Security and Abuse Notification and Remediation Procedure


Summary: Overview and How to Remediate Vulnerabilities

Overview: The Desktop Engineering Team and Systems Team receive vulnerability, compromise, and abuse notifications from ISO, identify the appropriate action, and escalate them into ServiceNow according to the ISO Notification Escalation Procedure. Generally, this means: find the device, determine ownership, and hand off to the appropriate team for remediation.

| Vulnerability | Ticket Creation Responsibility | Action/Resolution |
|---|---|---|
| Exposed RTSP | DSS & DE | Control Center on Monterey listening on ports? Turn off AirPlay Receiver. JAMF: deploy the AirPlay Config Profile to turn it off. |
| SSH service listening on public networks | DSS & DE | Mac OS: verify JAMF shows PF managed and Port 22 is CLOSED. |
| Globally advertising VNC Services | Desktop Engineering | DSS to follow the VNC Port 5900 & Apple Remote Management Services (ARMS) Remediation Procedure. |
| Globally advertising RDP Services | Desktop Engineering | DSS to follow the RDP Remediation Procedure. |
| Compromised Host Notification (AMP EVENT: Quarantine Failure) | Desktop Engineering | DSS to re-scan the machine for malware. Worst case scenario: re-image the machine. |
| Vulnerable Device Notification (weak password or WannaCry) | Desktop Engineering | DSS to follow the Vulnerable Device Notification Remediation Procedure. |
| System Vulnerable to Participating in UDP Amplification Attacks (mDNS) | Desktop Engineering | DSS to clear the ISO filter and review PF (packet filter) status in Jamf. |
| Compromised system with possible keylogger | Desktop Engineering | DSS to re-image the system. |
| Compromised EID Password | Desktop Engineering | None; if the customer asks, direct them to change their EID password with ITS. |
| SSN Remediation (Sensitive Information Potentially At Risk on Austin Disk) | Desktop Engineering | DE to reach out to the local TSC/contact. |
| DMCA Notice Served / Information Request | Desktop Engineering | DE to identify the end user's EID if possible and reply to the DMCA-Agent; no other actions. |
| NOTICE: SSH on Public Networks | Systems | |
| UT/ISO: Verified SSLv3 Vulnerability | Systems | |
| UT/ISO: Exploited Open X Server Notification | Systems | |

WARNING: All Information Below is Still Under Review.


Security and Abuse Notification and Remediation Policy

1. Faculty/Staff System/Printer Vulnerability or System Breach

DE responsible for evaluation/notification; DOCs responsible for remediation

  • UT/ISO: System Globally Advertising VNC Services (How to remediate VNC)
  • UT/ISO: System Globally Advertising RDP Services (How to remediate RDP)
  • UT/Security: Compromised Host Notification
  • Compromised system with possible keylogger ← this should be handled by DE for remediation
Type: UT/ISO: Vulnerable Device Notification
Responsible: Desktop Support Team
Accountable: Desktop Engineer On Call (Initial ServiceNow Incident Creation)
Consulted: Desktop Engineering Team, Information Security Office
Informed: Desktop Engineering Team
  1. The Desktop Engineering Team, James Lewis will receive a quarantine notification from the Information Security Office via direct email.
  2. The Desktop Engineer On Call will search for previous tickets for the device by MAC or IP Address in Service Now. If located
  3. The Desktop Engineering Team will create a ServiceNow incident assigned to the appropriate DOC for remediation, with the affected user set as the Requested For (if able to identify) and set as moderate impact (3) / high urgency (2) [priority 3].  This incident is expected to be created within one hour of notification from the ISO, during normal business hours.
  4. A Desktop Support Specialist will take ownership of the ticket and reach out to the affected user to ensure the system is cleaned and patched, reimaged, or reconfigured to meet the required minimum standards.
    1. How to remediate VNC
    2. How to remediate RDP
  5. If the Desktop Support Specialist is unable to resolve the issue within the DOC, the Desktop Engineering Team may be consulted for assistance. 
  6. Once the system has been remediated, the Desktop Support Specialist will reply to the ServiceNow incident with information detailing the steps taken for remediation which may include information on how the system was compromised, how the vulnerability was addressed, or other relevant information. The Desktop Support Specialist will clear the network quarantine in TSC Tools.

2. Student Employee (or Affiliated User) System Vulnerability or Breach

DE responsible for evaluation/notification; DOCs responsible for remediation

  • UT/ISO: System Globally Advertising VNC Services
  • UT/ISO: System Globally Advertising RDP Services
  • UT/Security: Compromised Host Notification
Type: UT/ISO: Vulnerable Device Notification
Responsible: Desktop Support Team
Accountable: Desktop Engineer On Call (Initial ServiceNow Incident Creation)
Consulted: Desktop Engineering Team, Information Security Office
Informed: Desktop Engineering Team
  1. The Desktop Engineering Team, James Lewis will receive a quarantine notification from the Information Security Office via direct email.
  2. The Desktop Engineering Team will create a ServiceNow incident assigned to the appropriate DOC for remediation, with the affected user set as the Requested For (if able to identify) and set as moderate impact (3) / high urgency (2) [priority 3].  This incident must be created within one hour of notification from the ISO, during normal business hours.
  3. A Desktop Support Specialist will take ownership of the ticket and reach out again to the affected party to determine if the system is owned by the University.
    1. If the system is owned by the University, go to Step #3 of the “Faculty and Staff System Vulnerability or Compromise” section and continue with that checklist.
    2. If the system is not owned by the University but is used for University business:
      1. The affected user will be required to identify if any Confidential data is present on the system.
      2. The affected user must remediate the issue identified by the Information Security Office before the quarantine can be cleared.  If the system contains Confidential data, a summary of the data must be provided in the ticket.
      3. The affected user should be directed to the ITS Help Desk or Campus Computer Store for assistance with remediation if needed, as LAITS cannot assist with personal devices.
    3. If the system is not owned by the University and is not used for University business:
      1. The affected user must remediate the issue identified by the Information Security Office before the quarantine can be cleared.
      2. The affected user should be directed to use the utexas WiFi network for non-University business.
      3. The affected user should be directed to the ITS Help Desk or Campus Computer Store for assistance with remediation if needed, as LAITS cannot assist with personal devices.
  4. Once the system has been remediated, the Desktop Support Specialist will reply to the incident with information detailing the steps taken for remediation which may include information on how the system was compromised, how the vulnerability was addressed, the system owner's relationship with the University and any other relevant information.
  5. Once the system has been remediated, the Desktop Support Specialist will reply to the ServiceNow incident with information detailing the steps taken for remediation which may include information on how the system was compromised, how the vulnerability was addressed, or other relevant information. The Desktop Support Specialist will also clear the network quarantine (if any) in TSC Tools.

3. Server Vulnerability

System responsible for evaluation/notification; Systems responsible for remediation (if applicable)

  • NOTICE: SSH on Public Networks
  • UT/ISO: Verified SSLv3 Vulnerability
  • UT/ISO: Exploited Open X Server Notification
Responsible: Systems Administration Team, System or Service Owner
Accountable: Desktop Engineer On Call
Informed: Systems Administration Team, Desktop Engineering Team, Mark LaForest, James Lewis
Consulted: Systems Administration Team, Information Security Office


  1. The Desktop Engineering Team, James Lewis will receive a quarantine notification from the Information Security Office via direct email.
  2. The Desktop Engineer On Call will create a ServiceNow incident assigned to the appropriate Systems Administration team for remediation and set as moderate impact (3) / high urgency (2) [priority 3].  This incident must be created within one hour of notification from the ISO, during normal business hours.
  3. The Primary System Administrator is responsible for coordinating the remediation of the vulnerability with the Service/Application Owner.
    1. If the ISO has scheduled a quarantine for a future date, the Primary System Administrator is responsible for ensuring that the issue is remediated before the quarantine becomes active. 
      1. If a temporary extension is required in order to implement the changes or an exception is required due to an inability to fully remediate the system, contact the Desktop Engineer On Call for assistance with requesting an extension from the ISO.
  4. After the vulnerability has been remediated or an exception has been granted by the ISO, the Primary System Administrator will reply to the ServiceNow incident with a summary of the steps taken for remediation.
  5. After the Desktop Engineer On Call receives this reply, the incident will be reviewed, verified to be resolved, and the network quarantine (if any) cleared in TSC Tools.
  6. If an exception was granted by the ISO, the exception email will be converted to a PDF and uploaded to the ATS-Desktop Engineering > ISO Security Exceptions Box folder - DO WE STILL WANT TO DO THIS?

4. Server Breach

System responsible for evaluation/notification; Systems responsible for remediation (if applicable)

  • NOTICE: SSH on Public Networks
  • UT/ISO: Verified SSLv3 Vulnerability
  • UT/ISO: Exploited Open X Server Notification
Responsible: Systems Administration Team, System or Service Owner
Accountable: Desktop Engineer On Call
Informed: Systems Administration Team, Desktop Engineering Team, Mark LaForest, James Lewis
Consulted: Systems Administration Team, Information Security Office
  1. The Desktop Engineering Team, James Lewis will receive a quarantine notification from the Information Security Office via direct email or a compromised system will be discovered by a Systems Administrator.
    1. If there are a large number of notifications for multiple systems, the Systems Administration team will immediately escalate the issue to their team Manager.  The Systems Administration Team will begin to triage the situation as necessary.
  2. The Desktop Engineer On Call will create a ServiceNow incident assigned to the appropriate team for remediation and set as significant impact (2) / critical urgency (1) [priority 2]. This incident must be created within 30 minutes of notification from the ISO or detection by a Systems Administrator, during normal business hours.
    1. If the Primary or Secondary System Administrator is not available, the ticket must be assigned to the team manager.
  3. The incident owners will stop any ongoing work and immediately assess the server and consult with the Desktop Engineer On Call and Team Manager to determine the best course of action for remediation.
    1. If more information is required to assess the compromise, the Information Security Office can be asked to provide detailed evidence of the compromise.
  4. If a network quarantine is scheduled or a decision is made to take services offline, the incident owners or designee will send a generic Outage notice to the Desktop Support Staff list as well as any affected users.  DO NOT mention a security issue in the outage notice.  The Customer Service Manager must be consulted before notifying customers of a server security issue.
  5. The incident owners or Systems Administration Team are responsible for identifying the source of the compromise, the extent of damage done to the server, whether root- or Administrator-level access was obtained, whether Confidential data was compromised, whether other systems are affected, the steps for remediation, and action items to prevent further compromises.
    1. Since timestamps are critical for an investigation, no changes should be made to files, directories, or running processes until timestamps and process information are preserved and a remediation plan is in place.  Critical issues that require immediate action (e.g., Cryptolocker actively encrypting a file share) may necessitate intervention before the information is preserved.  Use your best judgment. The incident owners or Systems Administration Team will determine if the compromise can be cleaned in place or if a restore from backups is required.  If root- or Administrator-level access was obtained, the server OS must be wiped and reinstalled.  No exceptions unless authorized by the team manager.  Exceptions are listed at https://utexas.app.box.com/files/0/f/3874356475/ISO_Security_Exceptions   - STILL VALID?
  6. Once a remediation plan has been approved by the Team Manager and Desktop Engineer On Call, the incident owners or Systems Administration Team will perform the planned actions on the server.
  7. After the compromise has been remediated, the Desktop Engineer On Call is responsible for verifying the compromise has been fully removed.
  8. Once the Desktop Engineer On Call has approved the server to return to service, approval will be noted in the ServiceNow ticket and the Network Quarantine will be cleared by the Desktop Engineer On Call.
  9. The incident owners will ensure services have been started on the server.
  10. The incident owners or designee will send an Outage – Restored notice to the LAITS Desktop Support Staff list and any affected users.  DO NOT mention a security issue in this notice.
  11. The incident owners will update the ServiceNow incident with a summary of the actions taken.
  12. After the incident has been resolved, the System Owner will create a write-up (root-cause analysis) of the incident and send it to the Team Manager and Customer Service Manager for review and possible forwarding to the customer.
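Step 5.1 requires timestamps and process information to be preserved before anything on the server is changed. The script below is an added example of a minimal preservation pass, not part of this procedure or LAITS tooling; it assumes a Linux server with GNU coreutils and findutils, and the evidence directory and file roots are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the LAITS procedure: preserve timestamps and
# process/socket state of a suspected-compromised server before any cleanup.
# Assumes Linux with GNU coreutils (stat -c, sha256sum) and findutils; ps and
# ss/netstat are used only when present. Paths below are hypothetical.
set -u

# Snapshot volatile state (process table, listening sockets) into $1.
# Run this first: once processes are killed this information is gone.
preserve_volatile_state() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    if command -v ps >/dev/null 2>&1; then
        ps -eo pid,ppid,user,lstart,etime,args > "$outdir/processes.txt" 2>/dev/null
    fi
    if command -v ss >/dev/null 2>&1; then
        ss -tulpn > "$outdir/sockets.txt" 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tulpn > "$outdir/sockets.txt" 2>/dev/null
    fi
}

# Record atime/mtime/ctime, type, size and owner of everything under the roots
# given as $2... into $1/timestamps.txt. stat reads inode metadata only, so
# contents and mtimes stay untouched (directory atimes can still change on
# strictatime mounts; a disk image is the only fully passive option).
# Prints the number of records written.
preserve_timestamps() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    : > "$outdir/timestamps.txt"
    for root in "$@"; do
        find "$root" -print0 2>/dev/null |
            xargs -0 stat -c '%n|type=%F|size=%s|owner=%U|atime=%x|mtime=%y|ctime=%z' \
            >> "$outdir/timestamps.txt" 2>/dev/null
    done
    wc -l < "$outdir/timestamps.txt" | tr -d ' '
}

# Hash the evidence files so later tampering with the record is detectable.
seal_evidence() {
    outdir=$1
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum ./*.txt) > "$outdir/MANIFEST.sha256"
    else
        (cd "$outdir" && shasum -a 256 ./*.txt) > "$outdir/MANIFEST.sha256"
    fi
    [ -s "$outdir/MANIFEST.sha256" ]
}

# Succeeds (0) only if nothing under $2 has an mtime newer than the snapshot
# in $1, i.e. the recorded timestamps still match the live file system.
verify_unchanged() {
    ref="$1/timestamps.txt"
    [ -f "$ref" ] || return 2
    changed=$(find "$2" -newer "$ref" 2>/dev/null | wc -l | tr -d ' ')
    [ "$changed" -eq 0 ]
}

# Direct use: ./preserve.sh --run /var/evidence/INC_PLACEHOLDER /srv /etc
if [ "${1:-}" = "--run" ]; then
    evidence=$2; shift 2
    preserve_volatile_state "$evidence"
    preserve_timestamps "$evidence" "$@"
    seal_evidence "$evidence"
fi
```

Run it as root, writing the evidence directory to a volume that is not on the compromised file system, and attach MANIFEST.sha256 to the ServiceNow incident so the record can be verified later.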

6. DMCA Notice

DE responsible for evaluation/notification/identification; only resolution is identification of end user

  • UT/Abuse: DMCA Notice Served / Information Request
Responsible: DOC Team, Desktop Engineering Team
Accountable: Desktop Engineer On Call
Informed: Desktop Engineering Team, James Lewis, Systems Administration Team (if server related)
Consulted: Desktop Engineering Team, Systems Administration Team, Information Security Office
  1. The Desktop Engineering Team, James Lewis will receive a DMCA notification from the Information Security Office via direct email.
  2. The Desktop Engineer On Call will investigate and determine the responsible party
    1. If the DMCA Notice identifies content located on a server, the Desktop Engineer On Call will coordinate with the Systems Administration Team to disable access to the reported content
    2. If the DMCA Notice identifies content on a user's computer, the Desktop Engineer On Call will identify the affected user, create a ServiceNow incident assigned to the appropriate DOC for remediation, with the affected user set as the Requested For (if able to identify) and set as moderate impact (3) / high urgency (2) [priority 3]. This incident must be created within one hour of notification from the ISO, during normal business hours.
  3. A Desktop Support Specialist will take ownership of the ticket and reach out again to the affected user to ensure the content is either removed from the system or more information is provided to deliver back to ISO. Additional information should be documented in the ServiceNow incident.
  4. If more information is provided, the Desktop Engineer On Call will forward that to the ISO.
  5. The Desktop Engineer On Call will provide the responsible user’s EID to the Information Security Office.

7. Compromised EID

DE responsible for evaluation/notification; DOC responsible for remediation (expected behaviour is to reach out to faculty member, direct them to the Service Desk, follow through on any concerns)

  • UT/ABUSE: Compromised EID Password
Responsible: DOC Team
Accountable: Desktop Engineer On Call
Informed: Desktop Engineering Team, James Lewis, Parker Boyes
Consulted: Desktop Engineering Team, Systems Administration Team, Information Security Office
  1. The Desktop Engineering Team, James Lewis will receive a Compromised EID Password notification from the Information Security Office via direct email.  
    1. As there are many ways an EID password can be compromised, there is no action required by LAITS.  The affected user will have received the same notification and must contact the ITS Help Desk for assistance as LAITS does not have access to reset EID passwords.
  2. If a customer contacts LAITS regarding their compromised EID, the Desktop Support Specialist may offer to perform a scan of the affected user’s UT-owned systems.  If any of the user’s systems have been compromised, the Desktop Support Specialist will create a ServiceNow incident addressed to the user and assigned to the Desktop Support Specialist, following the "Faculty and Staff System Vulnerability or Compromise" checklist.

8. SSN Remediation

DE responsible for evaluation/notification; direct the incident to the responsible end user and follow up on the remediation request

  • ALERT: Sensitive Information Potentially At Risk on Austin Disk
Responsible: Desktop Engineer On Call
Accountable: Desktop Engineer On Call
Informed: Desktop Engineering Team, James Lewis, Parker Boyes
Consulted: Desktop Engineering Team, Department SSN Contact, Austin Disk Team, Information Security Office


  1. The Desktop Engineering Team, James Lewis receive bulk SSN remediation notifications from the Information Security Office via direct email.  These notifications refer to files located on Austin Disk shares.  There is no requirement that these files be removed from Austin Disk.  The Data Owner is ultimately responsible for the files stored on Austin Disk.
  2. When bulk notifications arrive, the Desktop Engineer On Call will collate the notifications and create a spreadsheet based on UT Department Codes. The spreadsheet must contain the ISO ticket ID, file path, share name, last modified date, number of SSNs, and the list of users/groups with access to the file.
  3. The spreadsheet will be sent to the SSN Remediation Contact as displayed in OHS per department.  The report should recommend that the CSU review the files, ensure that permissions are correctly set, mark valid files for whitelisting, and remove any unnecessary or old files from Austin Disk.  No action by the CSU is required.

9. All other security incidents or inquiries

Contact the Desktop Engineering Team for assistance.