Incident Handling and Response and Contributed by Organizations or Campuses
Monitoring and Network Forensics at the University of Chicago
| Title: | Monitoring and Network Forensics at the University of Chicago (ID: EPS175) |
| Author(s): | E. Larry Lidz (University of Chicago) |
| Origin: | Contributed by Organizations or Campuses (2003) |
| Type: | Effective Practices |

Abstract:

Overview of the University Network

The University of Chicago's network has approximately 15,000 network devices on it, spanning about a thousand switches. The network infrastructure is a 100 Mb/s switched infrastructure with a gigabit backbone. For off-campus connectivity, we currently have 155 Mb/s Internet2 connectivity and two 40 Mb/s commodity links. We have a handful of T1 and T3 connections that connect affiliated organizations, or sites away from the main campus network, into our campus backbone.

Evolution of Network Forensics at the University

We have been running various network forensic tools since around 1995. We started with TAMU NetLogger, logging traffic on the subnet on which we had our main e-mail, Web, and other important servers. NetLogger relied on a non-switched network for logging; as the University's network moved to a switched network, we stopped using NetLogger. Around 1998, as the University started the Network Security Center, we began searching for a way to obtain similar network audit logs, but monitoring traffic across the University's gateway instead of, or in addition to, monitoring the main servers.
Responding to Major Incidents at Indiana University
| Title: | Responding to Major Incidents at Indiana University (ID: EPS174) |
| Author(s): | Mark S. Bruhn (Indiana University) |
| Origin: | Contributed by Organizations or Campuses (2003) |
| Type: | Effective Practices |

Abstract:

Indiana University comprises eight campuses with approximately 60,000 system-wide networked devices. When the Melissa virus was released, our response was ad hoc and unplanned, and we had a high number of infections. We did a little better with ILOVEYOU, better still with Code Red, and even Slammer. But, generally, while campus operations were not heavily impacted by these latter events, our responses were still fairly uncoordinated and our actions were overly cautious. As a result of our experiences with those previous events, we decided we would take a much more aggressive, though still measured, approach to these threats.
Incident Response at University of Wisconsin-Madison
| Title: | Incident Response at University of Wisconsin-Madison (ID: EPS182) |
| Author(s): | Kimberly A. Milford (University of Rochester) |
| Origin: | Contributed by Organizations or Campuses (2003) |
| Type: | Effective Practices |

Abstract:

Over the past several years we have seen a rise in computer intrusions, malicious code, and other security incidents on our network. With approximately 25,000 computers attached to our network, it was no longer feasible for one individual to handle all of the incidents that were occurring. In 1999, we began a focused effort to improve our ability to detect problems, determine their causes, minimize the damage they cause, preserve related evidence, resolve the problems, and take appropriate disciplinary or legal action. Part of this initiative involved the formation of an incident response team made up of three Department of Information Technology (DoIT) Security staff members and 10 volunteers from various departments at the University of Wisconsin-Madison. The Badger Incident Response Team (BadgIRT), which operates as an integral part of the DoIT Security department, was formed as a central collection point for tracking incidents, analyzing information security trends, and working with other incident response teams worldwide.