
Report an Incident

To report a security breach or other security incident send an email to Security@osu.edu

Blocking/Unblocking Questions


Why do you block access to computers when they've been compromised?

Because we have found that, in general, it is the best way to ensure that they won't cause further problems to the rest of the OSU community and it is the best way to prevent further damage from being done to compromised computers.

Computers that have been compromised constitute a threat to the rest of the computers at OSU, both directly and indirectly. We have had many cases where a small number of compromised computers were involved in activities that caused significant performance degradation for others at the University, or even total network outages. We have also had cases where reprisals against compromised computers resulted in outside parties denying large parts of OSU access to their resources. In one memorable incident, one third of the University lost access to most of the Air Force for about a month due to scanning activity from a single OSU workstation (this was before we started blocking access to compromised computers :-) ).

Although intruders often refrain from doing heavy damage to the computers that they compromise, they sometimes do delete or modify data on the computer, and they almost always replace, modify or install software and change the configuration of the system to hide their tracks. It is better to block access to the computer before they have a chance to do significant damage (delete files, copy or modify sensitive information, etc.)


How do I request that the block be removed?

You need to resolve the problem that caused us to block the computer. This may mean running a virus scan (after updating your anti-virus definitions) and cleaning up anything that the scan reveals, but in many cases the only way to effectively clean up is to make a backup, reformat the drive, and reinstall everything. This is generally only necessary if you either can't disinfect whatever the computer is infected with or if you can't identify it.

Once the computer is "clean", send email to security@osu.edu with the IP address of the computer that you'd like to have unblocked, the incident number, and a description of what you found on the computer and what you did to clean it up. Failure to be specific about what you found and what was done to fix it may result in further delays before the computer is unblocked.

You can request that several computers be unblocked in one message.


Why wasn't I notified when my computer was blocked?

There are several possibilities. We notify the contacts listed in the address range database that the network engineering group maintains. This includes the DNA (Department Network Administrator), the secondary DNA (if listed) and any additional email contacts that are listed. It's possible that you are supposed to be listed as one of the contacts for the address range in question, but you aren't in the database for some reason. If you are a DNA, you can request updates by sending email to hostmaster@osu.edu.

If you are not a DNA, you wouldn't have received email directly, but the contacts for your address range would have been notified about the security issue and the block, and they should have passed the information on to you.


Isn't this a little harsh?

We don't think so.

See our answer to "Why do you block access to computers when they've been compromised?"

Look at it this way... In the overwhelming majority of the cases, when a computer is compromised it is because basic security precautions that should have been in place failed: a security related patch wasn't installed, the system wasn't running anti-virus software or it wasn't up to date or wasn't configured to scan in real-time, an account had a weak (or missing!) password, unneeded network services weren't disabled, there was no firewall (or it was configured poorly), or someone did something dangerous like executed an email attachment or a file downloaded from a peer-to-peer file sharing network.

Blocking access to and from compromised computers is the last line of defense. It's what we do when all of the other security mechanisms have failed (or were missing in the first place).

Some of the computers at OSU perform critical functions or hold extremely sensitive data. Taking such a computer out of service by blocking it may seem counter-productive, but it is preferable to do this and carefully examine the computer before putting it back into service than it is to leave it vulnerable to further attack and abuse, possibly for a prolonged period of time.


Is there a difference between a block and a warning message?

CIO Security does differentiate between a BLOCK and a WARNING. BLOCKS prevent Internet access from an IP address, while WARNINGS indicate that a problem has been detected but Internet connectivity continues to be permitted. When a WARNING is issued device functionality is not impaired. However, the warning is serious, so the machine should still be located (and probably rebuilt).

If a warning goes unheeded, we do reserve the right to block the host, particularly if it is causing excessive network traffic or other problems. If we had actually blocked the machine, the subject line of the notification e-mail would have been: OSU-IRT has BLOCKED host nnn.nnn.nnn.nnn OSU-IRT#2008-04-24-yyy.

We refrain from blocking servers that organizations deem mission critical - instead we issue warnings when there are problems. To facilitate this arrangement, we operate a DO NOT BLOCK list.
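As an added illustration (not part of the original FAQ or any OSU tool), the following Python shows how a DNA could triage these notifications automatically: it recognises only the BLOCKED subject form quoted above, so warnings and unrelated mail never enter the unblock workflow, and it builds an unblock request that carries the IP address, incident number and mandatory description the FAQ asks for. The incident-number suffix is assumed to be alphanumeric, and the 192.0.2.x addresses in the test are constructed examples.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern follows the BLOCKED subject quoted in the FAQ:
#   OSU-IRT has BLOCKED host nnn.nnn.nnn.nnn OSU-IRT#2008-04-24-yyy
# The "yyy" suffix is assumed to be alphanumeric (an assumption, not from the page).
BLOCK_SUBJECT = re.compile(
    r"^OSU-IRT has BLOCKED host (?P<host>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<incident>OSU-IRT#\d{4}-\d{2}-\d{2}-\w+)$"
)


@dataclass
class BlockNotice:
    host: str       # blocked IPv4 address
    incident: str   # incident number to quote back in the unblock request


def parse_block_notice(subject: str) -> Optional[BlockNotice]:
    """Return host and incident number from a BLOCK notification subject.

    Anything that does not match the BLOCKED form (a WARNING, or unrelated
    mail) yields None, so only real blocks reach the unblock workflow.
    """
    m = BLOCK_SUBJECT.match(subject.strip())
    if not m:
        return None
    try:
        host = str(ipaddress.IPv4Address(m.group("host")))  # rejects e.g. 999.0.2.10
    except ipaddress.AddressValueError:
        return None
    return BlockNotice(host, m.group("incident"))


def unblock_request(notices: List[BlockNotice], findings: str, cleanup: str) -> str:
    """Build the body of the unblock request the FAQ asks for.

    Several hosts may be listed in one message; the description of what was
    found and what was done is mandatory, since a vague request delays removal.
    """
    if not notices:
        raise ValueError("no blocked hosts to request unblocking for")
    if not findings.strip() or not cleanup.strip():
        raise ValueError("state what was found and what was done to clean it up")
    lines = ["Please unblock the following host(s):"]
    lines += [f"  {n.host}  ({n.incident})" for n in notices]
    lines += ["", f"Found: {findings.strip()}", f"Cleanup: {cleanup.strip()}"]
    return "\n".join(lines)
```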