MIT Network Security




Policies

While MIT strives to maintain an open, collaborative computing environment, there are policies dictating appropriate use of the network.

Removing a machine from the network

A computer is removed from the MIT network only in order to protect the data on that computer from misuse or theft, or to protect other computers on the network from attacks.

When the Network Security Team detects that a computer on the MIT network has been broken into by an intruder, action is taken to remove that computer from the network. Compromised hosts frequently begin to attack other systems. As soon as the Network Security Team detects malicious activity, we disable the Ethernet port that serves the affected computer. We then send a mail message describing the problem, and the necessary recovery steps, to the registered system owner. (Users can update their information via the MIT Host Lookup/Configuration Tool.) Unfortunately, because the number of attacks has risen dramatically in recent years, the rate of compromise has exceeded our ability to contact system owners by phone before disabling the machine.

System owners are urged to review the current contact information for all hosts under their care. Security incidents will be resolved more rapidly if we have current contact information for each machine. Keeping system and contact information accurate is one of the most effective steps that can be taken to streamline remediation in the event of an incident.

The Network Security Team recognizes that a decision to remove a machine from the network can create inconvenience and difficulties for users. Please understand that our purpose is only to protect compromised systems and data from further misuse, and to ensure the safety of work at MIT and elsewhere on the Internet.

Effects of intruder attacks

MIT experiences approximately 50-100 security incidents per week, of which 70% occur outside normal business hours. These incidents lead to downtime on mission-critical systems, lost productivity, and the disruption of research and academic activities. The severity of a typical event, as measured by the damage done to systems at MIT and elsewhere as well as the time needed to restore service, is increasing. Currently, the average downtime from compromised systems on main campus ranges from 1-7 days. Data losses are also frequent, both through the direct destruction of data and through the failure of backup procedures.

It is not uncommon for preventive and recovery efforts to disrupt individual systems, sometimes interfering with research and academic work. We deeply regret these instances, and hope that by working more closely with faculty, students, and staff around the Institute, disruptions can be minimized or avoided altogether.

Please contact the Network Security Team with any concerns or questions you may have.




Last modified January 9, 2004
Copyright ©2004 Massachusetts Institute of Technology
Comments and questions to netsec-www@mit.edu