Carnegie Mellon University

Procedure for Responding to a Compromised Computer

Purpose

The purpose of this Procedure is to provide step-by-step instructions for responding to an actual or suspected compromise of Carnegie Mellon's computing resources.

Applies To

This Procedure applies to anyone using Carnegie Mellon University's computing resources who suspects that the security or privacy of these resources has been compromised. This Procedure also applies to situations where there has been no compromise but someone suspects their computing resources are actively being attacked. This Procedure does not apply to computing resources owned by students.

Definitions

All terms and definitions in this document can be located in the Information Security Office Glossary.

Regulatory Requirements

Carnegie Mellon University is required by various state and federal regulations to investigate any incident that may involve the breach of personally identifiable information. Carnegie Mellon University is also required to notify an individual if the privacy of their personally identifiable information has been breached. Failure to preserve evidence or to conduct an investigation related to a compromised computer could result in unnecessary financial costs for the institution. It is also important that the details of a compromise and the ensuing investigation remain confidential. All communications related to a compromise should be coordinated with the Information Security Office and the Office of General Counsel. Any contact with law enforcement should be immediately referred to or authorized by the Office of General Counsel.

Procedure

The following steps should be taken to respond to an actual or suspected compromised computer:

  1. Does the computer have CrowdStrike installed?

If the computer has CrowdStrike installed (review the instructions at https://www.cmu.edu/computing/services/security/secure/install/index.html#verify), you may skip Step 2 – Disconnect the computer from the network. You still need to make sure not to run commands on the computer (see below).

  2. Disconnect the computer from the network

Disconnecting the computer from the local network prevents a potentially untrusted source from taking further actions on the compromised computer. This also prevents any further leakage of Non-public information if that is a potential concern. Shutting down the computer would also have this effect but could destroy evidence that is essential to investigating the compromise. Similarly, rebuilding the computer would destroy all evidence pertinent to an investigation.

It is important that NO further commands or actions be taken on the related Information System. Doing so may destroy relevant forensic data and impede ISO investigations.

Do not:

  • Scan the system with antivirus software
  • Attempt to clean off any malicious software
  • Attempt to clear the mail system
  • Attempt to retract an email message that contained confidential information
  • Run a backup

  3. Contact the Information Security Office

As soon as an individual suspects that a computer has been compromised, they should contact the Information Security Office immediately by phone, prior to taking any additional action. The Information Security Office can be contacted at 412-268-2044 or by email at iso-ir@andrew.cmu.edu. In the event that the Information Security Office is unavailable to take your call, emergency contact information will be provided in the pre-recorded answering system.

The Information Security Office will conduct a preliminary investigation prior to determining the best course of action for the Compromised Computer. While waiting for further instructions, do not share any details related to the compromise unless absolutely necessary. Additionally, do not attempt to contact law enforcement officials. Such communication must be coordinated with the Information Security Office and the Office of General Counsel due to the potential legal implications of a compromised computer.

  4. Notify users of the computer, if any, of a temporary service interruption

If the compromised computer provides some type of service, it is likely that users of this service will be impacted by the interruption brought on by disconnecting the computer from the network. These users should be notified in some manner of the interruption. Options for notification may include an email to the user base or posting a notice to a frequently visited web site. As stated previously, the details of a compromise and the ensuing investigation should be kept confidential. Therefore, the notification of service interruption should not indicate that there has been a compromise.

Revision History

Version | Published  | Author                           | Description
1.0     | 04/11/2006 | Stephanie Cavicchi, John Lerchey | Original publication
1.1     | 05/11/2006 | Stephanie Cavicchi, John Lerchey | Minor edits for clarification.
1.2     | 09/04/2007 | Doug Markiewicz                  | Relabeled document as a procedure instead of a guideline.
2.0     | 04/18/2008 | Doug Markiewicz                  | Reformatted to fit new procedure template and largely rewritten to provide greater clarity. Contact information has also been updated. No significant changes to the actual process have been made.
2.1     | 05/18/2011 | Doug Markiewicz                  | Updated Definitions, Additional Information and contact information in step 2 of the procedure.
2.2     | 02/17/2021 | Joseph Magliocca                 | Updated text to include "University" after "Carnegie Mellon" as instructed by Carnegie Mellon University's new marketing and branding guidelines. Moved "Additional Information" and "Resources" to the sidebar.
2.3     | 06/09/2021 | Joseph Magliocca                 | Removed definitions and linked to the ISO Glossary page. Added information on what "not" to do when dealing with a computer compromise in order to preserve all pertinent data for forensics.
2.4     | 11/10/2023 | John Lerchey                     | Updated instructions to reflect CrowdStrike deployment.

Status: Published
Published: 04/11/2006
Last Updated: 06/09/2021
Last Reviewed: 06/09/2021