Incident Management

Since 2005, UB has been classifying and tracking information security incidents. UB's Information Security Office works to minimize the damage from each compromise. As the office builds increased awareness among UB students, faculty and staff, the number of compromised accounts continues to drop.

Some incident management milestones for UB have been:

  • UB is a member of REN-ISAC
  • Building out our Splunk infrastructure to assist with event information

Our REN-ISAC membership keeps the Information Security Office informed about compromises that the University otherwise wouldn’t be aware of; there are a variety of compromises that are generally detectable only at remote ends. For example, botnet compromises would go largely undetected without a relationship with REN-ISAC. The information sharing and trust relationships that come with UB’s membership have allowed us to better secure our infrastructure.

Compromised Account Activity

Over the course of one semester, 109 UB accounts were compromised. In comparison, there were 64 compromises during the subsequent semester. Only six accounts experienced multiple compromises. We believe multiple compromises likely indicate that a piece of equipment the person is using is compromised. The rest of the accounts were only compromised once, which likely means that phishing was the cause.

Affiliation

The majority of compromised accounts were student accounts (53%), but a significant number were faculty (17%), staff (16%), and alumni (12%), with the remainder being retired (2%).

Rate and Origin of Compromises

New compromises have been reported on an almost daily basis, with only a few spikes. Most of the compromised accounts were accessed from only a few external locations. Most of the access was through UBVPN. There isn’t data to determine whether compromised accounts are being used to access other services (HUB, desktops, HR services, etc.).

Progress Made

Measures taken by the Information Security Office to combat phishing and account compromises: 

  • Began documenting and communicating phishing messages that specifically target UB -- i.e. they claim to come from "UB Mail Team," "UB Account Security Team" or some variation.
  • Reporting phishing sites referenced in messages sent to UB students, faculty or staff, whether those messages target UB or not, to the responsible site owner and ISP.  
  • Created a phishing awareness flyer with the help of the IT Policy & Communication team. The flyer is now distributed as part of the New Employee Welcome packet. 
  • In the process of implementing Duo (Two-Step Verification) authentication University-wide for most services.
  • The Information Security Office worked with ITCE to create security-related videos for new employee orientation.
  • Starting to utilize additional features of UB's next generation firewall technology to block dangerous URLs and scan email attachments for infected files at the border.
  • Regularly revise advice given by the UBIT Help Center to students, faculty and staff who have been compromised more than once.
  • Purchased 1,500 seats of a third-party security awareness training package, added to the CIO new hire training. This software is also available to IT Node Directors.
  • Require that VPN users authenticate before being able to send email.