11.07.2015 Views

Yale University ITS Information Security Office - Zoo - Yale University

Yale Information Security

ITS Academic Computing System (ACS) Pantheon

ITS ACS Aleks Margan notices break-in. Aleks pages the Univ. ISO via beeper.
  • We investigate.
  • We assess damage.
  • We determine only one machine affected.

We shut down Minerva and swap in a freshly installed “hot spare” machine as Minerva.
  • We meet with ITS TP & ACS directors.
  • We decide to shut the Banner student Web.

We shut down the “Banner” student information system Web interface.
  • Users logging in on the Pantheon & Yale Web server are prompted to change their password.

Incident Handling
Anatomy of an incident
“Minerva” October 14 1997 “Break-In”

  • We plan shutdown and swap with fresh “hot spare” system.
  • We contact ITS Dir.
  • We decide to force a password change.
  • We prepare a statement.
  • We force students who login to change their passwords in two weeks.
  • Other users (E-Mail) are given a grace period.

ISO dissects attack during the night of 10/14-15. Prepares CERT & Yale CERT reports.
  • Minerva infosec audit.
  • Evidence of intruder sessions (w/accounts & programs and source of attacks) found in logs.

Pantheon Security Review and Prevention Steps
  • Solaris OS patch procedure audited & reviewed.

Follow Through Actions
  • Yale Police notified. They contact FBI.
  • Other Internet sites & Yale admins notified.
  • Offending network’s IP address blocked.

Aftermath
  • Log files secured.
  • Press releases to and interviews with Yale Daily News and Yale Herald.
  • Tripwire software specified and installed on Pantheon systems.
  • Banner student system re-enabled.
  • Pantheon Kerberized login and E-Mail access to be promoted in 1998 (encrypted auth & data).
