Computer Security Incident FAQs
Security Breach Procedures
What do I do if I suspect my system is compromised?
1. Disconnect it from the network. Unplug the Ethernet cable from the wall jack, or, if the machine uses wireless, disable the wireless adapter or physically remove it. This cuts off the attacker's remote control of the system, preventing further damage to it and stopping it from being used to attack other systems.
Note: Do NOT turn off, reboot or attempt to repair the computer until it has been determined whether high-risk PNPI was at risk. Processes the attacker started may not survive a reboot, which destroys evidence and makes the problem harder to assess and fix, while dormant programs the attacker left on the machine may be launched at startup. Leave the computer powered on and disconnected from the network unless instructed otherwise.
2. Determine whether unencrypted high-risk personal non-public information (PNPI; e.g., Social Security or credit card numbers) is stored on, or accessible from (e.g., via a networked drive), the system.
3. Preserve system logs and other data that might be useful in tracking the source and nature of the intrusion. Log information on the compromised machine may provide clues to the nature, extent and source of the attack, and preserved logs and related data help UD IT Security determine whether personal information was actually taken during the breach. If the attack is widespread, well-preserved system data can also help trace the breach back to its source for a possible legal investigation.
4. Send email to firstname.lastname@example.org. State whether high-risk PNPI is contained on the system, along with the machine's location, IP address, symptoms, a chronology of events, a contact person and any other information relating to the suspected event. If PNPI is present, you are required to preserve all information related to the breach: nothing is to be removed or altered in a way that would make it impossible to know whose Social Security or credit card numbers, or other high-risk personal information, might have been taken (this includes data files, system logs and other data useful in investigating the extent of PNPI stolen during the breach). The case will be referred to IT User Services to conduct an assessment of the incident and determine whether PNPI was likely viewed and/or taken as a result of the security breach. See University Policy 1-22, Personal Non-Public Information Policy, for more information.
5. Await follow-up from your CITA or IT User Services. You will receive a response from UD IT Security with further instructions and inquiries regarding your case.
6. Your port will be re-enabled after the PNPI assessment is complete and your system has been cleaned.
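As an added example (not part of the original FAQ and not a UD IT tool), the following Python script supports steps 2 and 3 above: it copies every file under a directory into an evidence folder and records SHA-256 hashes in a manifest, then scans for Social Security and credit card number patterns, validating card candidates with the Luhn checksum and discarding SSN candidates the SSA never issues so that phone numbers, ZIP+4 codes and order numbers are not reported. The file names and records in SAMPLE_FILES are constructed test data. In practice the script would be run from removable media against the disconnected machine, with the evidence folder written to that media rather than to the suspect disk.

```python
"""Triage helper for steps 2 and 3: preserve files (copy + SHA-256 manifest),
then scan them for unencrypted PNPI (SSNs and payment card numbers).

Added example, not part of the original FAQ. SAMPLE_FILES is constructed
test data; no real personal information is involved."""
import hashlib
import os
import re
import shutil
import tempfile

# Candidate SSNs: 3-2-4 digits with a consistent separator ('-', ' ' or none).
# The backreference keeps a ZIP+4 such as 19716-1234 from being read as 197-16-1234.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
# Candidate card numbers: 13 to 19 digits, optionally grouped by ' ' or '-'.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

SAMPLE_FILES = {  # constructed test data
    "finance/customers.csv": "name,ssn,card\nA. Student,123-45-6789,4111 1111 1111 1111\n",
    "notes.txt": "Call 302-831-1234 re: order 1234567890123, ZIP 19716-1234. "
                 "Test SSN 987-65-4321.\n",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; it weeds out order IDs,
    phone numbers and other long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def find_pnpi(text: str) -> list:
    """Return (kind, masked_value) pairs. Only the last four digits are kept,
    so the scan report does not itself become another copy of the PNPI."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _, group, serial = m.groups()
        if ssn_plausible(area, group, serial):
            hits.append(("ssn", "***-**-" + serial))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def preserve(root: str, evidence_dir: str) -> dict:
    """Step 3: copy every file under root into evidence_dir (timestamps kept)
    and return {relative path: sha256}; the manifest lets a later reviewer
    prove the preserved data was not altered."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, root)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            with open(src, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    with open(os.path.join(evidence_dir, "MANIFEST.sha256"), "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    return manifest


def scan(root: str) -> dict:
    """Step 2: map each file with findings to its (kind, masked) hits. Files are
    opened read-only; undecodable bytes are skipped so binaries do not abort the scan."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                hits = find_pnpi(f.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree(root: str) -> None:
    """Write the constructed SAMPLE_FILES under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def run_demo() -> tuple:
    """Build the sample tree in a temp dir, preserve it first, then scan it."""
    work = tempfile.mkdtemp()
    suspect, evidence = os.path.join(work, "suspect"), os.path.join(work, "evidence")
    build_sample_tree(suspect)
    manifest = preserve(suspect, evidence)   # preserve before anything else touches the files
    report = scan(suspect)
    return report, manifest


if __name__ == "__main__":
    demo_report, demo_manifest = run_demo()
    for rel, hits in demo_report.items():
        print(rel, hits)
    print(len(demo_manifest), "files hashed")
```

Only finance/customers.csv is reported: the SSN and the card in it pass the checks, while the phone number, order number, ZIP+4 and the 9xx-area SSN in notes.txt are all rejected even though they match the raw digit patterns.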