Overview 
We know you are concerned about protecting your computer and information and take steps to secure them. However— just like driving a car —no matter how safely you drive, sooner or later you may have an incident. On this page we will teach you indicators of behavior that can be considered incidents, and if so what you can do about it. Ultimately, the quicker you detect computer anomalies and the faster you respond, the better you can mitigate any harm to you or your organization.

Incident behaviors
First, you need to understand that in many cases there is no single item or step. Instead there are usually several indicators. If you identify a combination of these, this implies your computer may be under attack. Here are some examples.
    
•    Your anti-virus program has triggered an alert that your computer is infected, particularly if it says that it was unable to remove or quarantine the affected files.
•    Your browser’s homepage has unexpectedly changed or your browser is taking you to websites that you did not want to go to.
•    There are new accounts on your computer that you did not create.
•    There are new programs running that you did not install.
•    Your computer is continually crashing or running very slow.
•    A program on your computer requests your authorization to make changes to your system, although you’re not actively installing or updating any of your applications.
•    Your firewall alerts you that a program you do not recognize is requesting permission to access the internet.
•    Your mouse or cursor seem to move on their own as if they are being controlled by someone else.

How to Respond
If you believe your computer is being targeted, the sooner you respond, the better. If the computer you are using was provided to you by your employer or is used for work, do not try to fix your computer yourself and do not turn the computer off. Not only you may cause more harm than good, but you could destroy valuable evidence that can be used for an investigation. Instead, follow these steps:
•    Stop all work and do not use your computer until advised otherwise. 
•    Call your campus IT Security Office or Help Desk and follow their instructions. 
•    Inform the representative of all you can recall. 
•    Inform the representative of the nature of your work and if you access data that is considered confidential or highly confidential, or if you access data that is subject to compliance requirements.
•    If for some reason you cannot contact your organization, or you are concerned about a delay, disconnect your computer from the network and then put it in sleep, suspend or hibernation mode. 
 

Even if you are not sure you have been targeted, it is far better to report now just in case. Your campus has processes and a team in place to handle situations like this, let them handle it. Please also do this if you use your personal computer to perform your work duties.

These steps may seem trivial, but each step is important to quickly and accurately determine the nature of the behavior and the impact on you, your campus, and the university as a whole.

This months content adapted from SANS OUCH newsletter located here: https://www.sans.org/security-awareness-training/ouch-newsletter

Need Help?





UCCS Help Desk
CU Denver & Anschutz Help Desk CU Boulder Help Desk CU Information Systems Help Desk

719.225.3536

helpdesk@uccs.edu

303.724.4357

 UCD-ITS-HELPDESK@ucdenver.edu

303.735.4357

help@colorado.edu

303.860.4357

help@cu.edu