Applicable To: 

Duke University

Version 2.0

Author


IT Security Office (ITSO)

Authority


Duke University Chief Information Officer
Duke University Chief Information Security Officer

Introduction


The University IT Security Office (ITSO) monitors Duke’s network and systems for security issues and takes timely action to resolve potential compromises. This document describes actions taken to resolve potential compromises of accounts. See Endpoint Device Security and Quarantining Practices for actions taken to remove devices from the network when they pose a security threat. 

Practices


Through monitoring of Duke's system, mail, and authentication logs, the ITSO and OIT may identify accounts that have been compromised and are being used by attackers to log into systems. In these situations, the ITSO and OIT will take one of two actions.

1. Manual Locking

In cases where the ITSO or OIT has identified a compromised account based on a reported incident or analysis of system and authentication logs, the questionable account will be referred to the OIT Service Desk.

The Service Desk will:

(a)   Attempt to contact the affected individual.

(b)   Lock the account.

(c)   Assist the customer in resetting their password and updating CRV questions when they call the Service Desk.

If the account is a faculty or staff account, the ITSO will also contact the appropriate IT contact in the school or department to let them know about the incident.

In some cases, if the account is involved in an active security incident, or is part of a large security incident involving a larger number of accounts, the ITSO and Service Desk will immediately lock the account and then attempt to contact the affected party and IT contact for the affected party. The Service Desk will help the user reset their password and update CRV questions when they contact the Service Desk for assistance.

When contacted, the affected parties will be asked if they have access to systems with Sensitive data so that access to those systems can be checked for inappropriate access.

2. Automated Locking

In cases where a compromised account is being used to send spam or phishing messages from the Duke mail system, an automated task may detect the misuse and immediately quarantine the account. In these cases, the affected user will need to contact the Service Desk, which can assist with resetting their password and updating CRV questions.


¹ In this case, a “threat” is posed to the broader community if the infected or vulnerable, unpatched system could create a foothold for an attacker to access other systems on the Duke network through the vulnerable system, or if the attacker could adversely impact the performance of Duke’s network more generally through Denial of Service attacks or other methods.


Document Type: Procedure