*Needs Updated - Compromised Accounts, Scrambled Passwords & STEAM-CIRTS

In this wiki:

  • About Compromised Accounts, Scrambled Passwords & STEAM-CIRTS

  • Compromise Reporting

  • STEAM-CIRT Process

  • STEAM-CIRT Call Scripts

  • STEAM-CIRT Customer Notes



About Compromised Accounts, Scrambled Passwords & STEAM-CIRTS

What is a Compromised Account?

A user's account has been compromised when someone other than the designated user has gained access to the account.

Malicious Actors

95% of the time, this is a 'malicious actor': someone seeking to harm the user through financial or data theft. Usually, once a malicious actor gains access to an account, they will use it to send out phishing emails in an attempt to gain access to other accounts.

GeoLocation Flagging

IP addresses are tied to a physical location: a room, a building, a city, a state, a country, etc. Normally, accessing Purdue resources in one location, then moving to another location and accessing them again, is not an issue.

However, if the two locations are unfeasibly distant for the time between the two logins (LA to London within an hour, for example), it is assumed that the same person could not have been in both places. The activity is flagged, the account is assumed compromised, and the account is scrambled.

NOTE: This system can produce false positives. If a user is using a VPN to 'modify' their geolocation (maybe to access video streaming services), their sessions can appear to jump continents, which trips this check.

NOTE: Additionally, when users DO travel internationally (fewer than 12 days a year for most), their accounts will tend to get flagged for that reason as well, which is not ideal.
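The "impossible travel" check described above, as an added illustration (not the Security team's actual tooling): consecutive sign-ins by the same user are compared, and a pair whose implied speed exceeds an assumed airliner-speed threshold is flagged. The sample events, user IDs and threshold are constructed for the example; a VPN exit far from the user's real location produces the same signal, which is the false positive the notes warn about.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (user, UTC timestamp, latitude, longitude).
# User IDs are made up; coordinates are approximate city centres.
SAMPLE_LOGINS = [
    ("userA", "2024-03-01T09:00:00", 34.05, -118.24),  # Los Angeles
    ("userA", "2024-03-01T10:00:00", 51.51, -0.13),    # London, one hour later
    ("userB", "2024-03-01T09:00:00", 40.42, -86.91),   # West Lafayette
    ("userB", "2024-03-01T11:30:00", 41.88, -87.63),   # Chicago, 2.5 hours later
]

# Assumed threshold: faster than a commercial airliner is treated as impossible.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def flag_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each sign-in with the same user's previous one; return
    (user, distance_km, hours_between, implied_speed_kmh) for every pair
    whose implied speed exceeds max_speed_kmh."""
    flagged = []
    last_seen = {}  # user -> (timestamp, lat, lon) of the previous sign-in
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(user)
        if prev is not None:
            prev_ts, prev_lat, prev_lon = prev
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(prev_ts)).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # Two distant sign-ins at the same instant are impossible at any speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                flagged.append((user, round(dist), round(hours, 2), round(speed) if hours > 0 else speed))
        last_seen[user] = (ts, lat, lon)
    return flagged


if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE_LOGINS):
        print("flag: %s moved %s km in %s h (%s km/h)" % hit)
```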

Unauthorized Users

Unfortunately, a lot of users are not aware that giving out their password, or giving other users (Purdue or non-Purdue) access to their account, is against Purdue Policy and potentially against FERPA Federal Law.

If you are on a call or receive an email where you become aware that someone other than the designated user has the password or Boilerkey for an account, you should immediately take action to prevent this.

NOTE: A Power of Attorney (POA) ON FILE with IAMO is the ONLY exception to this policy. If the POA is not on file, it DOES NOT MATTER that the person holds Power of Attorney (a parent, for example); it's still Federal Law. Don't mess with it.

NOTE: That being said, if the person is a VIP or similar, discretion may be advised; discuss with your supervisor.

If the user themselves is on the phone, help them change their password (or Boilerkey). If a 3rd party is the one in contact with you, you should flag the account as compromised. Again, if you have doubts, discuss with your supervisor.

What does "scrambling an account" mean?

When an account has been identified as compromised by any of several methods (see below), the account is scrambled. Scrambling is the process by which the account is locked, frozen, blocked, etc. This prevents ANYONE from accessing the account (including the user themselves). Once the account is scrambled, it can only be recovered by the user by contacting the CSC and resolving the "STEAM-CIRT" ticket (see below).

Once initiated, scrambling consists of several steps:

  • The Career Account Password for the account is literally scrambled or 'randomized.' The password is replaced with essentially gibberish known to no one, so that no one can log in with it.
  • The Boilerkey PIN# for the account is also scrambled.
    NOTE: Scrambled is not the same as cleared. Catbert will now show "NA" for the PIN# for the account. This does not mean the PIN has been cleared; it must still be cleared to recover the account.
  • A STEAM-CIRT ticket is created in Footprints and will arrive in the CSC's DISPATCH queue for resolution by the CSC.

What is a "STEAM-CIRT" ?

A STEAM-CIRT is a ticket created in Footprints by the Security Team whenever they scramble an account. These tickets will arrive in the CSC_DISPATCH queue, 



Compromised Account Reporting

Outgoing Mail

Incoming Mail

Geolocation Flagging

abuse@purdue.edu

Report Compromised Account Tool



STEAM-CIRT Dispatch Handling

Ticket Formatting

Queue Assignment


STEAM-CIRT Customer Contact

By Phone

By Email


STEAM-CIRT Resolution Process

Verify Identity via PPS

Complete the STEAM-CIRT Qualtrics Survey

Reset Password

Clear & Set Boilerkey PIN#

Secure O365 Mailbox


STEAM-CIRT Customer Notes

NOTE: If you're able to reach the user by phone right off the bat, just jump straight to the Ticket Closure Customer note.


STEAM-CIRT Initial Contact - Customer Note


This is the ITaP Customer Service Center at Purdue and we are informing you that the security team has detected activity on your account indicating that your Purdue Career Account has been compromised by a malicious actor, most likely with the intent of financial theft, or information theft. Your career account has been scrambled to lock out all access. To restore access to your account you'll need to call in to the ITaP Customer Service Center to re-secure your account.

Call us at our 24/7 service number 765-494-4000 to resolve.

Please reference your Issue # listed above if possible.


Thank you,

ITaP Customer Service Center
www.purdue.edu/goldanswers


For Tech Support:
West Lafayette: itap@purdue.edu or (765) 494-4000 24/7 service
Purdue Northwest:  csc@pnw.edu or (219) 989-2888
IUPUI:  ithelp@iu.edu or (317) 274-4357
Purdue Fort Wayne:  helpdesk@pfw.edu or (260) 481-6030


STEAM-CIRT Ticket Closure - Customer Note

Any generic closure message would work here; consider reminding the user to go through their incoming and outgoing mail to check for any issues.




<ABOVE> new documentation in progress
<BELOW> existing documentation


A customer's password and BoilerKey PIN will become scrambled if the Security team has reason to believe that their career account has been compromised.

In order to minimize the impact, ITaP Security and Policy immediately scrambles a customer's career account password and BoilerKey PIN in an effort to protect them and Purdue from an unauthorized individual accessing information and systems that the customer is authorized to access. 

This, unfortunately, will cause them to be unable to log in to any system which uses their Purdue career account - this includes both their BoilerKey and their Purdue career account password logins.

One symptom the customer might see if their account has been compromised is suspicious emails, or an increase in the amount of spam email they receive, prior to noticing that their career account no longer allows them to log in to any system.

Users often call in stating they could access a Purdue system earlier in their work or class day, but it has locked them out for reasons unknown. Check Footprints for a ticket history regarding a STEAM-CIRT before any further troubleshooting.

Specialists Working Dispatch

Apply the 'CSC.Steam Cirt' quick issue template to the FootPrints ticket.

Change the 'User ID' field on the Contact Information tab in the ticket to the user ID of the account that has been scrambled. It will be listed in the ticket title and customer note.

NOTE: The information fields in the ticket may need to be cleared with the 'Clear' button above the 'User ID' text field, as it will often have the information of members of the Security team listed in full, despite the username being that of the compromised account.

Clicking 'Clear' will remove all text in the User information tab.

Representatives Working Dispatched Tickets

Attempt to contact the customer first by phone, and then by email. Customer phone numbers can be found in Footprints or the Directory, or looked up by a Supervisor/Specialist in Banner.

If leaving a voicemail message, ask the customer to call the CSC at (765) 494-4000 to restore access to their account. They will need to provide information to pass an ID verification.

NOTE: Be sure to reference the STEAM-CIRT ticket number when leaving a voicemail message.

If you are not able to reach the user by phone, or if there is no phone number, please mark the ticket "Resolved > Referred to" and use the following customer note to contact the customer:

Customer Note Example

Our security team has identified that your Purdue Career Account has been compromised by an outside entity. Access to your account has been scrambled to prevent further intrusion.

You will need to call in to regain access to your account. This will require ID verification, so we cannot do that over email. If you cannot call in by phone, arrangements will need to be made to schedule a WebEx meeting with one of our team members.

At your convenience, please call into the 24/7 ITaP Customer Support Center at (765) 494-4000. If we are experiencing a high number of calls at the time of your call, you may be put on hold; please stay on the line to speak with an associate to resolve the issue. Leaving a voicemail will not advance your issue towards resolution.

This ticket will be held in a resolved state until we receive your call.

Thank you,
 <your first name here>

ITaP Customer Service Center

When the user calls in, upon researching the ticket number, the Representative or Specialist should first click the link to the Qualtrics survey at https://purdue.qualtrics.com/SE/?SID=SV_aWW1EAM5JujrKxD and read the questions aloud to the customer. 

NOTE: This survey should also be linked in each STEAM-CIRT ticket's tech notes.

Make sure to gather the customer's user name and enter it into the survey when prompted.  

NOTE: Once a Specialist or Representative has reestablished access to the user's account, the user should check and verify their bank account information in SuccessFactors, the forwards and rules in their email, etc., to confirm no changes were made to their personal information.

Spammers will usually set rules in the email inbox to forward messages to an outside address, or to automatically delete incoming messages, so that even after the user regains control of the inbox it may appear as though they are not receiving email.

The BoilerKey PIN reset can also be forgotten when assisting a user with a password reset. This causes confusion and repeatedly reopened tickets for frustrated users. Ensure that both the password reset and the PIN reset are completed prior to Resolving the ticket.

EXAMPLE: malicious mailbox rules
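An added worked example (not the CSC's or the Security team's own tooling) of the check that step "Secure O365 Mailbox" performs by hand: each inbox rule is inspected for the patterns described above, forwarding or redirecting to an external address, deleting mail, or hiding all mail in a rarely-viewed folder. The rule records, addresses, internal-domain set and watch words are constructed for the example and are shaped after the properties an Exchange/O365 inbox rule exposes.

```python
# Constructed sample inbox rules, shaped after the properties an Exchange/O365
# inbox rule exposes (Name, SubjectContainsWords, MoveToFolder, ForwardTo,
# RedirectTo, DeleteMessage). Names and addresses are made up for this example.
SAMPLE_RULES = [
    {"Name": "Receipts", "SubjectContainsWords": ["receipt"], "MoveToFolder": "Receipts",
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False},
    {"Name": ".", "SubjectContainsWords": [], "MoveToFolder": None,
     "ForwardTo": ["dropbox@attacker.example"], "RedirectTo": [], "DeleteMessage": False},
    {"Name": "Cleanup", "SubjectContainsWords": ["password", "suspicious", "compromised"],
     "MoveToFolder": None, "ForwardTo": [], "RedirectTo": [], "DeleteMessage": True},
    {"Name": "Archive Old", "SubjectContainsWords": [], "MoveToFolder": "RSS Feeds",
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False},
]

INTERNAL_DOMAINS = {"purdue.edu"}  # assumed: mail to these domains stays inside Purdue
WATCH_WORDS = {"password", "suspicious", "compromised", "security", "hacked", "phish"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email"}


def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is not one of (or under) the internal domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def rule_findings(rule):
    """Return the reasons a single inbox rule looks attacker-created (empty if none)."""
    reasons = []
    targets = list(rule.get("ForwardTo") or []) + list(rule.get("RedirectTo") or [])
    if any(is_external(t) for t in targets):
        reasons.append("forwards or redirects mail to an external address")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    # Deleting everything, or deleting mail about the compromise itself, hides replies and alerts.
    if rule.get("DeleteMessage") and (not words or words & WATCH_WORDS):
        reasons.append("deletes incoming mail the user would want to see")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS and not words:
        reasons.append("moves all mail into a rarely-viewed folder: " + rule["MoveToFolder"])
    if len(rule.get("Name") or "") <= 2:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_rules(rules):
    """Map the name of each suspicious rule to its list of reasons."""
    findings = {}
    for rule in rules:
        reasons = rule_findings(rule)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings
```

Every rule the audit reports should be reviewed with the user before the ticket is Resolved; a legitimate rule that happens to match is simply confirmed and kept.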



Once the survey has been filled out, it should be noted as such in the STEAM-CIRT tech notes.

The Specialist or Representative should then follow normal career account password reset and BoilerKey PIN issuance procedures. 

Mark the ticket as Resolved once the user has confirmed they can again access their accounts, and have not had their information compromised (mail rules, bank changes, etc).
