UFIT Security Incident Response Procedures, Standards, and Guidelines

Table of Contents

  1. Introduction
  2. Incident Response Procedures
    1. Incident Response Procedures for Vulnerabilities
    2. Incident Response Procedures for Compromised IT Resources
    3. Incident Response Procedures for Copyright Infringement
    4. Incident Response Procedures for Violations of the UF Acceptable Use of Computing Resources policy (AUP)
    5. Incident Response Procedures for Suspicious Activity
  3. Supporting Incident Response Standards, Procedures, and Guidelines
    1. Critical IT Resources Standard
    2. Critical IT Resource Registration Procedures
    3. Service Interruption Notification Procedures
    4. Incident Tracking Standard
    5. Incident Severity Classification Guidelines
  4. Appendix
    1. Summary of Response Procedures for Incidents Involving Law Enforcement
    2. Summary of Incident Response for Legal Issues
    3. Summary of Internal and Public Communication Notification Procedures
  5. References
    1. Forensics

I. Introduction

An IT security incident, for the purpose of all University of Florida (UF) Information Technology (IT) Regulations, is defined as an event that impacts or has the potential to impact the confidentiality, availability, or integrity of UF IT resources.  Standards, procedures, and guidelines regarding IT security incident response are included in this document.  Specific procedures vary depending on the type of incident, but all procedures include the following steps:

  1. Discovery
  2. Documentation
  3. Notification
  4. Acknowledgment
  5. Containment
  6. Investigation
  7. Resolution
  8. Closure

In order to coordinate response to and resolution of IT security incidents, UF has established an incident response team (IRT).  The UF Incident Response Team (UFIRT) is led by the UF Information Security Manager (ISM) or their designee.  UFIRT is composed of IT security staff reporting to the UF ISM, and others as appropriate for the incident.  UFIRT:

  • Has primary authority in response decisions for UF IT security incidents
  • Coordinates incidents from discovery through resolution and closure
  • Assesses threats to UF IT resources
  • Determines vulnerabilities of UF IT resources
  • Processes IT security complaints or incidents reported by others
  • Alerts campus IT workers of active threats

The following list describes responsibility for each step in the typical incident response process:

  1. UFIRT maintains systems to discover security incidents involving UF IT resources
  2. UFIRT documents IT security incidents in a tracking system
  3. UFIRT sends notifications to unit IT workers identifying the type of incident
  4. Unit must acknowledge the notification
  5. Unit must contain the incident as soon as possible
  6. Unit must investigate and update the tracking system with details of the investigation
  7. UFIRT, using details from the investigation, determines incident severity
  8. Units must update the tracking system when the incident is resolved
  9. UFIRT reviews incidents in the tracking system and closes tickets as appropriate

UFIRT can be contacted with any questions regarding incident response. The Level 2 Unit ISM should form and prepare incident response teams in their unit.  Unit incident response teams are led by the Level 2 Unit ISM or their designee and composed of unit IT workers listed in the Network Services contact database and others as appropriate to the incident.  Units must respond to and resolve all incidents reported to them by UFIRT.  They must report to UFIRT all incidents discovered in their unit that have the potential to impact other units.

II. Incident Response Procedures

II.A.  Incident Response Procedures for Vulnerabilities

Examples: patch or upgrade needed, weak password, unrestricted access

II.A.1.  Discovery.  The UF Incident Response Team assesses threats to UF IT resources.  When a threat is discovered, it is documented and IT workers are alerted.  When possible, UF IT resources are assessed for vulnerability to the newly discovered threat and appropriate contacts are notified.  UFIRT continuously scans UF address space for vulnerabilities of concern.  Level 2 Unit ISMs must ensure vulnerability and threat assessment within their unit.  A vulnerability scanner is available to authorized UF network and server administrators from the Infosec web site at https://infosec.ufl.edu/cgi-bin/newscan/.  IT workers must vet security lists, web sites and other resources for patches to vulnerabilities in software for which they are responsible.

II.A.2. Documentation.  UFIRT tracks discovered vulnerabilities in a tracking system.

II.A.3.  Notification. When a vulnerability is discovered by the UF Incident Response Team, appropriate contacts are notified via email.  Contacts are identified from the Network Services subnet and domain contact resources (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi).  The recipient list of UFIRT notifications may be augmented as needed to include staff with appropriate knowledge and skills.

II.A.4.  Acknowledgment.  Not all vulnerability notifications require acknowledgment; follow the instructions included with the notification.  For accurate tracking of vulnerabilities and to avoid erroneous notifications, false positives should be reported using the URL included with the notification.

II.A.5. Containment.  IT resources with vulnerabilities should be contained until the vulnerability is resolved.

II.A.6. Investigation.  Network and server managers must investigate vulnerabilities identified in notifications.  IT workers must research applicable security resources to determine the appropriate remediations.

II.A.7.  Resolution.  Network and server managers must resolve vulnerabilities identified in notifications.  IT workers should follow unit change management procedures to make software updates.  Common resolutions to correct a vulnerability include upgrading and patching.  Alternatives include physical, network, host, user and/or other access restrictions.  Other resolutions may also apply.

II.A.8.  Closure.   UFIRT reviews the tracking system and closes tickets when appropriate.  UFIRT has primary authority in response decisions for UF IT security incidents and coordinates incidents from discovery through resolution and closure.  UFIRT can be contacted with any questions regarding incident response.

II.B.  Incident Response Procedures for Compromised IT Resources

Examples:   attack/exploit, backdoor or trojan, denial of service, malware, unauthorized access

II.B.1. Discovery.  UFIRT receives and processes discovery notifications from other sources.  UFIRT manages systems to discover compromised IT resources on the UF network.  Units must deploy systems to detect compromised IT resources within their unit as needed.  Units must notify UFIRT of compromises discovered in their unit that have the potential to impact other units. If one UF unit becomes aware of a compromised IT resource in another UF unit, the manager of the network containing the compromised resource should be notified, and the UFIRT and the Level 2 ISM for that unit should be copied.  Network manager contact information is maintained by UF Network Services (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi).

II.B.2. Documentation.  The UFIRT documents incidents of compromised IT resources in a tracking system.  Units should track compromises in their own tracking system.  Recommendations for tracking systems include RTIR, GNATS, or SANS.  The Level 2 Unit ISM retains a detailed log, including accurate times, maintained during the incident.  The Level 2 Unit ISM ensures preparation of a summary of the incident for:

    • the Level 2 Unit ISA,
    • affected Data Principals and
    • other relevant management.

The following information should be included in the summary:

    • How the incident was detected
    • Dates
      • Inferred date of compromise
      • Date the compromise was detected
      • Date the incident was contained
      • Date the incident was finally resolved
    • Names
      • People added to the Unit Incident Response Team for this incident
      • Person responsible for the IT Resource
      • Person compromising the resource, if known
    • Investigation and scope
      • Cause of the compromise
      • Impact of the incident
      • Incident severity
      • Nature of the resolution
      • Proposed improvements

The summary for management will probably contain sensitive information and in any case would not be targeted at the user community.  Where appropriate, the Level 2 Unit ISM should also prepare an incident summary for the users, using the incident as an object lesson to reinforce safe practices.

II.B.3. Notification.  Contacts for compromises detected by UFIRT are identified using the UF Network Services subnet and domain contact resources (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi).  The recipient list of UFIRT notifications may be augmented as needed to include staff with appropriate knowledge and skills.  Appropriate contacts are notified and recorded in the tracking system.  The Level 2 Unit ISM will be copied on all notifications.  Follow the URL in the notification to a web form that is to be used for entering updates about the incident.  If no URL is provided, contacts must respond to the original notification, including the content of the original notification, to acknowledge receipt, containment and commencement of the investigation.

If any incident involves unauthorized disclosure or acquisition of private data, UF and Level 2 Unit ISMs must notify the UF Privacy Officer.  The Privacy Officer will direct notification to university administration, law enforcement and other parties as appropriate.  UF and Level 2 Unit ISMs must notify the UF Vice Provost for Information Technology (VPIT) of any incident that impacts mission critical service at the institutional level.  Law enforcement should be notified immediately of incidents involving a threat to persons or property.  The UF Office of General Counsel (OGC) should be consulted regarding other incidents before contacting law enforcement.  UF and applicable subsidiary Level 2 Unit ISMs must consult with the Level 2 Unit ISA and the OGC to determine if law enforcement should be notified.  When incidents involve law enforcement, contact the University Police Department (UPD) and the OGC.

IT workers do not make disciplinary decisions unless they are the supervisor of the violator.  If the incident involves a student, notify Student Judicial Affairs (SJA).  If the incident involves an employee, notify the appropriate Dean, Director or Department Head.  In all events, follow UF disciplinary procedures defined by UF Human Resources.  UF and Level 2 Unit ISMs must notify NAPA of any incident likely to draw public interest.  Individual units might have public relations contacts that must be notified of incidents likely to draw public interest; for more information consult your Level 2 Unit ISM.  UFIRT must be notified when any unit discovers an incident that poses a potential threat to other IT resources or crosses Level 2 Unit boundaries to impact other units.  The Level 2 Unit ISM must be notified regarding any incident within their unit.

II.B.4.  Acknowledgment.  UFIRT notifications should be acknowledged immediately.

II.B.5.  Containment.  UF IT resources engaged in active attacks against other IT resources must be contained immediately.  Unless further investigation requires unrestricted access, all other compromises must be contained as soon as possible, but no later than the same business day in which the notification is received.  Service might be interrupted to hosts involved in compromises that are not contained on the same business day.  For special consideration regarding service disruption, critical servers can be registered according to the Critical IT Resource Registration Procedures detailed in this document.  Containment can be achieved by immediately disconnecting the resource from the network, revoking user access, or other means as appropriate.  Unit IT workers may coordinate with the UFIRT to restrict access to compromised hosts that can’t be immediately disconnected or must remain connected in a restricted environment for the purpose of investigation or providing service.  UFIRT has the authority to coordinate with Network Services to block compromised services and/or hosts that present a definitive danger to the rest of the network.  Notification will follow the Service Interruption Notification Procedures detailed in this document.

II.B.6.  Investigation.  Investigation includes analysis, identification, prioritization, and evidence collection and retention.

  1. Analysis.  Compromised hosts must be assessed.
    1. http://sans.org/resources/winsacheatsheet.pdf
    2. http://www.sans.org/score/checklists/ID_Windows.pdf
    3. http://www.sans.org/score/checklists/ID_Linux.pdf
  2. Identification.  Identify source as appropriate, including user, host or other resource.
  3. Evidence Collection and Retention.
    1. If forensic evidence is needed for law enforcement (see Response Procedures for Incidents Involving Law Enforcement), an image of the compromised host must be retained.  Email and any other relevant evidence must also be retained.
    2. If the method of compromise is unique or cannot be determined, evidence should be retained to aid in analysis of the incident.

If the incident involves law enforcement, secure evidence without reviewing additional content.  Network hardware, software or data may be considered evidence.  Care must be taken to preserve evidence.  A public records request, subpoena, warrant or other official request must be issued before data is released to law enforcement.  Contact OGC to review public records requests, subpoenas, and warrants before responding.  Evidence from incidents that involve an immediate threat to persons or property may be provided to law enforcement in advance of a public records request, subpoena or warrant, but OGC should be contacted if time allows. UFIRT must be informed of incident investigation details.  Using the URL provided in the original notification, IT workers should access a web form for entering details about the incident investigation.  When saved, this form will automatically notify UFIRT and update the tracking system.  If no URL is provided, contacts must respond to the original notification, including content of the original notification, to provide details of the investigation.  Using the investigation details provided by IT workers, UFIRT classifies incident severity.

II.B.7.  Resolution.  Compromises must be resolved as soon as possible, preferably the day of the notification.  Compromised hosts must be reformatted, rebuilt and have vulnerabilities resolved before reconnecting them to the network.  However, at the discretion of the UF ISM, in consultation with the Level 2 Unit ISM, compromised hosts may be cleaned and patched expeditiously.  Incidents must be resolved to the satisfaction of the UFIRT before compromised hosts are reconnected to the network or filters are lifted.  In some cases, the UFIRT may request privileged access to ensure the host is safe to resume network connectivity, or may require that it be evaluated for vulnerabilities before being placed back in service.  UFIRT must be informed of incident resolution details.  Using the URL provided in the original notification, IT workers should access a web form for entering details about the incident resolution.  When saved, this form will automatically notify UFIRT and update the tracking system.  If no URL is provided, contacts must respond to the original notification, including the content of the original notification, to acknowledge the resolution.  The incident classification must be entered in the ticket before the status is changed to Resolved.  Using the investigation details provided by IT workers, UFIRT classifies incident severity.  The IT workers responsible for the IT resource that has been compromised must distribute to impacted users and their supervisors a user-oriented summary of the compromise including:

    • Impact on the user’s work
    • Remediation or preventative measures the users should take

In particular, if passwords have been compromised, they must be reset and changed by the users, once the system has been secured.

II.B.8.  Closure.   UFIRT reviews the tracking system and closes tickets when appropriate.  UFIRT has primary authority in response decisions for UF IT security incidents and coordinates incidents from discovery through resolution and closure.  UFIRT can be contacted with any questions regarding incident response.

II.C.  Incident Response Procedures for Copyright Infringement

Examples: unlicensed movies, music, or software.

II.C.1.  Discovery.  Any formal Digital Millennium Copyright Act (DMCA) complaints received directly from a representative of the copyright holder should be referred to UF’s designated agent for DMCA complaints (dmca@ufl.edu).  Non-DMCA complaints (complaints not intended to conform to the requirements of the DMCA) should be resolved by the Level 2 Unit ISA and Unit ISM if possible.  If not easily resolved, forward non-DMCA complaints to dmca@ufl.edu.  Upon receipt of a complaint, UF’s DMCA agent will examine the notice of copyright infringement to determine whether it contains the following elements required by the DMCA:

  A. Identification of the copyrighted work claimed to have been infringed.
  B. Identification of the material that is claimed to be infringing and that is to be taken down or disabled, and information “reasonably sufficient” to enable the service provider to locate the materials.
  C. Information “reasonably sufficient” to enable the service provider to contact the complainant.
  D. A physical or electronic signature of a person authorized to act on behalf of the owner (i.e., the copyright owner or its licensee) of the right that is alleged to be infringed.
  E. A statement that the complainant has “a good faith belief” that use of the material in the manner complained of is not authorized by the copyright owner, the owner’s agent, or the law.
  F. A statement that the information in the notification is accurate and that, under penalty of perjury, the complainant is authorized to act on behalf of the copyright owner.

II.C.2.  Documentation.  UFIRT documents alleged copyright infringement complaints in a tracking system.

II.C.3.  Notification.  If the notice substantially complies with A, B, and C above, UF’s DMCA agent will forward the complaint to the appropriate IT worker and the Level 2 Unit ISM as listed in the UF Network Services contact list (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi) and send a copy to dmca@ufl.edu.  If the complaint complies with A, B, and C, but does not substantially comply with D, E, and F, more information may be requested from the complainant.  Only if the notice does not adequately comply with A, B, and C above or if the complainant does not respond to request for more information can the UF DMCA agent disregard the notice.

II.C.4.  Acknowledgment.  DMCA notifications must be acknowledged immediately.

II.C.5.  Containment.  The procedures listed below must be followed upon receipt of a notice of copyright violation from the UF DMCA Agent:

  1. The Level 2 Unit ISM will ensure that public access to the material targeted by the complaint is disabled as quickly as reasonably possible. If after one business day this action has not been taken, the UF DMCA agent will request that UF Network Services block access to the material.
  2. The Level 2 Unit ISM will ensure that the person believed to be responsible for the alleged infringing distribution of copyrighted material is notified of the complaint, and of the action taken to remove access to the material.  The person must be given an opportunity to contest the removal of the material if they believe the complainant has misidentified it or if the material is lawful.  If they choose to contest the removal, follow the counter-notification procedures in the Investigation step below.
  3. If the material in question is not legally possessed by the person believed responsible for making it publicly accessible, the Level 2 Unit ISM will ensure that the material is removed from the system on which it was found.
  4. The Level 2 Unit ISM will ensure that the UF DMCA agent is notified when the material is no longer publicly accessible, and that the UF DMCA agent is notified if the person responsible for distributing the material is contesting its removal.
  5. If the person responsible for distributing the material is a student, forward the matter to the Office of Student Judicial Affairs.  If the person is an employee, notify the appropriate Dean, Director, or Department Chair.

II.C.6.  Investigation.  If the person responsible for the alleged infringing distribution of copyrighted material believes the material was misidentified or the distribution was lawful, they should send a counter-notification to the UF DMCA agent.  The counter-notification must contain the following:

  1. A physical or electronic signature of the person responsible for the alleged infringing distribution.
  2. Identification of the material (or the location of the material) to which public access has been disabled.  The identification should match the original identification provided by the complainant.
  3. A statement under penalty of perjury that the alleged infringer has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material.
  4. The alleged infringer’s name, address and telephone number, and a statement that the alleged infringer consents to the jurisdiction of the federal district court for the judicial district in which the alleged infringer is located and that the alleged infringer will accept service of process from the complainant.

II.C.7.  Resolution.  The UF DMCA agent should work with the alleged infringer to obtain any missing components of the counter-notification.  When the counter-notification is complete, the UF DMCA agent will forward it to the complainant, along with a notification that the removed material may be restored in ten business days unless legal action is commenced against the alleged infringer.  If the complainant fails to notify the UF DMCA agent that it has initiated legal proceedings within ten business days after receiving a counter-notification, the UF DMCA agent will notify the Level 2 Unit ISM that the material may be returned to public distribution.

II.C.8.  Closure.   UFIRT reviews DMCA incidents in the tracking system and closes tickets as appropriate.  UFIRT has primary authority in response decisions for UF DMCA incidents and coordinates incidents from discovery through resolution and closure.  UFIRT can be contacted with any questions regarding incident response.

II.D.  Incident Response Procedures for Violations of the UF Acceptable Use of Computing Resources policy (AUP)

Examples: excessive or disruptive use, complaint, spam, inappropriate content, suspicious activity.

II.D.1.  Discovery.  IT workers that identify violations of the UF Acceptable Use of Computing Resources policy should take action as reasonably necessary to protect UF and IT resources, and notify the violator of the action.

II.D.2.  Documentation.  UFIRT documents AUP violations in a tracking system.

II.D.3.  Notification.  Contacts for AUP violations detected by UFIRT are identified using the UF Network Services subnet and domain contact resources (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi).  The recipient list of UFIRT notifications may be augmented as needed to include staff with appropriate knowledge and skills.  Appropriate contacts are notified and recorded in the tracking system.  The Level 2 Unit ISM will be copied on all notifications.  Follow the URL in the notification to a web form that is to be used for entering updates about the incident.  If no URL is provided, contacts must respond to the original notification, including the content of the original notification, to acknowledge receipt, containment and commencement of the investigation.

If any incident involves unauthorized disclosure or acquisition of private data, UF and Level 2 Unit ISMs must notify the UF Privacy Officer.  The Privacy Officer will direct notification to university administration, law enforcement and other parties as appropriate.  Law enforcement should be notified immediately of incidents involving a threat to persons or property.  The UF Office of General Counsel (OGC) should be consulted regarding other incidents before contacting law enforcement.  UF and applicable subsidiary Level 2 Unit ISMs must consult with the Level 2 Unit ISA and the OGC to determine if law enforcement should be notified.  When incidents involve law enforcement, contact the University Police Department (UPD) and the OGC.

IT workers do not make disciplinary decisions unless they supervise the violator.  If the incident involves a student, notify Student Judicial Affairs (SJA).  If the incident involves an employee, notify the appropriate Dean, Director or Department Head.  In all events, follow UF disciplinary procedures defined by UF Human Resources.  UF and Level 2 Unit ISMs must notify NAPA of any incident likely to draw public interest.  Individual units might have public relations contacts that must be notified of incidents likely to draw public interest; for more information consult your Level 2 Unit ISM.  UFIRT must be notified when any unit discovers an incident that poses a potential threat to other IT resources or crosses Level 2 Unit boundaries to impact other units.  The Level 2 Unit ISM must be notified regarding any incident within their unit.

II.D.4.  Acknowledgment.  UFIRT notifications should be acknowledged immediately.

II.D.5.  Containment.  AUP violations must be contained immediately.  Unless further investigation requires unrestricted access, all other violators must be contained as soon as possible, but no later than the same business day in which the notification is received.  Service might be interrupted to violators that are not contained on the same business day.  Containment can be achieved by immediately disconnecting the user from the network, revoking user access, or other means as appropriate.  Unit IT workers may coordinate with the UFIRT to restrict access to violators that can’t be immediately disconnected or must remain connected in a restricted environment for the purpose of investigation or providing service.  UFIRT has the authority to coordinate with appropriate resources to block violators that present a danger to the rest of the network.

II.D.6.  Investigation.  If the incident involves law enforcement, secure evidence without reviewing additional content.  Network hardware, software or data may be considered evidence.  Care must be taken to preserve evidence.  A public records request, subpoena, warrant or other official request must be issued before data is released to law enforcement.  Contact OGC to review public records requests, subpoenas, and warrants before responding.  Evidence from incidents that involve an immediate threat to persons or property may be provided to law enforcement in advance of a public records request, subpoena or warrant, but OGC should be contacted if time allows.  UFIRT must be informed of incident investigation details.  Using the URL provided in the original notification, IT workers should access a web form for entering details about the incident investigation.  When saved, this form will automatically notify UFIRT and update the tracking system.  If no URL is provided, contacts must respond to the original notification, including the content of the original notification, to provide details of the investigation.  Using the investigation details provided by IT workers, UFIRT classifies incident severity.

II.D.7.  Resolution.  UFIRT must be informed of incident resolution details.  Using the URL provided in the original notification, IT workers should access a web form for entering details about the resolution.  When saved, this form will automatically notify UFIRT and update the tracking system.  If no URL is provided, contacts must respond to the original notification, including the content of the original notification, to acknowledge the resolution.  The incident classification must be entered in the ticket before the status is changed to Resolved.  Using the resolution details provided by IT workers, UFIRT classifies incident severity.

II.D.8.  Closure.  UFIRT reviews the tracking system and closes tickets as appropriate.  UFIRT has primary authority in response decisions for UF IT security incidents and coordinates incidents from discovery through resolution and closure.  UFIRT can be contacted with any questions regarding incident response.

II.E.  Incident Response Procedures for Suspicious Activity

Examples:  sweeps, scans, unusual connections, excessive bandwidth consumption

II.E.1.  Discovery.  UFIRT receives and processes discovery notifications from other sources.  UFIRT manages systems to discover suspicious activity on the UF network.  Units are responsible for deploying systems to detect suspicious activity within their unit as needed.  Units must notify UFIRT of suspicious activity discovered in their unit that has the potential to impact other units.  If one UF unit becomes aware of suspicious activity in another UF unit, the manager of the network containing the suspicious resource should be notified, and the UFIRT and the Level 2 ISM for that unit should be copied.  Network manager contact information is maintained by UF Network Services (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi).

II.E.2. Documentation.  UFIRT documents suspicious activity in a tracking system.

II.E.3.  Notification.  When suspicious activity is discovered by the UF Incident Response Team, appropriate contacts are notified.  Contacts for suspicious activity detected by UFIRT are identified using the UF Network Services subnet and domain contact resources (https://net-services.ufl.edu/ns/cgi-bin/subnet-form.cgi).  The recipient list of UFIRT notifications may be augmented as needed to include staff with appropriate knowledge and skills.  Appropriate contacts are notified and recorded in the tracking system.  The Level 2 Unit ISM will be copied on all notifications.  Follow the URL in the notification to a web form that is to be used for entering updates about the suspicious activity.  If no URL is provided, contacts must respond to the original notification, including the content of the original notification, to acknowledge receipt, containment and commencement of the investigation.

If any incident involves unauthorized disclosure or acquisition of private data, UF and Level 2 Unit ISMs must notify the UF Privacy Officer.  The Privacy Officer will direct notification to university administration, law enforcement and other parties as appropriate.  UF and Level 2 Unit ISMs must notify the UF Vice Provost for Information Technology (VPIT) of any incident that impacts mission critical service at the institutional level.  Law enforcement should be notified immediately of incidents involving a threat to persons or property.  The UF Office of General Counsel (OGC) should be consulted regarding other incidents before contacting law enforcement.  UF and applicable subsidiary Level 2 Unit ISMs must consult with the Level 2 Unit ISA and the OGC to determine if law enforcement should be notified.  When incidents involve law enforcement, contact the University Police Department (UPD) and the OGC.

IT workers do not make disciplinary decisions unless they supervise the violator.  If the incident involves a student, notify Student Judicial Affairs (SJA).  If the incident involves an employee, notify the appropriate Dean, Director or Department Head.  In all events, follow UF disciplinary procedures defined by UF Human Resources.  UF and Level 2 Unit ISMs must notify NAPA of any incident likely to draw public interest.  Individual units might have public relations contacts that must be notified of incidents likely to draw public interest; for more information consult your Level 2 Unit ISM.  UFIRT must be notified when any unit discovers an incident that poses a potential threat to other IT resources or crosses Level 2 Unit boundaries to impact other units.  The Level 2 Unit ISM must be notified regarding any incident, including suspicious activity, within their unit.

II.E.4.  Acknowledgment.   UFIRT notifications should be acknowledged immediately.

II.E.5. Containment.  Suspicious activity should be contained as appropriate until the investigation is complete or the incident is resolved.  Containment can be achieved by immediately disconnecting the resource from the network, revoking user access, or other means as appropriate.  Unit IT workers may coordinate with the UFIRT to restrict access to compromised hosts that can’t be immediately disconnected or must remain connected in a restricted environment for the purpose of investigation or providing service.  UFIRT has the authority to coordinate with Network Services to block compromised services and/or hosts that present a definitive danger to the rest of the network.  Notification will follow the procedures outlined in the Service Interruption Notification Procedures section (III.C).

II.E.6. Investigation.  Investigation includes analysis and identification.

  1. Analysis.  Suspicious activity must be assessed; the following checklists may be used:
    1. http://sans.org/resources/winsacheatsheet.pdf
    2. http://www.sans.org/score/checklists/ID_Windows.pdf
    3. http://www.sans.org/score/checklists/ID_Linux.pdf
  2. Identification.  Identify source as appropriate, including user, host or other resource.

UFIRT must be informed of investigation details.  Using the URL provided in the original notification, IT workers should access a web form for entering details about the investigation.  When saved, this form will automatically notify UFIRT and update the tracking system.  If no URL is provided, contacts must respond to the original notification, including content of the original notification, to provide details of the investigation.

II.E.7.  Resolution.  Suspicious activity must be resolved as soon as possible, preferably the day of the notification. Refer to the incident response procedures for Compromised IT Resources if the suspicious activity is found to be a compromise. UFIRT must be informed of resolution details.  Using the URL provided in the original notification, IT workers should access a web form for entering details about the resolution.  When saved, this form will automatically notify UFIRT and update the tracking system.  If no URL is provided, contacts must respond to the original notification, including content of the original notification, to acknowledge the resolution.

II.E.8.  Closure.  UFIRT reviews the tracking system and closes tickets as appropriate.  UFIRT has primary authority in response decisions for UF IT security incidents and coordinates incidents from discovery through resolution and closure.  UFIRT can be contacted with any questions regarding incident response.

III.  Additional Incident Response Standards, Procedures, and Guidelines

III.A.  Critical IT Resources Standard

A critical IT resource is vital to the function of UF or the unit. It might store sensitive data, confidential data, or data protected by law. Critical IT resources may need special consideration with respect to risk assessment, service interruption, and notification. Systems classified as critical IT resources must meet the minimum standards of a production server as defined in UF Network and Host Security Standard. Critical IT resources must have an IT Continuance of Operations Plan (ITCOP) that details risk assessment, service interruption, and notification procedures.  To be registered, critical IT resources must have IT personnel resources available 24 hours per day, 7 days per week.

III.B.  Critical IT Resource Registration Procedures

Level 2 Unit ISMs can submit a written request to register critical IT resources with the UF ISM. All submissions for classification as a critical IT resource will be reviewed by the ITAC-ISM and considered for approval by the UF ISM.  An ITCOP must be filed with the UF ISM detailing risk assessment, service interruption, and notification procedures.

III.C.  Service Interruption Notification Procedures

Level 2 Unit ISMs will be notified prior to or concurrent with a service interruption applied as the result of a security incident.  Notification attempts will be made to Level 2 Unit ISMs and/or network managers, or their designees, directly by phone, beeper, or email, in that order.  Accordingly, notification may be made by way of net-managers-l@lists.ufl.edu when multiple hosts from varied networks are affected.   An effort will be made to avoid disruption of service in cases not involving outgoing attacks.

III.D.  Incident Tracking Standard

All security incidents involving UF IT resources must be tracked.  The UF incident tracking system is intended to monitor progress toward incident resolution and to store data that can be used for incident trend analysis.  To ensure accountability and assessment, the UF ISM will provide incident trend analysis to the UF ISA every month or as needed.  The UF IT Security Team maintains an IT security incident tracking system for incidents that it processes.  UF units should implement a tracking system for incidents in their unit.  One ticket is created for each individual IP address or virtual domain name, or each GatorLink account.  An IP address might have more than one ticket open at one time for different incident types; for example, one host might have a vulnerability ticket and a compromise ticket.  Multiple tickets might also be opened for a single IP address if more than one distinct event of the same type occurs; for example, if a host is compromised by a different intruder at a different time before the first incident is resolved.  Ticket status may be changed at the discretion of the UF ISM or their designee.  Security incident tickets contain the following information, but are subject to change:

  1. Contacts:  A list of all contacts notified about the incident.  Most contacts are identified using the Network Services contact database.
  2. Unit name:  If the ticket is for a GatorLink account, then no unit name is identified.
  3. Diary:  Incident details must be recorded each time the ticket is updated.
  4. Filter: Relevant information about filters associated with an incident is tracked.
  5. Incident status
    • New: Opened, but not assigned to individual on UFIRT.
    • Assigned:  Responsibility assigned to individual on UFIRT.
    • Contained:  Threat is contained usually via some form of access restriction, but incident is not fully resolved.
    • Dormant:  Contacts did not respond to the UFIRT notification and no further activity was observed for one month.  The status of tickets with associated filters cannot be changed to Dormant.
    • Resolved:  All appropriate actions have been completed.
    • Closed:  UFIRT concurs that the incident is resolved.
    • False Positive:  Erroneous ticket.
  6. Incident severity classification (see Incident Severity Classification Guidelines below)
    • Class 3:  Any of the following.
      • Critical Data
      • Involves serious legal issues
      • Service disruption impacting institution
      • Active threat
      • Widespread
      • Public interest
    • Class 2:  Not Class 3 and any of the following.
      • Sensitive Data
      • Involves less serious legal issues or potential for legal issues
      • Service disruption impacting unit or potential for disruption impacting institution
      • Potential for threat
      • Somewhat widespread
      • Potential for public interest
    • Class 1:  Not Class 3 or Class 2.
      • Unrestricted Data
      • No legal issues
      • No potential for service disruption impacting institution
      • No threat
      • Not widespread
      • No public interest
  7. Incident type
    • Vulnerability
    • Compromise/Attack
    • DMCA violation
    • AUP violation
    • Suspicious activity
    • Other
  8. Operating systems of host
    • Windows
    • Macintosh
    • Unix
    • Unknown/Other

III.E.  Incident Severity Classification Guidelines

Incident severity classifications are described below.  Severity classifications are used for incident trend reporting.  If there is any doubt about the classification of an incident, the higher severity classification should be used.  Incident classifications may be changed at the discretion of the UF ISM or their designee.  The following criteria are evaluated to determine incident classification.

  1. Data classification
  2. Legal issues
  3. Magnitude of service disruption
  4. Threat potential
  5. Expanse
  6. Public interest

To determine the severity classification for the incident tracking system, IT workers are asked to affirm the following assertions regarding each incident in their unit.

  • There is a reasonable expectation that critical data was acquired by an unauthorized person as a result of this incident.
  • There is a reasonable expectation that sensitive data was acquired by an unauthorized person as a result of this incident.
  • There is reasonable expectation that confidential or security-related information was acquired by an unauthorized person.
  • Data protected by privacy legislation is involved.
  • Disclosure of UF intellectual property is involved.
  • This incident involves legal violation(s).
  • This incident impacts UF mission critical services.
  • There is strong potential this incident might impact UF mission critical services.
  • There is active public interest in this incident.
  • There is strong potential for active public interest in this incident.
  • Hosts involved in this incident are actively attacking other hosts.
  • There is strong potential for attack from hosts involved in this incident.
  • This incident is widespread (over 10% of unit or greater than 100 hosts campus-wide).
  • This incident is somewhat widespread (3-10% of unit or 10-100 hosts campus-wide).

Class 3:  Highest Severity

If the answer is ‘yes’ to any of the following questions regarding an incident, then it is a Class 3 incident.

  1. Data security.  Is there a reasonable expectation that critical data as defined in the UF Data Security Standard was acquired by an unauthorized person as a result of this incident?
    1. Are data protected by privacy rules or legislation involved?  For example:
      1. Non-directory student data as defined in FERPA
      2. Social Security Number
      3. Bank account, credit card, or other private financial information
      4. Florida driver's license number
      5. Any medical records or protected health information as defined in HIPAA 
      6. Limited access records as defined by UF Rule 6C1:1.019
    2. Is intellectual property involved?  For example:
      1. UF trade secrets
    3. Are other data security issues involved?  For example:
      1. Passwords, risk assessments, or other security-related data.
      2. Data restricted by legal contracts, memorandums of understanding, or other agreements.
      3. Data, if available to unauthorized users, will cause harm to an individual, a group or the institution.
  2. Legal issues.  Does this incident involve any legal violation?
    1. Threat to persons or property
    2. Theft greater than $10,000
    3. Child pornography
    4. Copyright violations
      1. Warez server
      2. Unauthorized P2P server of music, movies, or other content protected by copyright
  3. Magnitude of service disruption.  Does this incident impact UF mission critical services?
  4. Threat.  Are hosts involved in this incident actively attacking other hosts?
  5. Expanse.  Is this incident widespread (over 10% of unit or greater than 100 hosts campus-wide)?
  6. Public interest.  Is there active public interest in this incident?

Class 2:  Medium Severity

If the answer is ‘no’ to all of the Class 3 questions above, but ‘yes’ to any of the following questions, then it is a Class 2 incident.

  1. Data Security.  Is there a reasonable expectation that Sensitive data as defined in the UF Data Security Standard was acquired by an unauthorized person as a result of this incident?  For example:
    1. Infrastructure diagrams such as building and network
    2. Strategy documents
    3. Financial information
    4. Purchasing information
    5. Policies, standards, and procedures
    6. Business recovery plans
    7. System configurations
    8. Emergency response plans
    9. Emergency equipment inventories
  2. Legal issues.  Does this incident involve a legal violation?  For example:
    1. Theft less than $10,000
    2. Harassment
  3. Magnitude of service disruption.  Is it likely that this incident will impact UF mission critical services?
  4. Threat.  Is an attack likely to occur from hosts involved in this incident?
  5. Expanse.  Is this incident somewhat widespread (3-10% of unit or 10-100 hosts campus-wide)?
  6. Public interest.  Is there likely to be public interest in this incident?

Class 1:  Lowest Severity

If an incident meets the definition in the UF IT Security Incident Response Standard above and if the answer is ‘no’ to all of the Class 2 and Class 3 questions above, then it is a Class 1 incident.
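The Class 3 / Class 2 / Class 1 decision described above, written out as a small classifier.  This is an added example, not part of the UF procedures or of the UF tracking system; the IncidentFacts field names, and the reading that a doubtful answer is resolved upward by one class, are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    CLASS_1 = 1  # lowest
    CLASS_2 = 2  # medium
    CLASS_3 = 3  # highest


@dataclass
class IncidentFacts:
    """Answers to the III.E assertions for one incident; every field defaults to 'no'.
    Field names are this example's own, not the tracking system's."""
    critical_data_acquired: bool = False        # Class 3 data security question
    sensitive_data_acquired: bool = False       # Class 2 data security question
    serious_legal_violation: bool = False       # threat to persons/property, theft > $10,000, ...
    lesser_legal_violation: bool = False        # theft < $10,000, harassment
    impacts_mission_critical: bool = False
    likely_impacts_mission_critical: bool = False
    actively_attacking: bool = False
    attack_likely: bool = False
    active_public_interest: bool = False
    likely_public_interest: bool = False
    hosts_affected_in_unit: int = 0
    hosts_in_unit: int = 0                      # 0 = unit size unknown, so no percentage
    hosts_affected_campus_wide: int = 0
    classification_in_doubt: bool = False       # "if any doubt, use the higher class"


def expanse(f: IncidentFacts) -> str:
    """Expanse thresholds from III.E: over 10% of unit or more than 100 hosts campus-wide
    is widespread; 3-10% of unit or 10-100 hosts campus-wide is somewhat widespread."""
    pct = 100.0 * f.hosts_affected_in_unit / f.hosts_in_unit if f.hosts_in_unit else 0.0
    campus = f.hosts_affected_campus_wide
    if pct > 10 or campus > 100:
        return "widespread"
    if 3 <= pct <= 10 or 10 <= campus <= 100:
        return "somewhat widespread"
    return "not widespread"


def classify(f: IncidentFacts) -> tuple[Severity, list[str]]:
    """Return the severity class and the criteria that triggered it."""
    exp = expanse(f)
    class3 = {  # any 'yes' here makes it Class 3 regardless of the Class 2 answers
        "critical data acquired": f.critical_data_acquired,
        "serious legal violation": f.serious_legal_violation,
        "impacts mission critical services": f.impacts_mission_critical,
        "hosts actively attacking": f.actively_attacking,
        "widespread": exp == "widespread",
        "active public interest": f.active_public_interest,
    }
    class2 = {
        "sensitive data acquired": f.sensitive_data_acquired,
        "lesser legal violation": f.lesser_legal_violation,
        "likely to impact mission critical services": f.likely_impacts_mission_critical,
        "attack likely": f.attack_likely,
        "somewhat widespread": exp == "somewhat widespread",
        "likely public interest": f.likely_public_interest,
    }
    hits = [name for name, answer in class3.items() if answer]
    if hits:
        return Severity.CLASS_3, hits
    hits = [name for name, answer in class2.items() if answer]
    severity = Severity.CLASS_2 if hits else Severity.CLASS_1
    if f.classification_in_doubt:  # doubt is resolved upward, one class (example's reading)
        severity = Severity(severity + 1)
        hits.append("classification in doubt: escalated one class")
    return severity, hits
```

The returned list of triggering criteria is what belongs in the ticket diary, so the reason for a class can be audited when the UF ISM later changes it.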

IV.  Appendix

IV.A.  Summary of Response Procedures for Incidents Involving Law Enforcement

Examples: obscenity, stalking, threat to persons or property, child pornography, unauthorized access.

IV.A.1.  Evidence retention.  Secure evidence without reviewing additional content.  Network hardware, software or data may be considered evidence.  Care must be taken to preserve evidence.

IV.A.2.  Evidence release.  A public records request, subpoena, warrant or other official request must be issued before data is released to law enforcement.  Contact OGC to review public records requests, subpoenas, and warrants before responding.  Evidence from incidents that involve an immediate threat to persons or property may be provided to law enforcement in advance of a public records request, subpoena or warrant, but OGC should be contacted if time allows.

IV.A.3.  Notifications.  If any incident involves unauthorized disclosure or acquisition of private data, UF and Level 2 Unit ISMs must notify the UF Privacy Officer.  The privacy officer will direct notification to university administration, law enforcement and other parties as appropriate.  UF and Level 2 Unit ISMs must notify the UF Vice Provost for Information Technology (VPIT) of any incident that impacts mission critical service to the institutional level.  Law enforcement should be notified of incidents involving an immediate threat to persons or property.  OGC should be consulted regarding other incidents before contacting law enforcement.  UF and applicable subsidiary Level 2 Unit ISMs must consult with the Level 2 Unit ISA and the UF Office of General Counsel (OGC) to determine if law enforcement should be notified.  When incidents involve law enforcement, contact the University Police Department (UPD) and the OGC.  IT workers do not make disciplinary decisions unless they supervise the violator.  If the incident involves a student, notify Student Judicial Affairs (SJA).  If the incident involves an employee, notify the appropriate Dean, Director or Department Head.  In all events, follow UF disciplinary procedures defined by UF Human Resources.  UF and Level 2 Unit ISMs must notify NAPA of any incident likely to draw public interest.  Individual units might have public relations contacts that must be notified of incidents likely to draw public interest; for more information consult your Level 2 Unit ISM.  UFIRT must be notified when any unit discovers an incident that poses a potential threat to other IT resources or crosses Level 2 Unit boundaries to impact other units.  The Level 2 Unit ISM must be notified regarding any incident within their unit.

IV.B.  Summary of Incident Response for Legal Issues

Examples: defamation, civil fraud, harassment, disclosure of intellectual property or UF trade secrets.

IV.B.1.  Evidence retention.  Secure evidence without reviewing additional content. Contact the Office of the General Counsel.

IV.B.2.  Notifications.  If any incident involves unauthorized disclosure or acquisition of private data, UF and Level 2 Unit ISMs must notify the UF Privacy Officer.  The privacy officer will direct notification to university administration, law enforcement and other parties as appropriate.  UF and Level 2 Unit ISMs must notify the UF Vice Provost for Information Technology (VPIT) of any incident that impacts mission critical service to the institutional level.  IT workers do not make disciplinary decisions unless they supervise the violator.  If the incident involves a student, notify Student Judicial Affairs (SJA).  If the incident involves an employee, notify the appropriate Dean, Director or Department Head.  In all events, follow UF disciplinary procedures defined by UF Human Resources.  UF and Level 2 Unit ISMs must notify NAPA of any incident likely to draw public interest.  Individual units might have public relations contacts that must be notified of incidents likely to draw public interest; for more information consult your Level 2 Unit ISM.  UFIRT must be notified when any unit discovers an incident that poses a potential threat to other IT resources or crosses Level 2 Unit boundaries to impact other units.  The Level 2 Unit ISM must be notified regarding any incident within their unit.

IV.C.  Summary of Internal and Public Communication Notification Procedures

Upon receipt of notifications from UFIRT, units must respond as directed in the notification.  All units must notify UFIRT immediately upon discovery of security incidents in their unit that impact resources outside their Level 2 Unit boundary.  If any incident involves unauthorized disclosure or acquisition of private data, UF and Level 2 Unit ISMs must notify the UF Privacy Officer.  The privacy officer will direct notification to university administration, law enforcement and other parties as appropriate.  UF and Level 2 Unit ISMs must notify the UF Vice Provost for Information Technology (VPIT) of any incident that impacts mission critical service to the institutional level.  When evidence of a possible crime is discovered, IT workers should report it to their supervisors.  Supervisors should escalate communication through normal channels in their unit, but must contact their Level 2 Unit ISA or ISM.  The Level 2 Unit ISM must be notified regarding any incident within their unit.  Units should establish appropriate communication standards between the Level 2 Unit ISA and Level 2 Unit ISM regarding all incidents.  The UF ISM and applicable subsidiary Level 2 Unit ISMs should consult with the UF Office of General Counsel (OGC) before reporting an incident to law enforcement unless there is an immediate threat to persons or property.  UF and Level 2 Unit ISMs must consult OGC before responding to public records requests, subpoenas, warrants or other requests for assistance from law enforcement unless there is an immediate threat to persons or property.  UF and Level 2 Unit ISMs should consult OGC if there is any doubt about whether an incident should be reported to law enforcement.  Law enforcement should be notified of incidents involving:

  • Threats to persons or property
  • Damages in excess of $10,000
  • Child pornography

Other incidents should be reported to law enforcement according to the judgment of the UF ISM or the Level 2 Unit ISM.  Individual units might have public relations contacts that must be notified before responding to any inquiry from the press; for more information, consult your Level 2 Unit ISM.  UF and Level 2 Unit ISMs must consult News and Public Affairs (NAPA), who have authority over all UF public communications, before responding to any inquiry from the press.  UF and Level 2 Unit ISMs must consult NAPA regarding any incident that draws public attention or is expected to draw public attention.  Units should coordinate with the UF ISM and News and Public Affairs to create a public communication plan for any incident likely to attract public interest.  For more information on guidelines for preparing a public communication plan or responding to public inquiries, contact the UF ISM or their designee.

References

Forensics