David Hotchkiss - RE: Bullet points

One of those conversations where he's talking to 5 people at once. I may have misunderstood. The best I can say is that he hasn't looked at the proposals yet, so we can't commit to a decision in the letter. I appreciate your concerns. I expect this letter will be the beginning of a longer conversation with the Department of Education, and would have been even with a clear answer. Scott ____________________________________________ K. Scott Dickey | Partner Renne Sloan Holtzman Sakai LLP | Public Law GroupTM 350 Sansome Street, Suite 300 | San Francisco, CA 94104 t: 415-678-3827 | f: 415-678-3838 | www.publiclawgroup.com Confidentiality Notice: This transmittal is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this transmittal is not the intended recipient or the employee or agent responsible for delivering the transmittal to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. -----Original Message----- From: David Hotchkiss [mailto:dhotchkiss@ccsf.edu] Sent: Mon 3/12/2012 4:54 PM To: Scott Dickey Subject: RE: Bullet points I didn't know I was meeting Peter on Wednesday. It's not on my calendar. David A. Hotchkiss, Ph.D., PMP Chief Technology Officer San Francisco Community College District Phone: 415.452.5586 >>> "Scott Dickey" <sdickey@publiclawgroup.com> 3/12/2012 4:49 PM >>> Thanks, David. I've reviewed the proposals, and have spoken to Peter. He doesn't want to move forward until after he's met with you on Wednesday. Scott ____________________________________________ K. Scott Dickey | Partner Renne Sloan Holtzman Sakai LLP | Public Law GroupTM 350 Sansome Street, Suite 300 | San Francisco, CA 94104 t: 415-678-3827 | f: 415-678-3838 | www.publiclawgroup.com Confidentiality Notice: This transmittal is intended only for the use of the individual or entity to which it is addressed and may contain

From: "Scott Dickey" <sdickey@publiclawgroup.com>To: "David Hotchkiss" <dhotchkiss@ccsf.edu>Date: 3/12/2012 5:14 PMSubject: RE: Bullet points

Page 1 of 5RE: Bullet points

3/14/2012file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4F5E2EDFP...

information that is privileged, confidential and exempt from disclosureunder applicable law. If the reader of this transmittal is not the intended recipient or the employee or agent responsible for delivering the transmittal to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. -----Original Message----- From: David Hotchkiss [mailto:dhotchkiss@ccsf.edu] Sent: Mon 3/12/2012 4:48 PM To: Scott Dickey Subject: RE: Bullet points Scott Below are my answers to the questions. I had to slightly change the answer to #1. I must tell you that it is really a weak response until we have that executed contract to add the fixes to our network. We have no in-house expertise. It is imperative that we get that contract in place as soon as possible. That said, here are the answers. __________________________________________ 1. Date the breach occurred. 2011 Thanksgiving Day Holiday weekend; i.e., 24 - 28 November 2011 CCSF was notified at 6:05AM am on 28 November 2011 2. Description of the breach. On Monday, November 28, 2011 City College of San Francisco's (CCSF) Information Technology Department was alerted to anomalous data traffic of the CCSF LAN by our network security company, USDN. CCSF technicians discovered several malicious viruses on a server and computers in a computer class room in Cloud Hall. At least one of the malicious viruses is capable of taking screen shots from a computer monitor and capable of logging keyboard key strokes was found on a computer. The College took immediate steps to remove the server from service and with help from an outside network security company, began to evaluate the pervasiveness of the viruses' propagation. Immediately an investigation was ordered by the CTO. It was discovered that there were many malicious vectors on a computer laboratory's server and on end user computers. It was also discovered that two of the malicious vectors were command and control botnets and Trojans. These malicious vectors as well as others were transmitting to known bad reputation IP addresses throughout the world. Initial evaluation showed 723 of the known bad IP addresses belonged to the Russian Business Network (RBN). While it is known that the RBN as an organization has been disbanded, the maliciousness emanating from and to their IP addresses continues. It was also discovered that the malicious vectors had propagated to servers on both the College's instructional and administrative networks infecting most of the servers and computers on the College network. Evaluation of the malicious vectors found that personally identifiable information (PII) may have been taken and transmitted to various entities external to the College. It was also indicated that the some of the malicious vectors had been resident on servers and computers for up to ten years. Evidence shows that at least one virus was found on the enterprise server however, there is currently no evidence that data was taken from the student or employee databases. While these malicious vectors were found on the College networks some of these vectors there is no evidence that of the District's databases were compromised as of the time of this writing. The personal data that may have been taken is believed to be only data which may have been captured when an individual

Page 2 of 5RE: Bullet points

3/14/2012file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4F5E2EDFP...

used a CCSF computer for financial and other personal transactions. ThePII taken was taken via key loggers and screen shot saving malicious vectors and transmitted via botnets to proven bad reputation IP addresses and some other IP addresses. 3. Current status of the breach incident. The breach is currently being contained but has yet to be totally resolved. A report developed by an outside network security expert was delivered on 31 January 2012 regarding the severity of the incident. It was delivered to the Board President, Vice Chancellor of Finance & Accounting, and General Counsel. The Technology Department is awaiting contract execution with an outside firm for full containment and resolution. 4. Specific detailed information on how CCSF has strengthened its current procedures to safeguard Personal Identifiable Information (PII) for its visitors, students, staff and faculty. What we have done.Established 24/7 monitoring of network both transmission and reception. This continuous monitoring will provide for proactive identification and incident response to malicious vectors both internal and external to the District's network. Automatically creates work orders sent to CCSF technicians based on severity of alarms for remediation of alarms. Monitoring will be a service conducted by a trained outside provider specializing in network security. Recurring annual service agreements will be developed that will ensure no lapse in monitoring coverage. Tech tiger teams have been established to clean District all end user computers. Focusing initially on administrative and business computers and then progressing to the student computers. Reported the incident with the Federal Bureau of Investigation local field office. Evaluated proposals received via RFP to hire an outside firm to provide incident response and put in place permanent solutions. Currently awaiting authorization to proceed and an executed contract. These solutions include: Stop anomalous transmissions out of the District's network to known bad reputation IP addresses Implement blocking of known bad IP addresses per lists provided by US-CERT, DOD, Carnagie-Melon, MIT or other agencies/organizations Establish zero-day response to malicious vectors and anomalous traffic which will automatically quarantine any malicious vectors, both transmitting and receiving. What we are planning to do.Notify students and employees of the breach in accordance with federal and state regulations. Update versions, permissions and settings on all firewalls. Layer 2 firewall will be updated for ingress traffic and layer 3 firewall will be updated for egress traffic. Evaluating the current network design with considerations. May hire outside firm to design and develop solutions regarding the following. Proper sizing of the all firewalls Ensure better segregation between the administrative and instructional networks within the District's LAN. Use of anti-virus systems to include, but not limited to, the following. Inline network-level anti-virus boxes More resilient anti-virus software for District servers More resilient anti-virus software for end user equipment Develop District-level policies regarding network security and acceptable use. ________________________________

Page 3 of 5RE: Bullet points

3/14/2012file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4F5E2EDFP...

David A. Hotchkiss, Ph.D., PMP Chief Technology Officer San Francisco Community College District Phone: 415.452.5586 >>> "Scott Dickey" <sdickey@publiclawgroup.com> 3/12/2012 1:56 PM >>> Just in case these didn't get to you before: The local office of the DOE has asked for the following information regarding the November breach: 1. Date the breach occurred; 2. Description of the breach; 3. Current status of the breach incident; and 4. "specific detailed information on how CCSF has strengthened its current procedures to safeguard Personal Identifiable Information (PII) for its visitors, students, staff and faculty." I've taken from your letter the following in response to 1 & 2: On Monday, November 28, 2011 City College's Information Technology Department discovered several malicious viruses on a server and computers in a computer class room in Cloud Hall. At least one of the malicious viruses is capable of taking screen shots from a computer monitor and capable of logging keyboard key strokes was found on a computer. The College took immediate steps to remove the server from service and with help from an outside network security company, began to evaluate the pervasiveness of the viruses' propagation. It was also discovered that the viruses had spread to the College's instructional and administrative networks infecting many of the servers and computers on the College network. Evaluation of the viruses found that personally identifiable information may have been taken and transmitted to various entities external to the College. It was also indicated that the some of the viruses had been resident on servers and computers for up to ten years. While these malicious viruses were found on the College networks, it appears that none of the District's databases were compromised as of the time of this writing. The personal data that may have been taken is believed to be only data which may have been captured when an individual used a CCSF computer for financial and other personal transactions. Could you please put something together for items 3 And 4? Thanks! Scott ____________________________________________ K. Scott Dickey | Partner Renne Sloan Holtzman Sakai LLP | Public Law GroupTM 350 Sansome Street, Suite 300 | San Francisco, CA 94104 t: 415-678-3827 | f: 415-678-3838 | www.publiclawgroup.com Confidentiality Notice: This transmittal is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this transmittal is not the intended recipient or the employee or agent responsible for delivering the transmittal to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. From: David Hotchkiss [mailto:dhotchkiss@ccsf.edu] Sent: Fri 3/9/2012 12:55 PM To: Scott Dickey Subject: Bullet points A gentle reminder to please send me the bullet points

Page 4 of 5RE: Bullet points

3/14/2012file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4F5E2EDFP...

David A. Hotchkiss, Ph.D., PMP Chief Technology Officer San Francisco Community College District Phone: 415.452.5586

Page 5 of 5RE: Bullet points

3/14/2012file://C:\Documents and Settings\dhotchkiss\Local Settings\Temp\XPgrpwise\4F5E2EDFP...