Duke University Campus Security Incident Procedure

Background

In scanning the network, monitoring the Intrusion Detection System and addressing mail to abuse@duke.edu and security@duke.edu, the IT Security Office often becomes aware of a computer on campus that is either compromised or vulnerable to a known exploit. In such cases, Duke is obligated to remove the threat in order to protect other computers both on and off of campus.

For the purposes of this document, a computer is considered to be "compromised" if it is executing commands or programs at the direction of an unauthorized individual or agent (a hacker). A "vulnerable" computer is one that will allow an unauthorized individual or agent to run programs on the computer.

Assessment

When the IT Security Office is made aware of a machine that has either been compromised or is vulnerable to compromise, the first step will be the classification of the incident. Such incidents can be broadly categorized as follows:

Category 1) Compromised computer actively causing problems for other computer or network users, or a computer which is transferring confidential information at the direction of an unauthorized user or agent

Category 2) Compromised computer that is not actively causing problems (i.e. a compromised computer not in Category 1)

Category 3) Computer believed to be vulnerable to a known exploit

It should be noted that these classifications are fairly broad and some degree of subjective judgment is called for in making determinations.

Notification

After determining the nature of the incident, the IT Security Office will contact the system administrator(s) responsible for the computer. To ensure proper notification, the IT Security Office will maintain a system administrator accessible web page (location to be announced) containing the current contact information used for a given department, subnet or subdomain.

Response

For incidents in Category 1, a compromised computer actively causing problems, it is expected that the administrator for the machine will take it off the network immediately.

For incidents in Category 2, it is assumed that the compromised computer will become the top priority for the administrator and that the machine will be taken offline and addressed as soon as possible. If there is a need for the machine to remain online after the notification, the administrator will respond to the Security Office giving an outline of what steps are currently being taken and how soon the machine will be repaired; in no case should this be longer than one week. If the compromised computer begins to cause problems, it will become a Category 1 incident and will be treated as such.

For incidents in Category 3, a computer believed to be vulnerable to a known exploit, handling the incident will be at the system administrator's discretion. If the machine is later compromised, then the machine will fall into one of the two incident categories above.

Failure to Respond or Repair

In the event that the notification of a Category 1 or Category 2 security incident receives no response, the IT Security Office will have the machine removed from the network.

For Category 1 incidents, the IT Security Office may have the machine removed from the network within 15 minutes if there is no response.

For Category 2 incidents, a failure to respond will generate a second notification in 3 business days. If this second notification is not responded to in 2 business days, the machine may be removed from the network. Computers which remain compromised after 5 days from the date of the first notification are also subject to removal from the network. If during that time, the incident moves to a Category 1 incident, the machine may be pulled from the network immediately.

At the discretion of the Security Office, machines involved in Category 1 incidents may be left online for a longer period of time depending on the severity of the network abuse that is observed and the criticality of the computer involved. In no case shall this be longer than 5 days.

Post-Incident

After a Category 1 or Category 2 incident, system administrators are encouraged to share details of the event with the rest of the system administrator community. To facilitate the information sharing, the IT Security Office will maintain a web page (location to be announced) that will allow system administrators to anonymously post details of the incident online. These postings will generate a notice to the CLAC mailing list which will include summary information about the new incident.

Revisions

To adjust to the changing security environment, the procedure above is subject to revision. Before any such changes take effect, a request for comments will be made to the relevant information technology groups (CLAC, ITAC, etc.). The current version of the procedure will always be posted on the IT Security Office's website (http://www.security.duke.edu/incident-procedure.html).