Since 2005, UB has been classifying and tracking information
security incidents. UB's Information Security Office works to
minimize the damage from each compromise. As awareness among UB
students, faculty and staff has grown, the number of compromised
accounts has continued to drop.
Some incident management milestones for UB have been:
- UB is a member of REN-ISAC
- Our ArcSight implementation manages event information
Our REN-ISAC membership keeps the Information Security Office
informed about compromises that the University otherwise
wouldn’t be aware of; there are a variety of compromises that
are generally detectable only at remote ends. For example, botnet
compromises would go largely undetected without a relationship with
REN-ISAC. The information sharing and trust relationships that come
with UB’s membership have allowed us to better secure our
ArcSight is notable because it allowed UB to correlate incident
reports and events, and also automate much of their processing,
assignment and resolution. As a result, UB can respond more rapidly
to new compromises. In 2006, when UB began using ArcSight, the
statistics show a large increase in incident detection. Incident
volume has dropped off since as awareness and preventative measures
Over the course of four and a half months (January 1 through May
15, 2013), UB experienced 109 accounts compromised. In comparison,
there were 64 compromises during the Fall 2013 semester. Only six
accounts experienced multiple compromises. We believe multiple
compromises likely indicate that a piece of equipment the person is
using is compromised. The rest of the accounts were only
compromised once, which likely means that phishing was the
The majority of compromised accounts were student accounts
(53%), but a significant number were faculty (17%), staff (16%),
and alumni (12%), with the remainder being retired (2%).
New compromises have been reported on an almost daily basis,
with only a few spikes. Most of the compromised accounts were
accessed from only a few external locations. Most of the access was
through UBVPN. There is no data to determine whether
compromised accounts are being used to access other services (HUB,
desktops, HR services, etc.).
Measures taken by the Information Security Office to combat
phishing and account compromises:
- Began documenting and communicating phishing messages that
specifically target UB -- i.e. they claim to come from "UB Mail
Team," "UB Account Security Team" or some
- Reporting phishing sites referenced in messages sent to UB
students, faculty or staff, whether those messages target UB or
not, to the responsible site owner and ISP.
- Created a phishing awareness flyer with the help of the IT
Policy & Communication team. The flyer is now distributed as
part of the New Employee Welcome packet.
- UB Human Resources and the Information Security Office revised
and updated talking points used in the new employee orientation
- Integrated geolocation information and VPN authentication logs
to more easily spot compromised accounts.
- Regularly revise the advice the Help Desk gives to students,
faculty and staff whose accounts have been compromised more than once.
- Purchased 1,500 seats of the “SANS: Securing the Human”
training package, which was added to the CIO new hire training. This is
also available to IT Node Directors.
- Require that VPN users authenticate before being able to send
current metrics on UB’s security incident management.
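The measure above that integrates geolocation information with VPN authentication logs can be illustrated with a small correlation script. The code below is an added example and is not UB's own tooling; the log line format, the IP-to-location table, the account names and the six-hour window are all constructed for illustration. A real deployment would read the VPN concentrator's syslog and query a geolocation database rather than a hard-coded dictionary. The script flags accounts whose successful VPN logins come from more than one country within the window (the pattern behind "accessed from only a few external locations"), and it also summarises the distinct locations seen per account so an analyst can review repeat cases, which the report above associates with a compromised device.

```python
"""Correlate VPN authentication events with geolocation to surface
accounts that are likely compromised.

Added example, not UB's code. Log format, geolocation table and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format:
# ISO timestamp, user, source IP, result). IPs are documentation ranges.
SAMPLE_LOG = """\
2013-03-04T08:02:11 user=jdoe src=192.0.2.17 result=success
2013-03-04T08:40:53 user=jdoe src=203.0.113.5 result=success
2013-03-04T09:15:02 user=asmith src=192.0.2.44 result=success
2013-03-04T09:20:44 user=asmith src=192.0.2.44 result=success
2013-03-04T11:02:30 user=jdoe src=198.51.100.9 result=success
2013-03-04T11:30:00 user=bkim src=203.0.113.77 result=failure
2013-03-05T07:55:19 user=bkim src=203.0.113.77 result=success
"""

# Constructed IP-to-location table standing in for a GeoIP database lookup.
GEO = {
    "192.0.2.17": ("US", "Buffalo"),
    "192.0.2.44": ("US", "Buffalo"),
    "203.0.113.5": ("NG", "Lagos"),
    "203.0.113.77": ("RO", "Bucharest"),
    "198.51.100.9": ("CN", "Shanghai"),
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Yield (timestamp, user, ip, result); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        yield datetime.fromisoformat(ts), user, ip, result


def _successful_logins(text):
    """Group successful logins per user as (timestamp, ip, country, city)."""
    logins = defaultdict(list)
    for ts, user, ip, result in parse_log(text):
        if result != "success":
            continue
        # Unknown IPs get a placeholder country so they are still visible for review.
        country, city = GEO.get(ip, ("??", "unknown"))
        logins[user].append((ts, ip, country, city))
    for events in logins.values():
        events.sort()
    return logins


def flag_suspicious(text, window=timedelta(hours=6), max_countries=1):
    """Return {user: [reason, ...]} for accounts whose successful VPN logins
    span more than `max_countries` distinct countries inside `window`.
    A single person rarely authenticates from two countries within hours,
    so this is a strong indicator that credentials have been phished."""
    findings = {}
    for user, events in _successful_logins(text).items():
        for i, (ts_i, _ip_i, c_i, _city_i) in enumerate(events):
            # Sliding window starting at event i over the time-sorted events.
            seen = {c_i}
            for ts_j, _ip_j, c_j, _city_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break
                seen.add(c_j)
            if len(seen) > max_countries:
                findings[user] = [
                    f"{len(seen)} countries within {window} starting "
                    f"{ts_i.isoformat()}: {sorted(seen)}"
                ]
                break  # one finding per account is enough to open a ticket
    return findings


def location_summary(text):
    """Return {user: sorted list of distinct (country, city)} for successful logins,
    for analysts reviewing how many external locations touched an account."""
    return {
        user: sorted({(c, city) for _ts, _ip, c, city in events})
        for user, events in _successful_logins(text).items()
    }


if __name__ == "__main__":
    for user, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(f"FLAG {user}: {reasons[0]}")
    for user, places in location_summary(SAMPLE_LOG).items():
        print(f"{user}: {places}")
```

Tuning `window` and `max_countries` is the operational decision: a tighter window yields fewer false positives from legitimate travel, while a looser one catches slower credential reuse. The per-account location summary is what a Help Desk analyst would consult before advising a user who has been flagged more than once.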