Technology Guidelines



Reporting Security Incidents

Version: 1.0

Status: Approved: March 1, 2005
Contact: Jason Richards

Last Update: 05/05/08


PURPOSE

The purpose of these guidelines is to provide the colleges of the Virginia Community College System with guidance for complying with the Commonwealth’s legislative directive, which requires executive branch agencies to report selected security incidents to VITA.


SCOPE


This guideline establishes the steps that must be followed in identifying and reporting security incidents to the VCCS Information Technology Services Office.



APPLICABILITY

This guideline is applicable to the System Office, Featherstone Professional Center, Greenfield Education and Training Center, Northern Virginia Community College ITS Work Center, and the twenty-three community colleges, including all off-campus locations.


DEFINITION

The Code of Virginia 2.2-603.G, listed below, describes the reporting requirements agencies must follow.

2.2-603 Authority of agency directors.

G. (Effective January 1, 2005) The director of every department in the executive branch of state government shall report to the Chief Information Officer as described in 2.2-2005, all known incidents that threaten the security of the Commonwealth’s databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the Commonwealth’s information technology systems with the potential to cause major disruption to normal agency activities. Such reports shall be made to the Chief Information Officer within 24 hours from when the department discovered or should have discovered their occurrence.


GUIDELINE

The VCCS Information Technology Services Office at the System Office will coordinate security incident reporting for the community college system. Currently, all security-related incidents originating from the VCCS network address range (164.106.0.0) and directed at other networks are reported to Abuse@vccs.edu. These incidents are reviewed by the VCCS ITS Network staff and then forwarded to the reported college’s Information Technology staff for review, action and final resolution.

For reporting purposes, and to comply with the Commonwealth’s Legislative Directive, all colleges must follow the procedure outlined above for reporting security-related incidents that target the (164.106.0.0) network. Incidents should be reported by sending an email to Abuse@vccs.edu or by opening an Issue Trak ticket assigned to Network/Abuse. The following information should be included when reporting an incident:

  1. Date/time of incident

  2. Incident description

  3. Impact of incident

  4. Severity of attack (e.g. high, medium, low, unknown)

  5. Sensitivity of data (e.g. high, medium, low, unknown)

  6. Steps taken to respond to the attack

  7. Who else has been notified

If the Issue Trak application is not available, please call Client Services at 804.423.6757 and request that a ticket be opened with the appropriate information provided.

The following section covers VITA’s Guidance on Reporting Incidents and should be followed in reporting all security incidents to this office. If you have any questions, please feel free to contact Jason Richards via email at jrichards@vccs.edu, or by phone at 804-819-4993.


VITA’s Guidance on reporting incidents

The purpose of this section is to provide information that may be helpful in incident reporting. Incidents will happen, and the ability to quickly identify them and act in a coordinated manner can lessen their impact. The incident reporting form is an important first step in handling incidents through a coordinated response.


Definitions

Incident:

An incident is an adverse event in an information system, network, and/or workstation, or the threat of the occurrence of such an event.

Event:

An event is any observable occurrence in a system, network, and/or workstation. Although natural disasters and other non-security-related disasters (e.g., power outages) are also called events, these reporting requirements cover IS security-related events only. Events often indicate that an incident is happening.

What to Report

An "information security incident" should be reported if:

  1. it was intentional and successful, AND

  2. it resulted in either:

     a. exposure of legally protected data in Commonwealth databases, such as financial information protected by GLBA or health information protected by HIPAA;

     OR

     b. major disruption to normal agency activities carried out via Commonwealth data communications, such as network unavailability for all or significant portions of an agency due to a denial of service (DoS) attack.

You should report events that have a real impact on your organization. A security incident includes, but is not limited to, the following events, regardless of platform or computer environment:

  1. Damage is done

  2. Access is achieved by the intruder

  3. Loss occurs

  4. Web pages are defaced

  5. Malicious code is implanted

  6. You detect something noteworthy or unusual (new traffic pattern, new type of malicious code, specific IP as source of persistent attacks)

  7. Evidence of tampering with data

  8. Denial of service attack on the agency

  9. Other incidents that could undermine confidence and trust in the Commonwealth’s information technology systems

  10. Unauthorized access or repeated attempts at unauthorized access (from either internal or external sources)

  11. Threat or harassment via electronic medium (internal or external)

  12. Virus attacks which adversely affect servers or multiple workstations

Do not report routine probes, port scans, or other common events.


Clues for determining a security incident

The following are clues that a security incident may be in progress or may have already occurred. These indicators can have legitimate explanations and can be part of day-to-day operations. The key to determining whether a suspected event is legitimate or is actually a security incident is recognizing when things happen without an explanation, or contrary to your policies and procedures. The key word when using these indicators is "UNEXPLAINED."

  1. Unsuccessful logon attempts

  2. Accounting/system/network logs discrepancies that are suspicious (e.g., gaps/erasures in the accounting log in which no entries whatsoever appear; user obtains root access without going through the normal sequence necessary to obtain this access)

  3. "Door knob rattling" (e.g., use of attack scanners, remote requests for information about systems and/or users, or social engineering attempts)

  4. New user accounts not created by system administrators

  5. New files or unfamiliar file names

  6. Modifications to file lengths or dates (especially in system executable files)

  7. Attempts to write to system files or changes in system files

  8. Modification or deletion of data

  9. Changes in file permissions

  10. Logins into dormant accounts (one of the best SINGLE indicators)

  11. A system alarm or similar indication from an intrusion detection tool

  12. Denial of Service (DoS) or Distributed Denial of Service (DDoS) (e.g. inability of one or more users to log in to an account; inability of customers to obtain information or services via the system)

  13. System crashes

  14. Abnormally slow or poor system performance

  15. Unauthorized operation of a program or sniffer device to capture network traffic (e.g., presence of cracking utilities)

  16. Unusual time of usage (remember, more security incidents occur during non-working hours than any other time)

  17. Unusual usage patterns (e.g., programs are being compiled in the account of a user who does not know how to program; use of commands/functions not normally associated with user's job)

  18. Physical theft and intrusion (e.g., theft of laptop computer with critical information)
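To make the "UNEXPLAINED" test concrete for the log-based indicators above (items 1, 4, 10 and 16), here is an added example that is not part of the VITA guidance or of any VCCS tool. It runs simple indicator checks over constructed sample authentication log lines. The log format, the failed-logon threshold, the business-hours window, and the dormant/administrator account sets are all assumptions; the output is a list of candidate findings for a person to explain or escalate, not an incident determination.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth log (syslog-style, assumed format; not real data).
SAMPLE_LOG = """\
2008-05-05 09:02:11 host1 sshd: Failed password for bob from 198.51.100.7
2008-05-05 09:02:13 host1 sshd: Failed password for bob from 198.51.100.7
2008-05-05 09:02:15 host1 sshd: Failed password for root from 198.51.100.7
2008-05-05 09:02:17 host1 sshd: Failed password for admin from 198.51.100.7
2008-05-05 09:02:19 host1 sshd: Failed password for bob from 198.51.100.7
2008-05-05 10:15:40 host1 sshd: Accepted password for alice from 192.0.2.10
2008-05-05 23:41:02 host1 sshd: Accepted password for jdoe_old from 198.51.100.7
2008-05-05 23:42:30 host1 useradd: new user: name=svc_tmp, by=jdoe_old
2008-05-05 14:05:00 host1 useradd: new user: name=newhire, by=sysadmin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$"
)
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")
USERADD_RE = re.compile(r"^new user: name=(?P<user>\S+), by=(?P<actor>\S+)$")

# Assumed tuning values: a site would set these from its own policy.
FAILED_LOGON_THRESHOLD = 4          # indicator 1: failed logons from one source
BUSINESS_HOURS = range(7, 19)       # indicator 16: 07:00-18:59 counts as "working hours"


def parse_line(line):
    """Split one log line into timestamp, host, program and message; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_indicators(lines, dormant_accounts, admin_accounts):
    """Return (indicator, detail) pairs for the indicators this example covers.

    dormant_accounts: accounts with no recent legitimate use (indicator 10).
    admin_accounts:   actors who are allowed to create accounts (indicator 4).
    """
    findings = []
    failed_by_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prog"] == "sshd":
            a = AUTH_RE.match(rec["msg"])
            if not a:
                continue
            user, src = a["user"], a["src"]
            if a["result"] == "Failed":
                failed_by_src[src] += 1
                # Report once, when the source first crosses the threshold.
                if failed_by_src[src] == FAILED_LOGON_THRESHOLD:
                    findings.append(("unsuccessful_logon_attempts",
                                     f"{src}: {FAILED_LOGON_THRESHOLD}+ failed logons"))
            else:
                if user in dormant_accounts:
                    findings.append(("dormant_account_login", f"{user} from {src}"))
                if rec["ts"].hour not in BUSINESS_HOURS:
                    findings.append(("unusual_time_of_usage",
                                     f"{user} at {rec['ts']:%H:%M}"))
        elif rec["prog"] == "useradd":
            u = USERADD_RE.match(rec["msg"])
            if u and u["actor"] not in admin_accounts:
                findings.append(("new_account_not_by_admin",
                                 f"{u['user']} created by {u['actor']}"))
    return findings


if __name__ == "__main__":
    # Assumed account sets for the constructed log.
    for indicator, detail in find_indicators(SAMPLE_LOG.splitlines(),
                                             dormant_accounts={"jdoe_old"},
                                             admin_accounts={"sysadmin"}):
        print(f"{indicator:28s} {detail}")
```

Each finding is a prompt for a question, not an answer: a burst of failed logons at 09:02 may be a mistyped password, but a dormant account accepting a login at 23:41 from the same source that was failing earlier, followed by that account creating a new user, is the kind of chain that has no routine explanation and belongs on the reporting form.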

Adverse Event Categories (Note: these are not necessarily mutually exclusive.)

1. Malicious Code Attacks.

   Attacks by programs typically written to conceal their own presence, and therefore often difficult to detect. These include:

   1. Viruses

   2. Trojan horse programs

   3. Worms

   4. Scripts used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs.

2. Unauthorized Access.

   A large range of incidents, including:

   1. an unauthorized person logging into a legitimate user's account

   2. unauthorized access to files and directories (by capturing superuser privileges)

   3. a sniffer program used to capture packets

3. Unauthorized Use.

   Access to a user's account is not strictly necessary to perpetrate an attack. Unauthorized use includes:

   1. using the Network File System (NFS) to mount the file system of a remote server machine

   2. using the VMS file access listener to transfer files without authorization

   3. using inter-domain access mechanisms in Windows NT to access files and directories in another organization's domain

4. Disruptions or Denial of Service.

   Disruptions to network and computing services. These include:

   1. erasing a critical program

   2. spamming (flooding accounts with email)

   3. altering system functionality (e.g., by installing a Trojan horse)

5. Misuse.

   Misuse can be intentional or unintentional. Misuse incidents and the response to them are based on the agency's risk assessment and defined by agency policy. These include:

   1. use of a computing system for other than official purposes

   2. changes made to system hardware, firmware, or software characteristics without the agency's knowledge, instruction, or consent.

Computer Incident Reporting Form

Download and use this form to report security incidents. If additional information is required, please attach a Word document.
