Versions Compared

Version Old Version 21 New Version Current
Changes made by

ajmankey

lawsonsc

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This script is intended for use in one of three scenarios,

  1. User has called in "I can't log in" or "My password doesn't work" or "My account got scrambled," etc  & you find a STEAM-CIRT on their account.
  2. User calls in "My account got hacked," or "My account is sending out spam, etc. If you can find a STEAM-CIRT for their account, proceed with that one. If not, scramble the account, create a new ticket, and proceed
  3. You've received a ticket, have called out to contact the compromised user, and have reached them

NOTE: This is the STEAM-CIRT process that I use, it's what works best for me. I go this route to avoid syncing delays, or different steps that users have trouble with that can be speed bumps.  Maybe something different will work better for you? It's just a starting point.

6/30/22: Updating now that MFA is enforced by default


Panel
borderColorgreen
titleColorgreen
borderWidth2
titleBGColorpalegreen
borderStylesolid
titleSTEAM-CIRT Call Script (REPS)

CSC STUDENT REPRESENTATIVES, this is the 'Call Script' that you should be using whenever you are resolving a STEAM-CIRT ticket by phone. 

NOTE: Once you're up to speed on this process, you do not have to have this script up on screen every time you're doing it, however, YOU ARE RESPONSIBLE for making sure that EVERY critical step in this process is completed prior to the resolution of the STEAM-CIRT ticket.

1) Verify Identity via PPS

2) Complete the STEAM-CIRT Qualtrics Survey

NOTE: To save time on the next step, you may want to generate the Setup Password in the background while going through the Qualtrics survey with the user.

  • On your own computer, open the the Qualtrics STEAM CIRT survey
    NOTE: The link to the survey can also be found in the tech notes of the STEAM-CIRT
  • Complete the survey, by reading off the questions to the user, and recording their answers.
Set Temporary Password via Active Directory

3) Set a new Career Account Password via Account Setup Reset Tool

NOTE: You can instead use the AccountSetupReset tool to have them set a password here, but you may way up waiting up to half an hour for it to sync to O365

NOTE: To save time, I do this you may want to generate the Setup Password in the background after PPS, while going through the Qualtrics survey with the user.

Specs can use AD to set a randomized temporary password
NOTE:I go this route of tempPW then PW to avoid sync delays, and some speedbumps. Do what works best for you.

.

Reps will need to use AccountSetupReset tool instead

  • Direct the user to purdue.edu/accountsetup
  • Have them fill in the first two blanks, PUID & Date of Birth
    NOTE: They must match the example formats on the right EXACTLY
  • Generate a new Career Account Setup Password via https://www.purdue.edu/apps/account/AccountSetupReset
  • The previous password has been compromised, it's critical that you emphasize that they discontinue using this password (or variations of it) for ANY account.
  • Once their information is in, they should be able to proceed to the next page and set a new Career Account Password
  • NOTE: The requirements listed on the webpage are out of date, current password requirements can be found here.
    NOTE: They only need this first page of the AccountSetup, they do not need to complete it
    • If they receive an error from this webpage:
      NOTE: NEARLY every error on this page is going to be misleading, or at least not helpful
      • Double-check that they were inputting all the information correctly, and have them try again
      • If it still fails, open an incognito window in your browser, try the inputs yourself, if it works... they didn't type something right, have them try again
        • If it still fails, contact the Specialist on Point,
        • If they are not available, post an @Specialist message in the #general Teams channel
        • If that also fails, start pinging individual Specialists, preferably NOT ones on a call
  • Have them leave the AccountSetupReset tool, and continue below with the new password
Set

4) Recover their Boilerkey

PIN#

via their Boilerkey Page

Set their Boilerkey PIN#

  • Direct the user to visit their Boilerkey page, www.purdue.edu/boilerkey
  • Have them click on the "Manage" button in the middle to get to the CAS login page
  • Supply them They should log in with the Temporary Password new password from above, they'll need to log in with either:
    • PW,push
    • PW,6-digit-passcode
    • If neither work, try PW,BYPASS and troubleshoot further
  • Direct them to set a new Boilerkey PIN# by clicking to click on "Set your BoilerKey PIN" next to the key icon, below the green square.
    NOTE: They CAN use the same PIN as before, but it's usually advised to change them periodicallySHOULD use a different PIN# than before.
  • Once the PIN# is set, they'll be dropped back on the Boilerkey homepage.

