MODULE 1: INCIDENT & INITIAL RESPONSE (9-10 AM)
Event 1: 3am November 2nd 2015
At 3am a disgruntled ex-employee entered Feldberg - he were terminated on October 30th and his card access had not yet be terminated so he was able to enter the building and all LTS communications rooms and data centers.
Once in the building he took a crow bar and smashes the CISCO ACE 30 load balancer impacting Moodle services and then he pulled the alarm bar and turned off building power (by pressing the circuit disconnect in room 104A).
Event 2: 3:15am November 2nd
Brandeis University police arrive and seeing the smashed equipment quickly disable the alarm and declare the data center a crime scene. The police do not allow anyone to touch the core power switch for the building until a fingerprint expert arrives and tests the switch for fingerprints.
Event 3: 5am November 2nd
After hiding in the Library for the last couple of hours, the ex-employee made his way to the Goldfarb data center and physically removes the CISCO ACE 30 in this data center. This load balancer is also crushed and left on the floor in pieces.
Current Situation
Anyone who feels they would have already been engaged in the incident should summarize what they believe their actions would have been.
Inject 1, 9am: The LTS Helpdesk opens to a queue of 100 messages from students reporting that they are unable to log into Latte. 30 similar messages are from faculty who have early morning classes and are unable to access Latte.
Inject 2, 9:45: Social media is describing some sort of event requiring law enforcement on campus and the first calls from worried parents are starting to come in. The main Brandeis website (www.brandeis.edu) is seeing an increasing load. (nb: this inject will primarily be of significance to the communications staff and the leadership team).
Planning Considerations:
The following services are affected (i.e., "in play"):
· Latte
· Feldberg and Goldfarb data center
The following services are unaffected (i.e., "out of play"):
· DNS
· Internet connectivity
· Other systems running on the virtualized infrastructure
Module 1: Discussion Questions
MODULE 1 : DISCUSSION QUESTIONS
Group
1. In an actual incident, what would have taken place by the time of the exercise kick-off?
Based on the information presented, what are your top priorities at this time?
University Services
What processes or procedures would you implement in response to the situation presented? What procedures are in place to access the environmental hazard from the liquid in Goldfarb?
1. Who would you look to coordinate your response?
2. Who or when would you engage the University's leadership?
Library and Technology
1. What alarms or monitoring would have been triggered by the incident as described?
2. What plans, policies, and/or procedures are in place to prevent or respond to a large-scale service interruption?
What information sources could you contact to get further information about this service interruption?
4. Due to the information presented, would there be any immediate operational changes in your department? Would this involve a change in security protocol, either physical or logical?
Academic Units
1. How would you expect to first hear about the incident?
2. What procedures or communications might you undertake once learning about the incident?
Communications
When would you expect to be notified?
2. Is this protocol discussed in the Brandeis Crisis Communications Plan? Has this plan been provided to communications liaisons university-wide? Are they aware of the protocol?
Public Safety
1. What coordination among departments is necessary at this point?
2. Due to the information presented, would there be any immediate operational changes in your department? Would this involve a change in security protocol, either physical or logical?