Computing Services
Policies
Bradley University
Intrusion Detection Incident Response Policy
When the Intrusion Detection System recognizes an intrusion incident, it is important to take action to safeguard Bradley University resources and the resources of our community.
The objectives of this policy are to:
- Determine how the incident happened.
- Establish a process for avoiding further exploitations of the same vulnerability.
- Avoid escalation and further incidents.
- Assess the impact and damage of the incident.
- Recover from the incident.
- Update procedures as needed.
- Determine who was responsible (if appropriate and possible).
Depending on the seriousness of the attack, not all of the objectives above will necessarily need to be pursued. A tiered response and escalation procedure for detected potential security breaches is implemented as part of Bradley University's emergency response.
Level 1: One instance of potentially unfriendly activity (finger, unauthorized telnet, port scan, etc.).
- Record user/IP address/domain of intruder.
- Maintain vigilance for future break-in attempts from this user.
Level 2: One instance of a clear attempt to obtain unauthorized information or access (downloading password files, accessing restricted areas, etc.), or a second Level 1 attack.
- Collect and protect information associated with the intrusion.
- Research origin of connection.
- Contact ISP and ask for more information regarding attempt and intruder.
- Research potential risks related to intrusion method attempted.
- Upon identification of the intruder, inform the intruder that their actions are known and warn of the consequences if the attempt is repeated.
Level 3: Serious attempt to breach security (multi-pronged attack, denial of service attempt, etc.), or a second Level 2 attack.
- Contain the intrusion and decide what action to take.
- Collect and protect information associated with the intrusion.
- Notify the client whose system is being attacked of the situation and keep them informed of progress at each following step.
- Eliminate the intruder's means of access and any related vulnerabilities.
- Research origin of connection.
- Contact ISP and ask for more information regarding attempt and intruder, reminding them of their responsibility to assist us in this regard.
- Research potential risks related to or damage caused by intrusion method used.
All potential, suspected, or known information security incidents should be reported to the Director of Computing Services. The Director of Computing Services will assign personnel who will assemble all needed resources to handle the reported incident. The Director of Computing Services will make decisions as to the interpretation of policy, standards and procedures when applied to the incident. In the case of a Level 2 or higher threat, the Director of Computing Services will notify campus administration: the Provost and the Associate Provost of IRT.
With the approval of University Administration, the Bradley University Police Department will be notified. Should further police agency involvement be required (such as the FBI), the Director of Computing Services will coordinate with the Bradley University Police to bring in these agencies. Bradley University faculty, students and staff are subject to the Ethical Use Policy, and sanctions in that policy may apply in addition to or instead of legal sanctions.
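The tiered escalation above (a repeat Level 1 event from the same source is handled as Level 2, a repeat Level 2 as Level 3, and Level 2 or higher triggers notification of campus administration) can be tracked mechanically. The following is an added illustration, not part of the policy or of any Bradley University tooling; the event-kind names, the per-source history, and the assumption that escalation is applied repeatedly up to a Level 3 ceiling are all assumptions made here.

```python
from collections import defaultdict

# Assumed mapping from detected event kinds to the policy's base level;
# the kinds are the examples the policy lists for each tier.
BASE_LEVEL = {
    "finger": 1, "unauthorized_telnet": 1, "port_scan": 1,
    "password_file_download": 2, "restricted_area_access": 2,
    "multi_pronged_attack": 3, "denial_of_service": 3,
}
DIRECTOR = "Director of Computing Services"
ADMINISTRATION = ["Provost", "Associate Provost of IRT"]


class EscalationTracker:
    """Assigns a response level to each detected event, per source."""

    def __init__(self):
        # source (user, IP address or domain) -> levels already assigned to it
        self.history = defaultdict(list)

    def record(self, source, event_kind):
        """Return the level at which this event must be handled."""
        level = BASE_LEVEL[event_kind]
        prior = self.history[source]
        # Policy rule: a second Level 1 attack is handled as Level 2 and a
        # second Level 2 attack as Level 3. Assumption: the rule is applied
        # repeatedly, so a third Level 1 event reaches Level 3; 3 is the ceiling.
        while level < 3 and level in prior:
            level += 1
        prior.append(level)
        return level

    @staticmethod
    def notify(level):
        """Return who must be informed of an incident at this level."""
        return [DIRECTOR] + (ADMINISTRATION if level >= 2 else [])


def process(events):
    """Run (source, event_kind) pairs through one tracker in order."""
    tracker = EscalationTracker()
    out = []
    for src, kind in events:
        lvl = tracker.record(src, kind)
        out.append((src, lvl, tracker.notify(lvl)))
    return out


# Constructed sample event stream (documentation addresses, not real data).
SAMPLE_EVENTS = [
    ("203.0.113.5", "port_scan"),                # Level 1
    ("203.0.113.5", "port_scan"),                # second Level 1 -> Level 2
    ("198.51.100.7", "password_file_download"),  # Level 2
    ("198.51.100.7", "restricted_area_access"),  # second Level 2 -> Level 3
    ("203.0.113.5", "denial_of_service"),        # Level 3
]

if __name__ == "__main__":
    for src, lvl, who in process(SAMPLE_EVENTS):
        print(f"{src}: Level {lvl}, notify {', '.join(who)}")
```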
Documentation
All information security incidents must be documented. This documentation provides a reference to be used in case of other similar incidents. System and network log files, network message traffic, user files, results produced by intrusion detection tools, analysis results, system administrator console logs and notes, and backup tapes that capture the before-intrusion and after-intrusion states of the affected system must be carefully collected, labeled, cataloged, and securely stored at each stage of intrusion analysis.
Evidence and activity logs should be protected before, during and following the incident.
Response Actions
The incident handling process provides escalation mechanisms. The following priorities, in order, define them:
- Priority One - protect human life and people's safety; human life always has precedence over all other considerations.
- Priority Two - Protect restricted and/or internal data. Prevent exploitation of restricted systems, networks or sites. Inform affected restricted or sensitive systems, networks or sites of penetrations that have already occurred, while abiding by any applicable government regulations.
- Priority Three - Protect other data, including managerial data, because loss of data is costly in terms of resources. Prevent exploitation of other systems, networks or sites, and inform already affected systems, networks or sites of successful penetrations.
- Priority Four - Prevent damage to systems (e.g., loss or alteration of system files, damage to disk drives, etc.). Damage to systems can result in costly downtime and recovery.
- Priority Five - Minimize disruption of computing resources (including processes). In many cases it is better to shut a system down or disconnect it from the network than to risk damage to data or systems. Each data and system owner must evaluate the trade-off between shutting down or disconnecting and staying up.