Test their Boilerkey

  • Have them click on "Test your BoilerKey" next to the key icon.
  • Have them test to make sure their Boilerkey is working normally again.
    NOTE: Especially due to COVID, it's important than ever that everyone knows how to log in via PIN#,6-digit-passcode

Enable Boilerkey Self-Recovery

  • Have the user click on "Boilerkey Self-Serve" under the black bar at the top of the page.
    NOTE: To avoid more CSC calls in the future, it's important to make sure everyone has activated the Boilerkey Self-Recovery-Tool, might as well do it while they're here.
  • Next to the ambulance icon, have them click "Enable BoilerKey Self-Recovery via text messaging"
  • They'll need to confirm their cellphone number via text message.

5) Secure their O365 Mailbox

NOTE: If you set a tempPW via AD, and 'stalled' a bit by demoing PIN#,CODE, and enabled SRT... USUALLY their tempPW has synced to O365 by nowHopefully by this point, their new password will have time to sync to O365... Otherwise, prepare to wait... syncing a PW to O365 via AccountSetupReset can take up to 30 minutes.

  • Direct the user to open a new tab, and navigate to the O365 portal, the direct URL input is portal.office.com
    NOTE: Do this on the O365 web portal via computer, do not do it via a mail client, app, or mobile device. It MUST be done on a non-mobile browser.
  • Have them log in via their username@purdue.edu
    NOTE: If they have a vanity email, their email and username will not match, needs to be their username, followed by @purdue.edu
  • For their password, use the new career account password set above
  • If prompted to register for MFA, walk them through that process, using the Microsoft Authenticator App is STRONGLY encouraged.
    Otherwise, they'll just authenticate MFA normally.
  • Once into O365, have them navigate to Outlook (Blue envelope icon on the left with an 'O')
  • Have them click the gear icon in the upper right corner, and then "View all Outlook settings" at the bottom of the sidebar
  • Open the "Rules" tab on the left
    • Have them review or read off the rules listed. It's usually pretty obvious if a rule is legitimate or not.
    • Have them remove any malicious rules
  • Open the "Sweep" tab on the left
    • Have them remove any sweep rules that they didn't create
  • Open the "Forwarding" tab on the left
    • If there's any forwarding rules set to addresses that they don't recognize, have them remove them
  • Tell them that they'll want to follow up after the call and review any sent, received, or deleted emails to see if there's any issues that need to be addressed.
  • Additionally, if they used their purdue.edu email account as the recovery email for any other accounts, they should re-secure those accounts as well after the call.

Resolution

  • End your call and resolve the ticket.









Image Added



Image Added



Image Added

CSC SPECIALISTS, since REPS don't have AzureAD access, you may need to back them up by changing MFA settings for them (after user identity has been confirmed).



Panel
borderColorgreen
titleColorgreen
borderWidth2
titleBGColorpalegreen
borderStylesolid
titleSTEAM-CIRT Call Script (SPECS)

CSC SPECIALISTS, this is the 'Call Script' that you should be using whenever you are resolving a STEAM-CIRT ticket by phone. 

NOTE: Once you're up to speed on this process, you do not have to have this script up on screen every time you're doing it, however, YOU ARE RESPONSIBLE for making sure that EVERY critical step in this process is completed prior to the resolution of the STEAM-CIRT ticket.


1) Verify Identity via PPS

MFA*) Notify an MFA liaison about your call

  • During the MFA enrollment rollout, starting September 2021, you may be tasked with assisting your caller with their MFA enrollment
  • Be prepared to enroll your user in MFA via these directions, *Needs Updated - Manual Enrollment Using Azure AD
    NOTE: But do not turn on MFA at this point in your call, this is just to get it ready.

2) Complete the STEAM-CIRT Qualtrics Survey

  • On your own computer, open the Qualtrics STEAM CIRT survey
    NOTE: The link to the survey can also be found in the tech notes of the STEAM-CIRT
  • Complete the survey, by reading off the questions to the user, and recording their answers.

3) SPEC ONLY Set Temporary Password via Active Directory

NOTE: To save time, I do this in the background after PPS, while going through the Qualtrics survey with the user.

  • Specs can use AD to set a randomized temporary password
    NOTE:I go this route of tempPW then PW to avoid sync delays, and some speedbumps. Do what works best for you.
    NOTE:     You can instead use the AccountSetupReset tool to have them set a password here, but you may way up waiting up to half an hour for it to sync to O365.
  • Relay the randomized password to your caller.

