UNF IT Security has many different processes in place for incident response. A few of these processes can be seen below. All incidents can be reported by contacting the UNF ITS Help Desk 904-620-HELP (4357), or by emailing ITSecurity@unf.edu
In the event of a malware detection warranting ITS intervention, the IT Security team procedures require that the device be removed from the network within 3 business days and subsequently reimaged using the latest campus client OS image. The technician remediating the incident should note the time the machine was removed from the network in the ticket and confirm that was the last time the user logged into that machine. Once the user is no longer using the infected machine, the technician shall change the user's UNF domain password and recommend changing any other passwords used on this device as they could also be compromised.
Suspicious Login Activity
There are many Indicators of Compromise (IoC) that UNF IT Security is alerted to daily. Incidents include but are not limited to:
- Non-confirmed foreign employee travel
- Impossible travel - A UNF account logging in from 2 or more countries without sufficient travel time
- Excessive login attempts to UNF resources
- Illegal activity (I.E. Denial of Service, Brute Force, Scanning, etc.)
IT Security will disable a UNF account if any of these alerts or others are triggered where the activity was not previously approved by IT Security or protected by 2FA. Planned foreign travel can be added to a whitelist automatically or manually. Automatic whitelisting occurs when UNF employees book foreign trips with the UNF travel system Concur at least one day before departing. For foreign travel booked outside of Concur (including personal trips), requests for manual whitelisting can be made by communicating with your C-Tech, creating a ticket with the UNF ITS Help Desk 904-620-HELP (4357), or by emailing ITSecurity@unf.edu
2FA Fraud Reports and Lockout
These actions are treated as IT Security incidents:
- If there is an excessive number of consecutive failed authentication attempts to a user's account, the account will become locked out. The account will be instantly disabled in the 2FA system and will automatically return to active status after a given period of time. If the user needs access inside of that window during business hours, the user will need to contact the UNF Help Desk 904-620-HELP (4357).
- If a user denies a Duo authentication and selects to report it as fraudulent, IT Security will reset the UNF account password to a random value. The user will need to reset their password via Login Help.
There are a few reasons this could occur:
- An attacker has your UNF password and is trying to guess the 2FA passcode or get your to accept the Duo push.
- The 2FA device is not enrolled correctly and needs to be updated and re-enrolled.