Inside Tufts

Information Security

Guidelines for Handling a Compromise

  1. Breathe, don't panic.
  2. Ask the user whether the host holds any credit card numbers, Social Security numbers, or other sensitive data; the answer changes how the incident must be handled.
  3. Consult with Network Security, find out what was reported.
  4. Unplug the computer from the network jack, but leave it powered on: running processes, open connections and memory contents are evidence that a shutdown destroys.
  5. Before changing anything on the host, make a bit-for-bit image of the disk onto separate media and/or copy all vital data that has not been backed up; record a hash of the image so it can be verified later.
  6. Assess the intrusion using the checklists and assessment tools linked from this site.
  7. Take notes.
  8. Recover from the intrusion:
    • Virus infections can be cleaned by running the anti-virus cleanup programs.
    • For trojans, worms and rootkits, assume the system can no longer be trusted: in nearly every case you will need to reformat the hard drive, reload programs from original media, restore data from the last known good backup and change ALL passwords.
    • Disable unnecessary services.
    • Install security patches for the operating system and applications.
    • Change all passwords.
    • Take some measures to improve the security of your system. Refer to our security standards for current best practices.
  9. Email Network Engineering with a detailed list of what's been done to clean and secure the computer. Network Engineering will unrestrict the computer and run a security scan.
  10. System Administrators and FSPs are not responsible for dealing with the public or the police.
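Steps 5 through 7 (image the disk, assess, take notes) are the part of this procedure that is easy to get wrong in a hurry. The script below is an added example for those steps, not Tufts' own tooling: it images a disk or file with dd and verifies the copy by hash, appends timestamped entries to an incident notes file, and snapshots volatile state (processes, logins, listening sockets) into a directory before the host is rebuilt. It assumes a Linux/BSD-style shell with dd, date and either sha256sum or shasum; the command list in triage_snapshot is an assumed set and should be adjusted for the host's OS. Run the imaging step from a boot CD/USB or with the suspect disk attached to a clean machine, and write the image to separate media, never back onto the suspect disk.

```shell
#!/bin/sh
# Added example (not Tufts' own tooling): preserve evidence from a suspected
# compromised host before any cleanup touches the disk.
# Assumes dd, date and either sha256sum or shasum are available.

# hash_of FILE: sha256 of FILE, using whichever tool the host has.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SRC DEST: bit-for-bit copy of SRC (a block device such as
# /dev/sdb, or a file) to DEST, then verify that DEST hashes the same as SRC.
# bs=512 with conv=noerror,sync keeps going past an unreadable sector and pads
# only that sector with zeros, so offsets in the image still line up with the
# original; a larger block size is faster but pads a whole block per bad read.
# Prints both hashes for the notes and returns 0 only if they match.
image_disk() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# log_note NOTEFILE MESSAGE: append a UTC-timestamped entry, with the account
# that did the work, to the incident notes (step 7). The notes become the
# detailed list sent to Network Engineering in step 9.
log_note() {
    printf '%s %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$2" >> "$1"
}

# triage_snapshot OUTDIR: capture volatile state for the assessment (step 6)
# while the host is still up. Each command's output goes to its own file;
# commands the host does not have are listed in OUTDIR/skipped instead.
# The command set is an assumption; adjust it for the host's OS.
triage_snapshot() {
    out="$1"
    mkdir -p "$out" || return 1
    : > "$out/skipped"
    for spec in "ps aux" "who" "last -n 20" "ss -tulpn" "netstat -an" "uptime"; do
        cmd=${spec%% *}
        name=$(printf '%s' "$spec" | tr ' /' '__')
        if command -v "$cmd" >/dev/null 2>&1; then
            $spec > "$out/$name.txt" 2>&1 || true
        else
            echo "$spec" >> "$out/skipped"
        fi
    done
    ls "$out" > "$out/index.txt"
}

# Usage (runs only when a source and destination are given on the command line):
#   sh preserve.sh /dev/sdb /mnt/evidence/host42.img
if [ "$#" -ge 2 ]; then
    image_disk "$1" "$2" && log_note "$2.notes" "imaged $1 to $2"
fi
```

Imaging is done first because every later step (assessment tools, anti-virus cleanup, even reading files) writes timestamps and caches to the disk; once a verified image exists, the live system can be examined and rebuilt without losing the original evidence.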

Important guidelines for compromised systems include: