Incident Management

Since 2005, UB has been classifying and tracking information security incidents. UB's Information Security Office works to minimize the damage from each compromise, and as awareness among UB students, faculty and staff has grown, the number of compromised accounts has continued to drop.

Some incident management milestones for UB have been:

  • UB is a member of REN-ISAC
  • Our ArcSight implementation manages event information

Our REN-ISAC membership keeps the Information Security Office informed about compromises that the University otherwise wouldn’t be aware of; many kinds of compromise are generally detectable only from the remote end. For example, botnet infections on campus machines would go largely undetected without a relationship with REN-ISAC, because the command-and-control traffic is seen by the parties on the receiving side. The information sharing and trust relationships that come with UB’s membership have allowed us to better secure our infrastructure.

ArcSight is notable because it allowed UB to correlate incident reports and events, and to automate much of their processing, assignment and resolution. As a result, UB can respond more rapidly to new compromises. In 2006, when UB began using ArcSight, the statistics showed a large increase in incident detection. Incident volume has dropped off since, as awareness and preventive measures have grown.

Compromised Account Activity

Over the course of one semester, 109 UB accounts were compromised, compared with 64 during the subsequent semester. Only six accounts were compromised more than once. We believe repeated compromises likely indicate that a piece of equipment the person is using is itself compromised, so that credentials can be captured again after each password reset. The rest of the accounts were compromised only once, which likely means that phishing was the cause.

The majority of compromised accounts were student accounts (53%), but a significant number were faculty (17%), staff (16%), and alumni (12%), with the remainder being retired (2%).

Rate and Origin of Compromises

New compromises have been reported almost daily, with only a few spikes. Most compromised accounts were accessed from only a few external locations, and most of that access came through UBVPN. There is no data to determine whether compromised accounts are also being used to access other services (HUB, desktops, HR services, etc.).

Progress Made

Measures taken by the Information Security Office to combat phishing and account compromises:

  • Began documenting and communicating phishing messages that specifically target UB, i.e. those claiming to come from "UB Mail Team,” "UB Account Security Team" or some variation.
  • Began reporting phishing sites referenced in messages sent to UB students, faculty or staff, whether or not those messages target UB, to the responsible site owner and ISP.
  • Created a phishing awareness flyer with the help of the IT Policy & Communication team; the flyer is now distributed as part of the New Employee Welcome packet.
  • Revised and updated, together with UB Human Resources, the talking points used in the new employee orientation presentation.
  • Integrated geolocation information with VPN authentication logs to more easily spot compromised accounts, for example logins from locations the account holder could not plausibly have reached since the previous login.
  • Regularly revise the advice given by the UBIT Help Center to students, faculty and staff whose accounts have been compromised more than once.
  • Purchased 1,500 seats of a third-party security awareness training package and added it to the CIO new hire training; the software is also available to IT Node Directors.
  • Required that VPN users authenticate before being able to send email.
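The geolocation-plus-VPN-log correlation described above, as an added example that is not UB's own tooling: the script parses constructed VPN authentication log lines, enriches each successful login with a location from a small constructed IP-to-geo table (standing in for a real GeoIP database), and flags an account either when two consecutive logins would require faster-than-airliner travel or when logins arrive from more than one country. The log format, field names, IP addresses and thresholds are all assumptions for illustration.

```python
"""Spot likely compromised accounts by joining VPN auth logs with geolocation.

Added example; the log format, IPs and locations below are constructed.
"""
import math
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed IP -> (city, country, lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "128.205.1.10": ("Buffalo", "US", 42.886, -78.878),
    "71.52.33.9": ("Rochester", "US", 43.161, -77.611),
    "197.210.45.3": ("Lagos", "NG", 6.524, 3.379),
    "5.188.10.77": ("Moscow", "RU", 55.756, 37.617),
}

# Constructed VPN authentication log lines (syslog-like; the format is assumed).
LOG_LINES = """\
2010-09-13T08:02:11 vpn1 auth user=jdoe src=128.205.1.10 result=SUCCESS
2010-09-13T08:40:27 vpn1 auth user=jdoe src=197.210.45.3 result=SUCCESS
2010-09-13T09:15:02 vpn1 auth user=asmith src=71.52.33.9 result=SUCCESS
2010-09-13T21:30:44 vpn1 auth user=asmith src=128.205.1.10 result=SUCCESS
2010-09-13T10:00:00 vpn1 auth user=bwong src=5.188.10.77 result=FAILURE
2010-09-13T10:00:05 vpn1 auth user=bwong src=5.188.10.77 result=SUCCESS
2010-09-14T10:05:00 vpn1 auth user=bwong src=197.210.45.3 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

MAX_SPEED_KMH = 900.0  # faster than a commercial flight: impossible travel
MAX_COUNTRIES = 1      # more distinct countries than this per account: review
MIN_DISTANCE_KM = 50.0  # ignore jumps smaller than typical GeoIP error

Login = namedtuple("Login", "ts src city country lat lon")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_logins(text):
    """Successful logins per user, time-sorted and enriched with geolocation."""
    logins = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "SUCCESS":
            continue  # failures and unparseable lines do not place the user anywhere
        geo = GEO.get(m["src"])
        if geo is None:
            continue  # unknown source IP: nothing to reason about geographically
        city, country, lat, lon = geo
        logins[m["user"]].append(
            Login(datetime.fromisoformat(m["ts"]), m["src"], city, country, lat, lon)
        )
    for user in logins:
        logins[user].sort(key=lambda e: e.ts)
    return logins


def find_suspicious(text):
    """Map user -> list of reasons the account looks compromised (empty map if none)."""
    findings = {}
    for user, events in parse_logins(text).items():
        reasons = []
        # Rule 1: consecutive logins that would require impossible travel speed.
        for prev, cur in zip(events, events[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist >= MIN_DISTANCE_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append(
                    f"impossible travel: {prev.city} -> {cur.city} ({dist:.0f} km in {hours:.1f} h)"
                )
        # Rule 2: logins from more countries than an individual plausibly uses.
        countries = sorted({e.country for e in events})
        if len(countries) > MAX_COUNTRIES:
            reasons.append(f"logins from {len(countries)} countries: {countries}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious(LOG_LINES).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

In this sample, jdoe is flagged by both rules (Buffalo to Lagos in under an hour), bwong only by the country rule (a day between Moscow and Lagos is physically possible), and asmith is not flagged at all. In production the country threshold would be tuned per population (faculty travel more than first-year students) and the GeoIP table replaced by a real database; the failed-login filter matters because password-guessing from abroad should be investigated separately rather than treated as the user's location.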

Still need help?

Contact the UBIT Help Center.