Possible Compromised Account Procedures

When UAH receives a notification of a possible or definite compromised account, the following procedures should be followed.

Note: If at any time you are unsure what to do, please contact the CISO or OIT Cyber Department.

Notifications fall into two tiers that Cyber refers to as "yellow" and "red".

Yellow Notifications

Yellow notifications are indications of possible compromise but are not a confirmation that a UAH account has been compromised.

Examples of Yellow tier notifications include but are not limited to:

  • Login locations/times that the user cannot explain
  • Password reset notifications that the user cannot explain
  • Notification from a 3rd party about a breach of a non-UAH account with a UAH email (not a UAH account but an account set up using a UAH email as an identifier)
  • Email from a 3rd party company notifying us of a possible breach of a UAH user account on their systems.
  • Increased spam being sent from a UAH account
  • Unknown applications installed or configurations changed
  • Unexplained series of failed login attempts

In the event of a Yellow tier notification, the following actions should be taken:

Category of the Account          Action(s) to be taken
Faculty, Staff, Contractor,      Reach out to the user/owner of the account and request a password change.
Entity                           If the password is not changed in 48 hours, force the change using OIT Portal and notify the user.
Student                          Contact the student and request a password change.

Red Notifications

Red notifications are indications that a UAH account is likely to have been compromised, or has a real chance of having been compromised.

Examples of Red tier notifications include but are not limited to:

  • Unauthorized account usage or changes
  • Unexplained student/employee record changes (mailing address, etc.). Note: this will kick off a larger investigation, as we have reporting requirements if student personal data is confirmed compromised.
  • Emails the user confirms they did not send
  • Attempted unauthorized escalation of account privileges
  • Creating unauthorized accounts
  • New devices in Duo that do not belong to the user
  • Notification from the user that they disclosed their password by clicking on a phishing link or responding to a phishing text or email
  • Stolen hardware token such as a Duo token or Yubikey
  • Stolen phone
  • Notification from internal tools such as Active Directory or Crowdstrike
  • Directive from UAH executive management, the HR Department, Office of Counsel, Chief Information Officer or Chief Information Security Officer
  • Notification from a 3rd party that the UAH account is confirmed to be compromised.  Examples include Google leaked password notifications and Have I Been Pwned notifications about the UAH account specifically
  • MFA Fatigue or Duo Push Harassment notification from the user

In the event of a red-tier notification confirming a compromised account, take the following actions:

Category of the Account   Action(s) to be taken
ANY                       OIT should immediately change the account password using the OIT Portal.
                          Reach out to the user/owner of the account, positively confirm their identity and notify them of the actions taken.

Notify the IT-SIRT at IT-SIRT@uah.edu of the issue and current status. The CISO or their designee may conduct a thorough investigation.

After changing the password:

  • Examine the user's Duo account to make sure no new devices have been added without their knowledge.
  • Examine the user's Google account to ensure no unauthorized devices or email forwards have been set up.

Details

Article ID: 170592
Created: Tue 1/27/26 3:17 PM
Modified: Thu 2/19/26 11:32 AM