How to Respond to a Ticket about a Compromised Device on the ResNet Network

Occasionally the ISO office might open a ticket (via ServiceNow) about a compromised device on ResNet (the student network). CSG has some visibility into the network via InfoBlox and the NOC MyNetwork portal (https://mynetwork.noc.ucdavis.edu/cgi-bin/netadmin.pl); however, we have no real power to take action other than trying to identify where the device might be located on the network (if it’s still attached). The ISO will typically give the device name, the IP address it was using (a DHCP address, subject to change), and the MAC address, which are helpful in determining what VLAN it is/was on.

Instructions

You can try to locate the device if it still happens to be on the network, and document that in the ticket. You can narrow down the ResNet VLAN it was on by searching the “MyNetwork” portal for the IP address. You can also determine the type of device from the MAC address, which could be helpful in locating the device (check the MAC List on MyNetwork). That’s about all we have the power to do. Once you’ve done your due diligence and recorded any findings, you can respond to the ticket with this statement:

“…SHDS does not manage ResNet. We have some visibility but no control over the network. However, having a compromised computer on ResNet is definitely a campus policy violation, so if you can identify the student user by DHCP records, the normal way to proceed is to contact the Office of Student Support and Judicial Affairs (OSSJA) and have them reach out to the student. You can disable their network access if you deem that necessary. Marilyn Derby is an Assistant Director with the OSSJA and probably a good person to contact there. Her email is mderby@ucdavis.edu. The main contact for the Office of Student Support and Judicial Affairs is: ossja@ucdavis.edu.”
