Removing compromised computers from the network
With the continued incidence of problems associated with computers that have vulnerabilities exploited by worms, viruses, and other malware, the following procedure was established for minimizing the impact of compromised and vulnerable machines by disabling their access to the K-State data network and the Internet:
1. Unpatched, vulnerable systems and compromised systems will be identified with the aid of scanning tools, intrusion-detection devices, external reports, and other appropriate means of identifying anomalous network activity.
2. Compromised systems will be blocked from accessing the K-State network as soon as they are identified. It will typically not be feasible to give prior notice to the individual using the affected system.
3. The IP and MAC addresses of compromised systems will be posted on the blocked hosts webpage and Network and Telecommunications Services will send a network block message to the SIRT-CONTACTS LISTSERV mailing list. The block notification message will include the following information:
   - Subject heading of "Network Block Notification - <building name>"
   - Brief explanation of why a computer has been blocked
   - As much information as possible to aid in identifying the blocked computer, such as IP address, MAC address, hostname, etc.
4. The security contacts for the compromised or vulnerable computer are responsible for ensuring that it has been reinstalled or otherwise appropriately secured before requesting the network block be removed. The contact's SIRT representative can provide advice on how to deal with the problem, but is not available to assist with on-site technical support.
   - The Identity, Security, and Compliance office (ISC) can provide advice on how to deal with the problem. Individuals needing technical assistance may contact ISC staff or send email to email@example.com.
   - Individuals needing technical assistance may contact the IT Help Desk in 214 Hale Library, 785-532-7722, firstname.lastname@example.org.
   - Campus departments needing assistance with repairs may use the fee-based services of Client Services Computer Repair in 214 Hale Library, 785-532-7722.
5. If the compromised computer contains sensitive data, such as student records, personnel files, personal identity data, or data covered by export controls, shut the computer down and immediately contact the ISC so forensic analysis can be performed to determine if there is any chance that a breach of the data occurred. This also applies if the compromised computer might be involved in a criminal investigation, since the hard drive(s) may need to be preserved for evidence. In these cases, do not under any circumstances reformat or otherwise alter the contents of the hard drive(s) until cleared to do so by the OISC or your SIRT representative. These same people can also advise you on proper ways to preserve the integrity of evidence should the computer need to be returned to production quickly.
6. If the machine is infected with malware known to open a back door or other type of trojan horse, and Step 5 above does not apply, the system must be reformatted before the block will be removed. Reformatting the hard drive and reinstalling the operating system and all applications is the only way to guarantee all malware has been removed.
7. Once the system has been repaired or patched, the network administrator must contact their SIRT representative or designated alternate, who will then send a message to the SIRT-BLOCKS LISTSERV mailing list requesting removal of the network block. The unblock request message must include the following information:
   - Subject heading of "Unblock request <building name>"
   - The line copied and pasted from the blocked-hosts page for the computer to be unblocked (including IP address, MAC address, NetBIOS name, reason blocked, and date blocked)
   - A brief explanation of why removing the block is now justified

   Only a SIRT member or designated alternate can request removal of the block.

   Residential Networking staff in Housing and Dining Services at the K-State Manhattan campus residence halls should contact the Coordinator of Residential Networking, who will process the removal of the network block.
8. Networking will remove the network block, remove the IP and MAC address from the blocked hosts list, and then notify the SIRT-BLOCKS mailing list.