Reporting Suspected Sensitive Data Exposures

Time is critical

Immediately containing and limiting the exposure is the first priority. In certain situations, we must notify the Indiana Attorney General within two business days of becoming aware of the incident. Also, individuals affected by such incidents expect expeditious notification so that they can monitor their accounts. The most common complaints after an incident are about how long it took the organization to contain the exposure and to send notifications. At Indiana University, our goal is to notify the individuals affected within one week of our becoming aware of the possible exposure.

Important notice about IT related incidents

If you suspect that a machine may be compromised and you know that it stores or processes sensitive data, please step away from the computer and do not use the system. That means that you should not do a network scan of the system, run antivirus software, patch the system, reboot, unplug any cables, nor power off the system. Two reasons are:

  • Your actions may inadvertently trample over important evidence, including the modify, access, and create times of files that the attacker viewed or touched.
  • Your actions may tip off the attacker that you are aware the machine is compromised. He or she may then take action to remove evidence or delete files.

As soon as the incident is suspected

In the event of a possible security incident concerning sensitive institutional or personal data, report the incident as follows:

  1. STEP AWAY from the computer
    • DO NOT touch it, or take any other action until advised by the Information Policy & Security Offices.
    • DO NOT attempt to login, or alter the compromised system.
    • DO NOT power it off.
    These actions will delete forensic evidence that may be critical to your incident.
  2. IMMEDIATELY CALL, no matter the time of day or night, weekday, weekend, or holiday, until you reach a human. Try in this order:
    1. UISO directly at 812-855-UISO (8476) (business hours)
    2. UITS Support Center at 812-855-6789 (24x7)
    3. UITS Network Operations Center at 812-855-3699 (24x7)

    When you reach the Support Center or the Network Operations Center, ask staff to PAGE the University Information Security Office (UISO). A representative from UISO will then call you back.

    Please ALSO REPORT the incident yourself, using one of two methods:

    Please DO NOT simply leave voicemail or send e-mail - please ensure you reach a human, because it is CRITICAL that we begin response procedures immediately.

  3. DO NOT discuss the incident with any other parties until you are authorized. This is critical to ensure that only accurate information is disseminated, rather than suppositions or guesses as to what happened.
  4. Begin writing a detailed description to be shared with the Incident Team: what made you suspect the incident, what you know happened thus far, information on the machine and the data affected, and what actions have been taken so far.
  5. For production services such as web sites or applications, plan the remedial action that will restore service and decide when it will be taken. Consider bringing up a new machine to host the site or posting a "down for maintenance" banner.

    NOTE: Take caution when restoring service from a backup, especially if you are uncertain when the compromise occurred. It is possible to restore a backup snapshot that was taken after the compromise and therefore already contains it.
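The backup caveat above, expressed as a small check (an added example, not part of IU's own procedure): pick the newest snapshot that predates the earliest suspected compromise by a safety margin, and refuse to pick anything when the compromise time is unknown. The snapshot names, timestamps and the 24-hour margin are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime  # when the backup was captured (constructed, treated as UTC)


def choose_restore_point(snapshots: Iterable[Snapshot],
                         suspected_compromise: Optional[datetime],
                         margin: timedelta = timedelta(hours=24)) -> Optional[Snapshot]:
    """Return the newest snapshot taken safely before the suspected compromise.

    Returns None when no snapshot can be trusted: either the compromise time is
    unknown (so no snapshot can be declared clean) or every snapshot falls after
    the cutoff. In both cases the caller should rebuild from clean media instead.
    """
    if suspected_compromise is None:
        return None
    # The margin absorbs uncertainty in the "earliest indicator" estimate;
    # an attacker may have been present before the first sign you noticed.
    cutoff = suspected_compromise - margin
    safe = [s for s in snapshots if s.taken_at < cutoff]
    if not safe:
        return None
    return max(safe, key=lambda s: s.taken_at)


# Constructed sample snapshots (not from the page).
SNAPSHOTS = [
    Snapshot("nightly-2024-03-01", datetime(2024, 3, 1, 2, 0)),
    Snapshot("nightly-2024-03-03", datetime(2024, 3, 3, 2, 0)),
    Snapshot("nightly-2024-03-05", datetime(2024, 3, 5, 2, 0)),
]

if __name__ == "__main__":
    pick = choose_restore_point(SNAPSHOTS, datetime(2024, 3, 4, 12, 0))
    print("restore from:", pick.name if pick else "no trusted snapshot; rebuild")
```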

Investigation and Coordination

The UIPO and UISO are charged with the investigation and coordination of incidents where the loss, corruption, inappropriate disclosure, or exposure of information assets is suspected. When the UIPO and/or UISO are notified, an Incident Team will be assembled to advise and assist in containing and limiting the exposure, in investigating the incident, in obtaining the appropriate approvals, and in handling notification to the affected individuals and agencies.

The organizational unit experiencing the incident is fully responsible for allocating the resources needed to lead and achieve an appropriate and timely resolution of the incident. The unit experiencing the incident "owns" the response to the incident. The UIPO and UISO will provide oversight and guidance to the process to ensure a consistent, efficient and thorough response, and to ensure that all necessary approvals are received.

For more information on information security incident management at IU, see: Information Security Incident Management.

Collecting information about IT related incidents

If you find yourself involved in an incident involving IT systems, collecting the following information (if possible, and without using the system) will be helpful in the ensuing investigation:

  • IP address(es)
  • Hostname(s)
  • Operating system & version
  • Manufacturer, model, & serial number
  • Usernames of users and system administrators of the machine
  • Approx. date/time of compromise, if known
  • List of software installed
  • Attack vector (if you know/suspect a particular program/service)

The UISO has experienced and certified forensic engineers on staff in the event that an in-depth investigation is necessary. The time required to conduct an investigation will vary greatly from one incident to another; no two incidents are alike. Accurately collecting all necessary information is essential to a forensic investigation, and must remain a higher priority than returning equipment within a designated time frame. While a two-week minimum is usually reasonable, please understand that it is only an estimate.
