Damage Control
If you believe you or your system has fallen victim to an attack that results in unauthorized disclosure of private or confidential information, you will need to take steps to limit the damage, remove the attacker's software, and prevent future attacks. In those cases where personally identifiable information is involved, the NYS Information Security Breach and Notification Law applies.
Personally Identifiable Information: Notification Requirements
If your compromised computer contained files with names and any combination of the following:
- social security numbers
- driver's license or non-driver identification card
- financial account information (credit card numbers, bank accounts) with access codes or PINs
Contain the attack (disconnect the network wire) and immediately notify the Information Security Officer (437-3813). New York State requires that unauthorized disclosure of electronic records containing this information must be reported to:
- the individuals whose information was disclosed
- the NYS Attorney General's Office
- the NYS Consumer Protection Board
- the NYS Office of Cyber Security and Critical Infrastructure Coordination
Contacting the ISO will initiate the notification process and result in a forensic examination of your computer.
Do not modify or alter your system in any way other than to disconnect it from the network.
Does My Computer Contain Personally Identifiable Information?
Personally identifiable information in the form of spreadsheets, electronic forms, documents, or PDF files could be stored on your computer's hard drive. Cornell University, Virginia Tech, and George Washington University have developed software tools that can be run against a computer's hard drive to determine if any files are present, whether active or deleted, that contain personal information such as Social Security Numbers and credit card account numbers.
To download these tools and for more information on how to use them, follow the links:
- Cornell's Spider (Windows and Linux versions)
Responding to an Attack
Containment: If you suspect your computer has been compromised, the first step is to limit the damage. Since the attack is most likely network based, simply disconnecting your wire from the network jack will halt the attack.
Personally Identifiable Information (PII): If your system has files with PII (e.g., spreadsheets with student or employee names and SSNs), stop. Do not modify or alter the computer in any way. Contact the ISO and wait for instructions.
Eradication: You must remove all the software that was installed by the attacker on your system to make sure it's clean. Sometimes this can be done surgically. Otherwise, the only way to ensure that all the malware has been removed is to reformat the hard drive and reinstall the operating system and all the applications. This is where you're very glad you've been doing regular backups of your data files.
Recovery: Prepare to place the machine back into production by making sure it is secure and will not fall prey to a repeat attack. Patches should be installed, passwords changed, and behavior should be reviewed to reduce or eliminate at-risk activities. The system should be checked and validated by the unit head before putting it back on-line.
Review: The employee, supervisor, unit head and technical support person should meet to briefly review all the circumstances of the incident and to make sure the proper steps have been taken to prevent a recurrence.
Contact your Technology Coordinator for Assistance.