Reaching Others University at Buffalo - The State University of New York

Compromised Machines & Forensic Processing

The Information Security Office (ISO) at UB has developed the Forensics for Compliance program to comply with federal and state regulations involving University data. Adhering to the process and following all documented steps will assure UB's compliance with all data security regulations.

The Forensics Program

The program involves performing computer forensics on hosts that potentially contain regulated private data (social security numbers, driver's license or other identification numbers, financial account numbers) and have become compromised through infection or other means. In the event that it is determined that regulated private data has been copied without authorization, UB is required to report it.

When a computer becomes compromised, if it’s known or believed that the computer may have been used to handle regulated private data, the Information Security Office (ISO) will obtain the machine (or its drive(s)) and extract an image of the contents of its hard drive(s). This process requires up to three days to complete, depending upon the size of the drive. The machine or drive is then returned to the department. The ISO will then analyze the copy of the contents and determine if regulated private data are present on it, the manner in which the machine was compromised, and the intent of the compromise. The ISO will then advise the CIO on whether or not we reasonably believe that regulated private data was improperly copied. The CIO, in cooperation with University Counsel, will make the decision on whether to report the breach to NYS. Communicating with the public and the press about the breach will be managed by the Office of the AVP for University Communications.

Since a breach of regulated private information is a serious matter, and carries significant penalties, UB has invested in training and tools to enable us to assess the likelihood of unauthorized access. In order for the CIO to have the best information available when making the decision to report, it's important that a rigorously defined process be followed in every instance. 

The steps in the following diagram should be followed to determine whether or not the Information Security Office should be involved when a host is compromised. If there is any doubt, contact the Information Security Office.

Forensic Program Steps

Forensic Process Chart

Private Regulated Data Reporting Requirements

Regulated private data is defined in NYS General Business Law 899-aa as "private information" and includes social security numbers, driver's license numbers or non-driver identification card numbers, and account numbers that permit access to an individual's financial account. The law requires that we report when this information has been downloaded or copied without authorization, or when we reasonably believe that it has been.

Reporting consists of notifying all affected individuals (in writing), the consumer credit reporting agencies (if the breach involves more than 5000 people), the Attorney General's office, the NYS Department of State's Division of Consumer Protection and the NYS Office of Cyber Security & Critical Infrastructure Coordination. Industry reports estimate that the cost of the associated public relations campaign, inquiries, and audits can average around $200 per individual affected. By law, failure to report can carry a $10 penalty per individual affected (up to $150,000), in addition to any damages awarded to those individuals by the court. 

Forensics Tools

Identity Finder

Identity Finder is a site-licensed tool available for the proactive identification of regulated private data. By using this tool, you can discover which of your machines contain regulated data and then take steps to remove it or properly secure it.

Important:

Identity Finder is meant to be used prior to indications of infection to detect regulated private data.  Please do not use Identity Finder to look for regulated private data once a machine is deemed compromised or potentially compromised.

Identity Finder is the software licensed by the University at Buffalo for the purpose of detecting private regulated data on a host that IT support staff can use to provide information about a compromised computer. IT Support staff, read about installing and using the application.

Training for Handling Data Safely

There is a short 12-minute video available in UBlearns (Handling Data Safely Unit 2: Regulated Private Data) that is intended to raise awareness of the issues surrounding regulated private data. Anyone with a UBITName can self-enroll in the UBlearns course to review the material. Please use this material within your departments to help people understand how to properly handle regulated private data.

We continue to ask for your assistance in limiting the use of regulated private data and bringing awareness to faculty and staff on the risks of storing it on their computers and portable devices. The best way to protect regulated private data is to ensure that employees who require it to perform their job are able to work with it in a secure environment.

Find Answers

9/23/13

No. Computer forensics for compliance requires following a rigorous process based on many hours of forensic training and chain of custody in order to prove there has been no tampering with or alteration to the original data.

9/23/13

Download and install Identity Finder to determine if the machine has private or regulated data.

9/23/13

At a minimum, it will require the time for the department to retrieve or move the potentially compromised host and to replace it with a spare machine. The time involved in processing a machine depends in part on the size of the drive(s) and the nature of the compromise.

9/23/13

The service itself is free.  However, the user may require use of another machine while his/her machine is being processed.  Thus, the department may need to purchase a spare machine if they do not already have one on hand.

2/3/14

No. Wipe and re-image the machine to return the user to service.

9/23/13

The ISO staff will work with the HIPAA Compliance Office as needed.

9/23/13

Federal and state regulations require reporting the exposure of regulated private data by the University.

9/23/13

Federal and state regulations require reporting the exposure of regulated private data by the University. Read about the regulations.
