Procedures for Reporting Security Incidents
Reporting security incidents is mandated by Policy 5.4.2, Reporting Electronic Security Incidents.
Incidents can be reported to the IT Security Office (ITSO) by sending e-mail to security@cornell.edu. This message will be triaged by personnel in the Network Operations Center (NOC), who will either forward it to the security group or, if merited, contact the on-call security engineer. If you urgently require assistance, please phone the NOC at 607-255-9900.
(Please note that the web form for reporting electronic security incidents is no longer available.)
If you have been notified that one of your hosts has been compromised or you have any other reason to believe that you have a compromised system, you are expected to do the following:
Contain the compromised system(s)
- The ITSO may restrict the system(s) network access as described here.
- Ideally, the affected system(s) should be removed from the network, most easily done by pulling the network cable of the system.
- If due to critical university business needs you cannot remove the system completely from the network, it should be isolated as much as possible. You should work with CIT Network Operations or the IT Security Office to restrict access to the system to the local subnet or in such a way that university business can be performed while still protecting other areas of campus and the data held on the system.
Contact your Security Liaison
- The major campus units each have someone who has been appointed their Security Liaison. This person is charged, among other things, with ensuring appropriate measures are taken in response to a security incident.
- If you don't have a Security Liaison, you should contact whomever leads IT support in your area to ensure that local guidelines are followed.
Communicate with the IT Security Office
- If you have not done so already, you should report the incident to the IT Security Office. Your report should include the following information:
  - The nature of the incident to the best of your knowledge. If a system or application was compromised, how was that done? When did the incident occur, and when was it discovered? How was the incident discovered?
  - What is the scope of the incident? How many systems are affected? How many users have been affected?
  - Was there any sensitive data resident on the affected systems? Sensitive data includes student, personnel, financial and health care records, or personal information like Social Security Numbers, credit card numbers, and driver's license numbers. If there is any possibility of the compromised system holding sensitive data, please take no action other than isolating the system until you have conferred with ITSO.
Coordinate additional response with the ITSO
- Depending on the nature of the incident, it may be necessary for the IT Security Office to perform analysis on the affected systems. Local support providers may be asked to participate in this analysis. This could include assistance with the creation of disk images of the affected resources, confirmation of system configuration and activity, and validation of any remediation tasks.
Recovering from a system compromise
- If the compromised system may hold sensitive data, do not attempt any system remediation, including a virus scan or Spider scan, without explicit clearance from ITSO.
- All passwords used on the affected system(s) should be changed. Note that for user systems this includes the user's NetID password. Many malware packages have the capability to either steal or crack passwords used on the system they are attacking. The assumption should always be made that any passwords used on a compromised system were themselves compromised.
- The decision to wipe and rebuild a compromised system or attempt to fix it is a complicated one. For system compromises that involve a known, removable agent, such as a specific virus, remediation using automated tools and/or published instructions may be sufficient. For compromises that involve multiple or unknown agents, the only way to ensure the system is properly cleaned is to wipe the hard drive of the system and reinstall its operating system, software, and user data (from backups).
- In either case, you should attempt to verify that the system has been cleaned by requesting a check from the IT Security Office.
