ITS

Information Technology Services

Security Incidents

Do you suspect that there has been unauthorized access to your computer? The sections below explain what to do about it.

Definition

A hacking attempt, or a suspected or confirmed compromise, that affects a large group of University users and systems and has the potential for significant impact on, and embarrassment to, the University, including a privacy breach resulting from a hack or from illegal activity.

Response

Organized handling of an incident can mean the difference between complete recovery and total disaster. The logical approach to handling the different forms of attack, such as a system compromise, follows this sequence of steps:

  1. Preparation

    Preparation covers the measures that ensure you are ready should an incident happen: knowing who can handle an incident (a skilled person), making backup copies on a regular basis, monitoring for security events in real time, keeping software updated with security fixes and antivirus signatures current, having a communication plan, and having a toolkit ready for use.

  2. Identification of Attack

    It is important to identify the characteristics of an attack before it can be properly contained. The incident handler gathers data, analyzes it, and then determines whether an incident has occurred. The handler must calmly assess the situation, be ready to communicate, and document all evidence (including how and when it was collected) so that it can later be used in a court of law if necessary.

  3. Containment of Attack

    Once an attack has been identified, steps must be taken to limit the damage and prevent further harm. Containment lets the administrator stop the attack from spreading to other systems and networks. Recommended initial actions include disconnecting the network cable, modifying firewall rules, changing DNS records, or blocking access to the system with ACLs on the campus layer 3 packet-filtering devices. Disconnecting the network is preferable to powering the system off, since evidence held only in memory is lost when power is cut. Once the attack has been contained, the remaining phases (eradication, recovery, analysis and any public notification requirements) are addressed.

  4. Eradication

    This phase involves removing any malicious code and data left by the intruder, after a copy of the compromised system has been made for forensic analysis. It also includes closing the vulnerabilities the attacker used to get in. Once the cause of the compromise has been determined and is well understood, the system can be rebuilt from a known-good backup. The backup must predate the intrusion; restoring a copy taken after the compromise restores the intruder's changes along with it. If no suitable backup exists, the system must be reinstalled from scratch, including the operating system.
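    The forensic copy and evidence record mentioned in the Identification and Eradication steps above, written out as an added POSIX shell example (not part of the ITS procedure): it images the compromised volume with dd, hashes both the source and the image, appends a chain-of-custody line, and can later re-verify the image. The paths, the log format, and the use of GNU dd and sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ITS page: take a forensic copy of a
# compromised volume before eradication, and record SHA-256 hashes so the
# copy can later be shown to match the original. Assumes GNU coreutils
# (dd status=none, sha256sum); the evidence-log format is this example's own.
set -eu

# image_and_hash SRC DEST LOG
#   SRC  : device or file holding the compromised system (e.g. /dev/sdb)
#   DEST : path for the raw image
#   LOG  : chain-of-custody log to append to
# Returns 0 when DEST is byte-for-byte identical to SRC, non-zero otherwise.
image_and_hash() {
    src=$1; dest=$2; log=$3

    # Bit-for-bit copy. bs=512 matches the sector size, so conv=sync (pad
    # unreadable blocks) never adds bytes to a healthy device; noerror keeps
    # going past bad sectors so a failing disk still yields the readable parts.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync status=none

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)

    # One timestamped line per action, so the record can be produced later.
    printf '%s host=%s action=image src=%s dest=%s src_sha256=%s img_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$src" "$dest" \
        "$src_hash" "$img_hash" >> "$log"

    # Store the image hash beside the image in sha256sum -c format.
    printf '%s  %s\n' "$img_hash" "$(basename "$dest")" > "$dest.sha256"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST : re-check an image against its stored hash, e.g. before
# handing it to an analyst. Returns non-zero if the image has been altered.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum --quiet -c "$(basename "$1").sha256" )
}
```

    Run it as `image_and_hash /dev/sdb /evidence/case-host.img /evidence/custody.log` from a live boot or a second machine, writing to storage that is not the compromised disk; a non-zero exit means the image does not match the source and must not be relied on. Hashing the source a second time doubles the read time, but it is what lets the hash line in the log stand on its own as evidence.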

  5. Recovery

    Return to normal operations. The system has been rebuilt either from scratch or from a backup and is ready to be validated for production. Validation includes verifying that the system is fully patched and securely configured so that it will not be compromised the same way again, and monitoring it closely once it is back in service.

  6. Lessons Learned

    The final stage of incident handling is to learn from the mistakes discovered and not repeat them in the new structure. It may also lead to adding security protections to prevent the event from happening again. This phase includes preparation of the final report.

Reporting a High-Risk Security Incident

To report a high-risk security incident on campus, please send an email to iso@queensu.ca.

Reporting Other Security Incidents

If you believe you have been the victim of a security incident, report it immediately to prevent the loss of personal or institutional information.

Phishing message

If you have received a phishing message:

  • Do not respond
  • Forward the message to abuse@queensu.ca for action
  • Delete the message

If you clicked on the link or opened the attachment in a phishing email, follow the "If you have received a phishing message" steps above and then:

  • Scan your system for viruses
  • Change your NetID password by going to queensu.ca/its
  • Update your security questions when changing your password


Spam messages

The University filters email with Microsoft Exchange Online Protection (EOP). If you notice spam in your inbox, delete it. You can also move it to your Junk folder; filters are built automatically from these moves to help identify and filter spam messages.

If spam messages persist, contact the IT Support Centre by calling 613-533-6666 or by filling in the Online Help Form.

Computer or Mobile Device Theft

Report any suspected theft of computing equipment to Queen’s University Campus Security at 613-533-6733.

Note: If your device contained University data and the device was not encrypted, this is a security incident and must be treated as one.

Unauthorized Access and Copyright Violations

Please report unauthorized network access attempts, and copyright violations originating from IP addresses starting with 130.15, to abuse@queensu.ca.

Email Harassment

The University offers a program called STOPIT! to deal with email harassment at Queen's. STOPIT! is a joint initiative of the Human Rights Office, Campus Security, Information Technology Services, and the Dean of Student Affairs.

Please visit the following link for reporting and information:


Any Other Security Incidents

Examples: virus attacks and malicious code targeting end-user computers and computing devices; having replied to a phishing email; loss of data stored locally on a computer. Please contact the IT Support Centre by calling 613-533-6666 during regular business hours, or by filling out the online help form.

Questions?

Please contact the Information Security Office.


Last Updated: April 6, 2018