What to do in an Emergency

If you have detected or encountered a security event, there are four basic steps to take:

  • Don't panic:
    Security events develop and spread quickly. Panicking now and taking hectic actions usually worsens the situation. If any damage has been done, it has been done already by now;
  • If this concerns a device, keep it connected and leave it "on":
    Do not disconnect the system/service/device from the CERN network by pulling out its Ethernet cable or by disabling the wireless adapter. Do not switch the power off! Evidence in memory and active network connections is lost once the device is powered down or isolated;
  • If this concerns an account, reset your password:
    Do so via the CERN account portal. You might be asked to reset it again once the event has been understood;
  • Contact the Security Team:
    Write to Computer.Security@cern.ch, or call 70500 from inside CERN (+41 22 767 0500 from outside CERN). Details as well as our PGP key can be found here. The CERN CSIRT team will adhere to the procedures outlined in the Letter of Intent (LOI) for conducting remote forensics, if necessary;
  • Don't touch anything anymore:
    Wait for instructions before taking any further actions. Depending on the impact, we might have to understand the event in detail, and uncoordinated actions might destroy evidence.

The Security Team will discuss further steps with you and also involve other stakeholders if necessary. Together, we will assess the impact and consequences of the security event and investigate its origin. Depending on the results of these forensic analyses, further systems/services/devices/accounts might turn out to be affected, and the Security Team will follow up with the corresponding responsible persons. Once the security event has been properly understood, it is up to the owner of the affected systems/services/devices/accounts to re-establish an operative state.

Usually this means:

  • Reinstalling a system/service/device from scratch;
  • Changing all credentials of an account;
  • Reviewing and correcting vulnerable software and applications.