Procedure in the event of a security incident
- Disconnect the computer from the network as soon as possible. Do not log in remotely or as administrator!
- Notify the IV security officer (see list of IV security officers [de]).
- If the problem cannot be corrected or the IVV is not available: notify WWU-CERT (see below).
- If there is a major incident that may affect the whole WWU, report it to the IVV-Admin-Mailinglist with the word "alert" in the e-mail subject.
- Clarify the cause of the incident.
- Change all passwords of the affected persons.
- Identify other possibly infected computers.
- Provide infected computers with a new operating system image. Reliable clean-up is often not possible.
- If necessary, restore data.
- Depending on the severity of the incident: Closing meeting. What can be improved?
IT Security Incident Reporting
Please report any incident via email to email@example.com.
To report possible phishing or spam messages related to WWU the special address firstname.lastname@example.org can be used.
Incident reports should contain the following information to ensure fast investigation and remediation:
- Incident date and time (including time zone)
- Source IPs, ports and protocols (where applicable)
- Destination IPs, ports and protocols (where applicable)
- Incident description and further details
Preferably, the report should also include related log files in a common format, e.g. Syslog or Common Event Format (CEF). When forwarding suspicious email messages, e.g. spam or phishing, please make sure to forward them as attachments so that all email headers are included.
When reporting discovered vulnerabilities, we ask that common responsible disclosure guidelines be followed:
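Forwarding as an attachment, as described above, means wrapping the original message as a message/rfc822 part so that its Received and Authentication-Results headers reach the analyst intact. The following sketch is an added example, not WWU-CERT tooling; the sample message, the reporter address and the function names are constructed for illustration, and email@example.com is the reporting address as it appears on this page.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: raw bytes of a suspicious message as it was received.
RAW_SUSPICIOUS = (
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.university.example; Mon, 01 Jan 2024 09:15:00 +0100\r\n"
    b"Authentication-Results: mx.university.example; spf=fail\r\n"
    b"From: \"IT Support\" <support@sender.example>\r\n"
    b"Reply-To: collect@other.example\r\n"
    b"To: user@university.example\r\n"
    b"Subject: Your mailbox is full\r\n"
    b"Date: Mon, 01 Jan 2024 09:14:58 +0100\r\n"
    b"\r\n"
    b"Please confirm your password at the link below.\r\n"
)

def wrap_as_attachment(raw, reporter, report_to, description):
    """Build a report mail carrying the original message as message/rfc822."""
    original = message_from_bytes(raw, policy=policy.SMTP)
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Suspicious email: " + str(original["Subject"])
    report.set_content(description)
    # Passing a message object makes the attachment a message/rfc822 part,
    # so every header of the original travels with it.
    report.add_attachment(original)
    return report

def extract_original_headers(report_bytes):
    """Analyst side: recover the attached message's headers from the report."""
    report = message_from_bytes(report_bytes, policy=policy.SMTP)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the embedded original message
            return [(name, str(value)) for name, value in inner.items()]
    return []  # forwarded inline: the original headers are gone

if __name__ == "__main__":
    mail = wrap_as_attachment(RAW_SUSPICIOUS, "reporter@university.example",
                              "email@example.com",
                              "Received 2024-01-01 09:15 +0100, not clicked.")
    for name, value in extract_original_headers(mail.as_bytes()):
        print(f"{name}: {value}")
```

A report forwarded inline instead carries only the reporter's own headers, so the relay path and the SPF result of the original are lost.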
- No abuse of said vulnerability
- End-to-end encryption when transmitting sensitive data
- No disclosure of the vulnerability to other parties until the problem is resolved
All reports will be treated confidentially.
Emails containing sensitive data should be (end-to-end) encrypted with one of the following methods:
Inquiries via phone can only be answered to legitimate persons within the University of Münster. Please contact the responsible CERT members or the Hotline (Tel. 31900). When inquiring via email, please use your university's email address and mention, if available, the WWU-CERT case number. The WWU-CERT's hours of operation are generally restricted to regular business hours (Mon-Fri 08:00-17:00, except holidays).