Security Incidents: What you should do
When we detect a virus or malware on L&S computers, we will take immediate action and send the affected user(s) an email asking them to take the following three steps. These measures are necessary to preserve the integrity of their data and to prevent further spread/access of the malware before we can schedule an appointment to pick up the infected computer.
- Immediately save and close any open documents and promptly shut down your computer. Please make available any USB flash drives or external hard drives that have been recently connected to the computer as we will require them as part of our security response.
- Do not access, move, or copy any files or programs before an L&S IT employee can look at your computer in order to preserve forensic information used to determine the impact of the intrusion.
- Please provide your availability or the availability of the computer’s location for retrieval of the computer for our forensics and security rebuild procedure along with a list of the computer’s primary users.
When we arrive to retrieve your computer, a technician can safely copy specific documents that are needed to a location of your choosing. In the event you do not have access to another computer, we can provide a loaner laptop.
Ensure your ePanther account password has been changed. Malicious software is often used to steal passwords. Do not change your password on the compromised computer.
Security Incidents: What we will do
For all security incidents, our office will undertake the following procedures as endorsed by UWM’s Office of Security Administration:
- Collect a forensic snapshot of your computer, which includes system logs and timestamps for all files on the computer. This data is crucial in determining how the computer was compromised and to determine if any sensitive data was accessed by a third party.
- Take a comprehensive backup of all data stored on the computer. Preservation of your data is our top priority.
- Identify sensitive data (e.g., social security numbers and credit card numbers) and analyze the potential security breach.
- Rebuild the computer to ensure complete removal of all malware.
- Installation of the latest Windows 7 image
- Restoration of backed up data
- Reinstallation of university provided/funded software
- At the deployment of your computer we will go through our verification process with you to ensure your computer is set up with all of your existing resources and settings.
- Remain vigilant in e-mail use, exercising extreme caution in the opening of e-mail attachments. Hackers are increasingly resorting to sophisticated “social engineering” tactics to convince victims of the legitimacy of their e-mail messages:
- “spoofing” the address of the e-mail sender — to make the message appear to have been sent from a legitimate e-mail account;
- using logos in e-mail messages — to enhance their apparent authenticity;
- using text borrowed from earlier, legitimate e-mail messages — also to enhance the apparent authenticity of their bogus e-mail messages; and
- targeting particular e-mail lists of high-value targets — e.g., a UWM database query-writers list was specifically targeted, presumably with the hacker’s understanding that the subscribers to that list routinely accessed sensitive/confidential data.
- Back up all critical data. Data can be saved to pantherFile, external drives (USB memory keys, hard drives, etc.), or network-based storage, if available to the particular user.
- Respond promptly, as directed, to any notices from the College’s “Identity Finder” service. For more information on the function and use of Identity Finder in L&S, please view the 1-page Identity Finder Handout or the comprehensive Identity Finder Guide.
- Be mindful of any “virus alert” notices from the College’s “IT@L&S” e-newsletter
- Be mindful of UWM’s Guidelines, Policies & Standards related to IT Security (including FERPA, HIPAA, PCI standards, etc.).
- In the event of suspected virus infection, immediately turn off your computer and immediately contact LSITO, through: the 4040 helpline, firstname.lastname@example.org, or, for the most rapid response, our Request Support web form (accessed from another, non-infected computer).
Security Best Practices
LSITO recommends these general practices to enhance the security of L&S computers and their data: