Overview
This guide is for the user or owner of a OU computer which has been involved in a cyber incident (for example, a malware infection or unauthorized access).
First Response Checklist
As you work through the following steps, record your observations and actions, and what time they occurred.
- Disconnect the device from the network if it is not a critical service.
- If it has a wired connection, unplug the network cable.
- For wireless devices, turn off the wireless adaptor if that's possible, or disconnect from the wireless network.
- Preserve state. If at all possible, don't touch anything else.
- Do not log off or power down the device.
- Do not use the computer; use a different computer until you hear from IT Security.
- Do not log into a compromised device for any reason.
- Do not try to conduct your own investigation.
- Preserve evidence.
- If you have logs in a central location, save them immediately.
- Do not log into a compromised device to retrieve logs.
- Report security incident at https://ou.edu/ouit/cybersecurityincident. In the description of the incident, include the following details:
- How was the incident discovered and when?
- What programs were open?
- What where you doing immediately before the incident?
- Which network was the user connected to when the incident transpired?
- Did you notice anything else that may be important or unusual?
- Provide a detailed list of who did what and when:
- Did you fail over a server?
- Did you reset a password or disable an account?
- Did you power off or log into or out of a computer?
- What time did any of those actions occur?
- What time were logs saved, and from where?
- Was a device used to access confidential data involved in this incident?
- Are there indications that confidential data was accessed?