incident closure for Class 2 and Class 3 incidents.
      1. The incident handler assigned to the incident will summarize the incident and the results of the response.
      2. The ISO will send a summary to the Vice President of Administrative Services and General Counsel.
      3. The incident handler will schedule a meeting of Computing Services.
      4. The incident response team will determine action items necessary to improve the incident response procedures.
      5. Computing Services will update and publish current documentation within 30 days of the Post Incident Review.
    2. Note: Incidents involving personnel should remain confidential and therefore will not be subject to this review. Incident reviews where PII, legal, or law enforcement matters are involved will be conducted at the discretion of the Vice President of Administrative Services and General Counsel.
  8. Incident Documentation
    1. When a potential incident is reported to the ISO and assigned an incident handler, the first step is to classify the incident and initiate the appropriate response procedures. This involves gathering information and documenting the incident, assessing the reported information to determine the severity, and determining the incident type. See APPENDIX H for Data for Incident Documentation Reporting.

Section 6: References


  1. Response Toolkit
    1. All incident handlers and responders should have available to them a set of tools kept on CD and/or USB device to provide investigation of live systems without using potentially compromised commands/utilities. Additionally, some tools can be run through online services such as Sysinternals Live, found at http://live.sysinternals.com
  2. Recommended Tools
    1. Sysinternals Suite (the following utilities are of particular use for investigation)
    2. Autoruns: shows detailed system auto-starting locations and programs
    3. Process Explorer: shows information about which handles and DLLs processes have opened or loaded
    4. PsInfo: gathers key information about the local or remote system
    5. PsLogList: lets you dump the contents of an Event Log on the local or a remote computer
    6. PsService: displays the status, configuration and dependencies of a service
    7. RootkitRevealer: advanced rootkit detection for Windows XP 32-bit and Server; its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit
    8. TCPView: shows detailed listings of all TCP and UDP endpoints on your system and the state of the TCP connections. Tcpvcon is a command-line version with the same functionality.
    9. HijackThis: identifies browser hijacks and other malware set to run at startup
    10. http://www.eventid.net/search.asp is a database of event IDs with more information on suspicious entries
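The initial assessment steps in Section 5 (write down each command, minimize writes to disk, record network connections and running processes using a known-good command from a secured USB device) and the Response Toolkit above describe a live-response collection. The Python below is an added example of how a responder can carry those steps out in a repeatable way; it is not WNC's own tooling. It invokes each tool by its absolute path on the responder's device rather than by name, so the suspect system's PATH is never consulted, writes every output and the command log to that same device, and records for each command the UTC time, the exact command line, a SHA-256 of the tool binary (so the "known good" claim can be checked afterwards) and a SHA-256 of the saved output. The USB mount path, the tool file names and the output layout are assumptions; the Sysinternals tools named are those from the Recommended Tools list plus PsList, and the Linux branch assumes statically linked copies of the usual utilities on the device. `demo_collection` stands in for the USB tools with the running Python interpreter so the logging path can be exercised offline.

```python
"""Live-response collection for the initial assessment steps: known-good commands only,
every command written down, all output kept off the suspect disk. Added example, not WNC's
tooling; USB mount path, tool names and output layout are assumptions."""
import datetime
import hashlib
import platform
import subprocess
import sys
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_logged(case_dir, label: str, argv: list, timeout: int = 120) -> dict:
    """Run one known-good command; save its output and an audit record under case_dir.

    case_dir should be on the responder's USB device so nothing is written to the suspect
    disk. The record captures when the command ran, the exact argv, the hash of the tool
    binary and the hash of the saved output."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    started = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    tool = Path(argv[0])
    tool_digest = sha256_hex(tool.read_bytes()) if tool.is_file() else "not-a-file"
    out_path = case_dir / f"{label}.txt"
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        out_path.write_bytes(proc.stdout + proc.stderr)
        exit_code = proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is still part of the record of what was attempted.
        out_path.write_text(f"command failed: {exc}\n", encoding="utf-8")
        exit_code = -1
    record = {
        "time_utc": started, "label": label, "command": " ".join(argv),
        "tool_sha256": tool_digest, "exit": exit_code, "case_dir": str(case_dir),
        "output_file": out_path.name, "output_sha256": sha256_hex(out_path.read_bytes()),
    }
    fields = ("time_utc", "label", "exit", "tool_sha256", "output_sha256", "command")
    with (case_dir / "command_log.tsv").open("a", encoding="utf-8") as log:
        log.write("\t".join(str(record[k]) for k in fields) + "\n")
    return record


def read_command_log(case_dir) -> list:
    """The 'write down each command' record, one tab-separated line per command."""
    return (Path(case_dir) / "command_log.tsv").read_text(encoding="utf-8").splitlines()


def collection_plan(tool_dir) -> list:
    """(label, argv) pairs for the volatile-data steps. Each tool is addressed by absolute
    path on the USB (tool_dir), never by bare name, so the suspect PATH is not used."""
    tool_dir = Path(tool_dir)
    if platform.system() == "Windows":
        return [  # Sysinternals command-line tools (assumed to be present on the USB)
            ("network_connections", [str(tool_dir / "tcpvcon.exe"), "-a", "-n"]),
            ("running_processes", [str(tool_dir / "pslist.exe"), "-accepteula"]),
            ("autostart_entries", [str(tool_dir / "autorunsc.exe"), "-accepteula"]),
        ]
    return [  # statically linked Linux utilities (assumed to be present on the USB)
        ("network_connections", [str(tool_dir / "ss"), "-tunap"]),
        ("running_processes", [str(tool_dir / "ps"), "auxww"]),
        ("logged_in_users", [str(tool_dir / "who"), "-a"]),
    ]


def collect_volatile_data(tool_dir, case_dir) -> list:
    return [run_logged(case_dir, label, argv) for label, argv in collection_plan(tool_dir)]


def demo_collection(case_dir=None) -> list:
    """Offline demonstration: the Python interpreter stands in for the USB tools, and a
    deliberately missing tool shows how a failed command is still logged."""
    case_dir = Path(case_dir or tempfile.mkdtemp(prefix="ir_case_"))
    plan = [
        ("probe_ok", [sys.executable, "-c", "import sys; sys.stdout.buffer.write(b'hello\\n')"]),
        ("probe_missing_tool", [str(case_dir / "no_such_tool"), "-a"]),
    ]
    return [run_logged(case_dir, label, argv) for label, argv in plan]


if __name__ == "__main__":
    # Assumed USB mount point; the case directory lives on the same device.
    usb = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/media/responder/ir-tools")
    for rec in collect_volatile_data(usb, usb / "cases" / "incident-PLACEHOLDER"):
        print(rec["time_utc"], rec["label"], "exit", rec["exit"], rec["output_sha256"][:16])
```

Run it as `python collect.py /media/responder/ir-tools` (path assumed) from the responder's device; the resulting `command_log.tsv` is the written record the assessment steps ask for, and the per-tool hashes let the handler show later that the binaries used were the toolkit's, not the suspect system's.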

Section 7: Files/Forms


  1. APPENDIX A: Incident Response General Flow
  2. APPENDIX C: Vulnerability Remediation Process
  3. APPENDIX D: Copyright and REN-ISAC Notification Process
  4. APPENDIX E: WNC Risk Acceptance Form
  5. APPENDIX F: WNC Security Incident Reporting Template
  6. APPENDIX G: Incidents involving Personally Identifiable Information (PII)
  7. APPENDIX H: Documentation Data List
  8. APPENDIX I: NRS603A.220

Date(s) Revised: February 11, 2014; Date(s) Reviewed:

NSHE Code(s): ; NRS Code(s): 603A.220; NAC Code(s):
Code Statement:
References
*Please note that not all WNC Policies will be referenced in these documents.
WNC ByLaws
NSHE Board of Regents Handbook
Nevada Revised Statutes (NRS)
Nevada Administrative Code (NAC)