4) Set Boilerkey PIN# via their Boilerkey Page

  • Direct the user to visit their Boilerkey page, www.purdue.edu/boilerkey
  • Have them click on the "Manage" button in the middle to get to the CAS login page
  • They should log in with the new password from above, they'll need to log in with either:
    • PW,push
    • PW,6-digit-passcode
  • Direct them to set a new Boilerkey PIN# by clicking to click on "Set your BoilerKey PIN" next to the key icon, below the green square.
    NOTE: They SHOULD use a different PIN# than before.
  • Once the PIN# is set, they'll be dropped back on the Boilerkey homepage.
  • Have them click on "Test your BoilerKey" next to the key icon.
  • Have them test to make sure their Boilerkey is working normally again.
    NOTE: Especially due to COVID, it's important than ever that everyone knows how to log in via PIN#,6-digit-passcode
  • Have the user click on "Boilerkey Self-Serve" under the black bar at the top of the page.
    NOTE: To avoid more CSC calls in the future, it's important to make sure everyone has activated the Boilerkey Self-Recovery-Tool, might as well do it while they're here.
  • Next to the ambulance icon, have them click "Enable BoilerKey Self-Recovery via text messaging"
  • They'll need to confirm their cellphone number via text message.

5) Secure their O365 Mailbox

NOTE: Hopefully by this point, their new password will have time to sync to O365... Otherwise, prepare to wait... syncing a PW to O365 via AccountSetupReset can take up to 30 minutes.

  • Direct the user to open a new tab, and navigate to the O365 portal via your preferred method,
 
  • the direct URL input is portal.office.com
    NOTE: Do this on the O365 web portal via computer, do not do it via a mail client, app, or mobile device. It MUST be done on a non-mobile browser.
  • Have them log in via their username@purdue.edu
    NOTE: If they have a vanity email, their email and username will not match, needs to be their username, followed by 
@purdue
temporary
  • new password from above
  • Once into O365, have them navigate to
outlook
  • Outlook.
  • Once they've successfully logged into O365 enable MFA for this user.
  • Have them click the gear icon in the upper right corner, and then "View all Outlook settings" at the bottom of the sidebar
  • Open the "Rules" tab on the left
    • Have them review or read off the rules listed. It's usually pretty obvious if a rule is legitimate or not.
    • Have them remove any malicious rules
  • Open the "Sweep" tab on the left
    • Have them remove any sweep rules that they didn't create
  • Open the "Forwarding" tab on the left
    • If there's any forwarding rules set to addresses that they don't recognize, have them remove them
  • Tell them that they'll want to follow up after the call and review any sent, received or deleted emails to see if there's any issues that need to be addressed.
  • Additionally, if they used their purdue.edu email account as the recovery email for any other accounts, they should re-secure those accounts as well after the call.

6) MFA Enrollment

NOTE: More direction will probably be needed at some point, but see what you can do on your own?

  • Direct the user to sign out of O365
  • Then sign back in, and they should then see this screen:

  • Image AddedOnce prompted during Step 1: How should we contact you? they'll want to select the option for "Mobile App" for authentication, and then "Receive notifications for verification"

Image Added

  • THEORETICALLY, they should be able to follow through and complete the on screen prompts without much assistance.
  • Advise them that already established mail profiles (like on mobile devices) usually can't make the transition over to MFA from 1FA, so you'll want to remove the email from your mail client on your phone, then readd it to enable MFA security. Or, if preferred, you can switch over to using the Outlook Mobile App for your email and calendar services."
  • If you have any issues, reach out to the MFA Liasion you contacted above.
  • Once complete, please detail how the MFA enrollment went in the Tech Notes portion of your ticket, and pass along the same information to the liasion
  • They will now be using MFA for their O365 logins, but since it employs 'trusted devices' they will only have to authenticate via MFA once every 14 days.

7) Set Password via apps/account

NOTE: If you set a tempPW via AD, they'll need to go back and set a new Career Account Password now.

  • Direct the user to the apps/account page, purdue.edu/apps/account
    NOTE: Since they're already logged in with Boilerkey, they can set their password via their Boilerkey credentials
    NOTE: If they still have the Boilerkey tab open from above, they can just click on the "User Account Information" link at the top of that page.
  • In the lower right panel, click the "Reset Password" link near the bottom right.
  • Have them set a new password, make sure they get the confirmation message, and then they're done.

Resolution

  • End your call and resolve the ticket.
Image Removed