We believe that the possibility of a data breach or compromise is very low at this time however we recommend that all users take additional steps from an abundance of caution perspective. Those steps include 1) if you have access as an administrator to a system change your password(s) after you have verified that the vendor supporting your system has patched it appropriately, 2) increase your effort to mitigate those vulnerable systems identified on the weekly Nessus vulnerability report available at https://silo.dpo.uab.edu/vulnreport (if you need assistance please call Information Security at 205-975-0482), 3) please ensure that all systems that use SSL encryption services are fully patched, then restart the service on that system, 4) replace all SSL certificates on those systems with one provide free of charge from UAB IT from www.uab.edu/uabcrt (certificates from UAB are vetted, patched and kept up to date), 5) change all privileged account passwords immediately after vendor patches have been applied, and 6) be aware that many network devices and printers have embedded SSL based encrypted web based access portals which should be updated with vendor patches to mitigate this vulnerability.
We also recommend that all users with privileged access change their BlazerID passwords immediately as a precaution to mitigate any possible exfiltration of sensitive data by the OpenSSL vulnerability. And we also recommend that users change their personal passwords which they may use to access personal non-UAB web sites such as on-line banking and others to assist in reducing the possibility of becoming a cybercrime victim.
If you need additional assistance, please call AskIT at (205) 996-5555.
Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.
UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.
BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the mean time, BitLocker should be installed using the non-enterprise setup method below.
Non-Enterprise BitLocker Setup
Recommendations for using BitLocker
- Password set system BIOS
- TPM chip in the device
- You must take ownership of the TPM chip
- Before updating the BIOS, BitLocker must be suspended
- Escrow the key in some manner
- Professional/enterprise version of Windows
- Use a TPM + PIN authentication method
- System must be formatted NTFS with two volumes
Escrowing the key
With Windows 8, you may escrow the key in one of the following ways:
- Save the recovery key to a USB flash drive This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
- Save the recovery key to a file This method saves the recovery key to a network drive or other location.
- Print the recovery key This method prints the recovery key, but it is not recommended.
It will be up to the department to maintain the escrow recovery keys.
- Isolate the device
Make sure the system is disconnected from the network. This is to protect UAB from any additional impact from the incident.
Determine the affected data.
Confirm whether or not sensitive data was housed on the compromised device. This includes employee, student, patient, or research data. Determine if any sensitive data was inappropriately accessed. If so, immediately escalate to both your local management and the UAB Data Security (https://silo.dso.uab.edu/incident or call 205-975-0842).
If sensitive data is at risk, do not perform additional activity until you have spoken with Data Security.
- Perform Root Cause Analysis
Establish the reason that the system was exploited. Ask yourself these questions:
- Did an end user install something harmful?
- Was it caused by a weak password?
- Was the system missing a patch?
- Remediate the issue
The best way to restore a compromised machine is frofm a trusted backup or to do a clean installation. Even what used to be routine virus infections have become so advanced that we cannot trust a system once it's been infected.
Perform password changes for end users and any administrators that may have used the system as well. This includes BlazerIDs and other accounts such as websites that were accessed from the compromised machines. Local Administrator passwords should also be changed.
- Reconnect to the network
Once the system has been properly remediated, UAB Data Security, in conjunction with the HIPAA Security Office, will reconnect the machine to the network. This process can take up to 24 hours after the initial request.
If you receive a notice saying the machine was compromised, the best way to get reconnected is to reply to that email.