{"id":24129,"date":"2021-07-14T08:00:00","date_gmt":"2021-07-14T12:00:00","guid":{"rendered":"https:\/\/michigan.it.umich.edu\/news\/?p=24129"},"modified":"2024-07-08T06:04:30","modified_gmt":"2024-07-08T10:04:30","slug":"checking-systems-for-signs-of-compromise","status":"publish","type":"post","link":"https:\/\/michigan.it.umich.edu\/news\/2021\/07\/14\/checking-systems-for-signs-of-compromise\/","title":{"rendered":"Checking systems for signs of compromise"},"content":{"rendered":"\n
\"\"<\/figure><\/div>\n\n\n\n

Almost all IT professionals at some time in their career have faced the question of whether or not a system they are responsible for has been compromised, and many people face this worry with their own tech as well. ITS Information Assurance (IA) provides help checking UM-owned systems and guidance that can be useful for checking any computer.<\/p>\n\n\n\n

If a system contains sensitive U-M data and you suspect it has been compromised<\/strong>, report it immediately to ITS IA at security@umich.edu<\/a>. If the situation is urgent, please indicate that clearly in your report.<\/p>\n\n\n\n

Do not install or alter software on your system while waiting for IA to respond! Disconnect the system from any networks by unplugging the ethernet cord or turning off the WiFi.<\/em><\/p>\n\n\n\n

CrowdStrike Falcon and detection on U-M computers<\/strong><\/h2>\n\n\n\n

If the system in question is a UM-owned computer and has CrowdStrike Falcon endpoint protection installed, contact your unit’s Falcon administrator. Your unit’s Falcon admin can check for detections or incidents for the system and may also suggest a course of action and contact ITS Information Assurance (IA) for more assistance.<\/p>\n\n\n\n

If you have U-M systems that do not yet have Falcon installed, contact your unit Falcon administrator or ITS IA for assistance getting it installed. Not sure who your Falcon admin is? Contact your Security Unit Liaison<\/a> (SUL) to find out.<\/p>\n\n\n\n

What to look for<\/strong> if you suspect your system has been compromised<\/h2>\n\n\n\n

Start by checking system and software logs for the following components to be sure they are running as expected and there are no unexpected configuration changes to them:<\/p>\n\n\n\n