Overview
When a security incident takes place, there are specific steps to take when working with the Computer Incident Response Team (CIRT).
Critical Concepts
The CIRT process is used for reporting significant security events, such as the following:
- Malware or intrusions involving systems that process or store sensitive information
- Intrusions that involve more than one system (lateral movement)
- Incidents that represent a significant risk to a department or the campus
- Advanced malware such as ransomware, remote access trojans (RAT), info stealers, etc.
If you are a system administrator, working with the CIRT will
- Manage security incidents at UC San Diego
- Combat rising security and accountability risks
- Reduce associated costs
Departments with internal incident response teams are still required to contact the CIRT in case of incident. The CIRT will work closely with your security team to investigate the incident.
If you are not a system administrator and suspect a violation of your computer's security has occurred, contact your department's technical support person immediately. After hours, call the ITS Service Desk, (858) 246-4357 or extension 6-HELP.
Steps to Take
1. Don't touch the machine or system
- Do not turn off the machine.
- Do not remove the machine from the network.
- Do not look at the system to see what files are on it, or what might have been touched.
2. Find out what constitutes a CIRT incident
A CIRT security incident occurs when an unauthorized entity gains access to UC San Diego computing or network services, equipment, or data. Typical situations include:
- You suspect that a computer or other network device may have been compromised to allow the viewing, transferring, or alteration of student data, personal information, medical data managed under the Health Insurance Portability and Accountability Act (HIPAA), or other legally regulated data.
- You suspect a security problem with a desktop workstation and the person and/or the workstation:
- Works with personnel or financial data
- Connects to UC San Diego business databases
- Works with personal information used for medical services or human subjects
- Submits student grades
- Incidents involving advanced malware such as ransomware, remote access trojans, or info stealers
- You detect or get a report of a physical or criminal act, such as theft of a laptop, desktop computer, or mobile device.
- A law enforcement representative contacts the university regarding a security incident.
3. Request assistance from IT Services Security
Report any incident you consider a possible threat. Contact the IT Service Desk, (858) 246-4357 or extension 6-HELP. The Help Desk will contact the on-call CIRT representativeto respond. The earlier you contact the CIRT, the more likely it is that the CIRT will be able to help.
4. Cooperate with the CIRT
The CIRT will work with you to:
- Preserve and use forensic evidence to discover the extent of the intrusion
- Determine and minimize risk and the possibility of future risk to the university
- Provide and maintain smooth and consistent interaction with law enforcement and university management
The CIRT cannot assist with cleanup and data recovery, except as they pertain to the situations above.