Types of Incidents and Level of Support

UniMS-CERT is authorized to address all types of IT security incidents or issues that occur, or threaten to occur, in relation to the University of Münster.

The level of support given by UniMS-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, the affected systems and UniMS-CERT's available resources at the time. Resources will be assigned according to the following priorities, listed in decreasing order:

  • Threats to the physical safety of human beings.
  • Root or system-level attacks on any central IT-management system or any part of the backbone network infrastructure.
  • Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
  • Compromise of restricted confidential service accounts or software installations, e.g. accounts or systems used for central administration.
  • Denial of service attacks on any of the above three items.
  • Any of the above, originating from University of Münster and concerning foreign systems.
  • Large-scale attacks of any kind, e.g. sniffing attacks, social engineering attacks, password cracking attacks.
  • Threats, harassment, and other criminal offenses involving individual user accounts.
  • Compromise of individual user accounts on multi-user systems.
  • Compromise of desktop systems.
  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. copyright infringements or e-mail forgery.
  • Denial of service on individual user accounts, e.g. mailbombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent. The classification of incidents is loosely adapted from the Trusted Introducer (TI) Incident Classification.

Incident response distinguishes between on-site systems and off-site systems:

  • Intranet: As soon as UniMS-CERT receives an indication of an incident involving an employee computer, it attempts to contact the technically responsible person by telephone in order to coordinate the necessary measures with that person, including, if necessary, shutting down the computer. If no responsible person can be reached, the computer is disconnected at the network level, and the technically responsible person as well as the responsible IT support unit (IVV) are notified by e-mail with information about the incident and the measures to be taken.

  • Remote access: In the case of incidents in the remote access area (VPN, WiFi, etc.), any active connection is terminated immediately and a dial-in block is put in place until the issue is resolved. Other functions such as e-mail, exam registration or the use of university computers are not affected by the block. An e-mail will also be sent with exact information about the nature of the incident and the measures required to lift the remote access block.

In general, no direct support will be given to end users. They are expected to contact the responsible system administrator or the IT security officer (IV-SB) of their IT support unit (IVV), the IT user support or their department head for assistance. UniMS-CERT will support the latter group of people.

While UniMS-CERT understands that there exists great variation in the level of system administrator expertise, and while the team will endeavor to present information and assistance at a level appropriate to each person, UniMS-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases UniMS-CERT will provide pointers to the information needed to implement appropriate measures. System administrators should contact the IT security officer (IV-SB) of their department for further support.

UniMS-CERT is committed to keeping the IT security officers (IV-SB) and the group of system administrators informed about potential vulnerabilities, and where possible, will inform this community via the internal mailing list iv-sicherheit@uni-muenster.de of such vulnerabilities before they are actively exploited.