UB has classified and tracked information security incidents since 2005.
UB's Information Security Office works to minimize the damage from each
compromise, and as it has built awareness among UB students, faculty
and staff, the number of compromised accounts has continued to drop.
Some incident management milestones for UB have been:
Our REN-ISAC membership keeps the Information Security Office informed about compromises that the University otherwise wouldn't be aware of; a variety of compromises are generally detectable only at the remote end of the connection, by the party being contacted rather than by the compromised host's own network. Botnet compromises, for example, would go largely undetected without the relationship with REN-ISAC. The information sharing and trust relationships that come with UB's membership have allowed us to better secure our infrastructure.
ArcSight is notable because it allowed UB to correlate incident reports and events, and to automate much of their processing, assignment and resolution. As a result, UB can respond more rapidly to new compromises. The statistics show a large increase in incident detection in 2006, when UB began using ArcSight; incident volume has dropped off since as awareness and preventive measures have grown.
Over the course of one semester, UB experienced 109 compromised accounts, compared with 64 during the subsequent semester. Only six accounts were compromised more than once. We believe multiple compromises likely indicate that a piece of equipment the person is using is compromised. The rest of the accounts were compromised only once, which likely means that phishing was the cause.
The majority of compromised accounts were student accounts
(53%), but a significant number belonged to faculty (17%), staff (16%)
and alumni (12%), with the remainder (2%) belonging to retirees.
New compromises have been reported on an almost daily basis,
with only a few spikes. Most of the compromised accounts were
accessed from only a few external locations, and most of that access
came through UBVPN. There is no data to determine whether
compromised accounts are being used to access other services (HUB,
desktops, HR services, etc.).
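The triage logic described above (a repeat compromise of the same account points at a compromised device, a single compromise is more likely phishing, and most access comes from a few external locations, mostly via the VPN) can be applied mechanically to a compromise log. The script below is an added illustration, not UB's ArcSight rules or any UB data: the records are constructed, the field layout is an assumption, and the affiliation breakdown counts each account once under its recorded affiliation.

```python
"""Correlate account-compromise reports: flag accounts compromised more
than once for endpoint investigation, treat single compromises as
probable phishing, and summarise where the accounts were used from.
Added example with constructed input; not UB's tooling or data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Compromise:
    account: str
    affiliation: str   # student / faculty / staff / alumni / retired
    date: str          # ISO date of the report
    source_ip: str     # address the compromised account was used from
    via_vpn: bool      # True if the access came through the campus VPN


# Constructed sample records (not real UB data). One account, u_alice,
# is reported three times; the others once.
SAMPLE = [
    Compromise("u_alice", "student", "2009-02-03", "203.0.113.7", True),
    Compromise("u_bob",   "faculty", "2009-02-03", "203.0.113.7", True),
    Compromise("u_alice", "student", "2009-02-19", "198.51.100.12", False),
    Compromise("u_carol", "staff",   "2009-02-20", "203.0.113.7", True),
    Compromise("u_alice", "student", "2009-03-02", "203.0.113.7", True),
    Compromise("u_dave",  "alumni",  "2009-03-05", "192.0.2.44", True),
]


def classify_accounts(events):
    """Return {account: ("repeat" | "single", count)}.  A repeat
    compromise is the text's indicator of a compromised endpoint;
    a single compromise is treated as probable phishing."""
    per_account = Counter(e.account for e in events)
    return {acct: ("repeat" if n > 1 else "single", n)
            for acct, n in per_account.items()}


def affiliation_breakdown(events):
    """Share of compromised accounts (not events) by affiliation, in
    whole percent. Each account is counted once."""
    accounts = {e.account: e.affiliation for e in events}
    counts = Counter(accounts.values())
    total = len(accounts)
    return {aff: round(100 * n / total) for aff, n in counts.items()}


def source_summary(events):
    """Source locations ranked by number of accesses, plus the fraction
    of accesses that came through the VPN."""
    by_ip = Counter(e.source_ip for e in events)
    vpn = sum(1 for e in events if e.via_vpn)
    return by_ip.most_common(), vpn / len(events)


def triage(events):
    """Per-account action list a responder would work from."""
    actions = {}
    for acct, (kind, n) in classify_accounts(events).items():
        if kind == "repeat":
            actions[acct] = (f"{n} compromises: reset password AND "
                             "inspect the user's device(s)")
        else:
            actions[acct] = ("1 compromise: reset password, "
                             "phishing awareness follow-up")
    return actions


if __name__ == "__main__":
    for acct, action in triage(SAMPLE).items():
        print(acct, "->", action)
    print(affiliation_breakdown(SAMPLE))
    ips, vpn_share = source_summary(SAMPLE)
    print(ips, f"VPN share {vpn_share:.0%}")
```

In a real deployment the records would come from the SIEM's incident export rather than a literal list, and the source-IP ranking is what tells you whether a handful of external locations account for most of the misuse, as the text reports.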
Measures taken by the Information Security Office to combat phishing and account compromises: