Security - Wireless Security Procedure
Campus users Wireless/WiscVPN Security Procedures:
Infection Wireless Procedure
- OCIS is alerted of a wireless infection from our security systems and subsequently learns the MAC address of the infected device as well as the user (NetID) associated with the device.
- OCIS blackholes the MAC address corresponding to the device. OCIS will include the reason of "Likely infected machine" in the Wireless Administration tool ("Public Reason").
- OCIS sends a WiscIT Incident to the Help Desk using the existing VPN Quarantine procedures (see Help Desk - Procedure for Handling and Proactive Notification of Security Disabled Accounts). The short description will be "Suspicious Activity Report - [NetID]", and the classification will be set to Security / Suspicious Activity Report / Quarantined.
- When the customer contacts the Help Desk and the infection is confirmed clean, the Help Desk will reactivate the device using the Wireless Administration tool.
Copyright Infringement Procedure for Wireless
Strike One
Note: Strike One procedures are here for awareness only; the Help Desk will only be involved with Strike Two and Three incidents.
- OCS receives an alert about alleged infringement (cease and desist report) about a user on WiscVPN / Wireless.
- OCS determines that this is the first strike (first warning) for this user.
- OCS emails a copy of the infringement report to the user along with our copyright boilerplate, e.g. "Per policy, please remove all infringing material". In addition, OCS will notify the user that this is strike one and include a link to the policy.
- OCS updates the "strike" count for the NetID and closes the incident.
Strike Two
- OCS receives an alert about alleged infringement (cease and desist report) about a user on WiscVPN / Wireless.
- OCS determines that this is the second strike (second warning) for this user.
- OCS creates a WiscIT incident and sends it to the DoIT Help Desk. The incident will be classified as Security / Copyright / Strike 2, and the description will be formatted as follows:
    Copyright Strike 2
    NetID: [NetID in question]
    MAC: [MAC address of device]
    Evidentiary Information:
    <FILE INFRINGEMENT DETAILS>
    <COPY OF REPORT>
- OCS emails a copy of the infringement report to the user along with our copyright boilerplate, e.g. "Per policy, please remove all infringing material". In addition, OCS will state that this is strike two and network access will be removed until conditions are met (link to the details included).
- OCS disables WiscVPN and wireless access for the NetID.
- OCS disables the user's devices in ClearPass.
- OCS will update the "strike" count for the NetID.
- The DoIT Help Desk notifies the user by call or email of the issue and steps for resolution. They should provide the user with the following information:
"The Office of Campus Information Security (OCS) received a report about infringement allegedly occurring from a computer you may be using to access the University system.
This activity needs to cease immediately. In addition, we request that all infringing material be removed from your computer. Our records indicate that this is the second notice that we have received. Per policy (https://kb.doit.wisc.edu/security/page.php?id=20431) we have disabled your WiscWireless and WiscVPN network access until you have completed the Learn@UW copyright quiz and had your computer scanned for malware and file-sharing programs by the DoIT Help Desk or other similar service."
- The DoIT Help Desk agent routes the incident to the HDQA. HDQA will then escalate this incident to the US-Help Desk EAST requesting that the user and all of their Bradford devices be quarantined. (Until this action happens, the customer will still have full access to the Housing network.)
- The user brings the computer to the DoIT Tech Store to have it cleaned of any file-sharing programs and all the infringing material, or provides a receipt from a computer shop for a similar service. The DoIT Tech Store agent will update the ticket and escalate to the HDQA, who will then escalate to the BadgIRT WiscIT group.
- OCS will check if the user has passed an online copyright quiz (located in Learn@UW and currently titled 'UW-Madison Copyright Tutorial') with 100%. The users will have another quiz to confirm they completed the copyright quiz. When that quiz is completed, an email notification is sent to OCS. Once completed, OCS will update the ticket.
- OCS will re-enable WiscVPN and wireless access.
- The DoIT Help Desk will close the incident.
Strike Three
- OCS receives an alert about alleged infringement (cease and desist report) about a user on WiscVPN / Wireless.
- OCS determines that this is the third strike (third warning) for this user.
- OCS creates a WiscIT incident and sends it to the DoIT Help Desk. The incident will be classified as Security / Copyright / Strike 3, and the description will be formatted as follows:
    Copyright Strike 3
    NetID: [NetID in question]
    MAC: [MAC address of device]
    Evidentiary Information:
    <FILE INFRINGEMENT DETAILS>
    <COPY OF REPORT>
- OCS emails a copy of the infringement report to the user along with our copyright boilerplate, e.g. "Per policy, please remove all infringing material". In addition, OCS will state that this is strike three and network access will be removed until we hear back from the Dean of Students. If the user is faculty or staff, we will escalate to their human resources representative.
- OCS disables WiscVPN and wireless access for the NetID.
- OCS will update the "strike" count for the NetID.
- The DoIT Help Desk notifies the user by call or email of the issue and steps for resolution. They should provide the user with the following information:
"The Office of Campus Information Security (OCS) received a report about infringement allegedly occurring from a computer you may be using to access the University system.
This activity needs to cease immediately. In addition, we request that all infringing material be removed from your computer. Our records indicate that this is the third notice that we have received. Per policy (https://kb.doit.wisc.edu/security/page.php?id=20431) we have disabled your WiscWireless and WiscVPN network access until we hear from (the Dean of Students office / your human resources representative). We would suggest that you contact (the Dean of Students / your human resources representative) to arrange for a meeting."
- If the person receiving a third strike is a student, OCS staff will open a report within the Dean of Students Incident Reporting Form. OCS staff will complete the ticket with the following information:
    Background Information:
    fullname: OCS staff name
    title: OCS response staff
    email address: abuse@wisc.edu
    Nature of report: choose Copyright Incident Report (DoIT Use Only)
    date: use current date
    Location of the incident: Pick the best option, e.g. On-Campus (Other)
    Involved Parties: Copyright student full name and their email address
    Description/Narrative:

    Hello

    This is a report of a -third- copyright infringement notice being received for . Their WiscWireless, WiscVPN and Internet Housing network access have been removed pending notification from the Dean of Students to re-activate those services. Please send the notification of restoration of access to abuse@wisc.edu when appropriate. After the second strike, they took their machine into the DoIT tech store and completed the copyright tutorial. At minimum, I would recommend that they bring their computer into the DoIT tech store for a full uninstall of any peer to peer (P2P) software vs just disabling the P2P or configuring it not to share. We have included the past infringement reports below. Please let us know any questions.

    Thank you!
    -OCS Staff

    [INCLUDE **ALL** PAST INFRINGEMENT REPORT DETAILS]
    [EXAMPLE BELOW]

    Infringement complainant: RIAA

    List of infringing content
    ------------------------------
    Kanye West POWER
    ------------------------------
    INFRINGEMENT DETAIL
    ------------------------------
    Infringing Work : POWER
    Filename : kanye west- power.mp3
    First found (UTC): 2011-11-01T21:16:41.73Z
    Last found (UTC): 2011-11-01T21:18:07.03Z
    Filesize : 7049312 bytes
    IP Address: 146.151.30.35
    IP Port: 21950
    Network: Ares
    Protocol: Ares

    Second notice:

    List of infringing content
    ------------------------------
    Sean Paul Give It Up To Me
    ------------------------------
    INFRINGEMENT DETAIL
    ------------------------------
    Infringing Work : Give It Up To Me
    Filename : sean paul - the trinity - give it up to me(2).mp3
    First found (UTC): 2011-11-13T20:14:29.57Z
    Last found (UTC): 2011-11-13T20:15:38.15Z
    Filesize : 6421672 bytes
    IP Address: 146.151.27.71
    IP Port: 21950
    Network: Ares
    Protocol: Ares

    Third Notice:

    List of infringing content
    ------------------------------
    Kanye West POWER
    ------------------------------
    INFRINGEMENT DETAIL
    ------------------------------
    Infringing Work : POWER
    Filename : kanye west- power.mp3
    First found (UTC): 2011-11-30T00:41:37.28Z
    Last found (UTC): 2011-11-30T00:43:06.12Z
    Filesize : 7049312 bytes
    IP Address: 146.151.30.182
    IP Port: 21950
    Network: Ares
    Protocol: Ares
- In all third strike cases, OCS staff will send an email to Jeff Savoy and Allen Monette alerting them that a third strike happened along with the person's NetID.
- OCS will re-enable WiscVPN and wireless access once the Dean of Students (or the appropriate University official, if this involves faculty or staff) approves. If the Dean of Students or HR representative requests that additional action be taken (such as reformatting), OCS will update the incident with this info and the Help Desk will contact the customer. Once complete, the Help Desk will update the ticket and escalate to the BadgIRT WiscIT group. OCS will re-enable WiscVPN / Wireless access and close the case.
- OCS will close the incident.
Guest Wireless Incident Procedures:
Invalid Email used for Guest Wireless Access Procedure
- OCIS is alerted by our security system that a user has logged into the guest wireless access point using an invalid email address.
- OCIS blackholes the MAC address of the user's device. OCIS will include the reason of "Bad Guest Email Address" as well as the email address used in the Wireless Administration tool ("Public Reason").
- If a customer contacts the Help Desk, the Help Desk will use the Wireless Administration tool to learn why the user is blacklisted and learn it was because a bad email address was used. The Help Desk will collect valid contact information for the user as well as the reason that a bad email address was used. If the bad email address was likely the result of an error, e.g. a typo, the Help Desk will reactivate the device using the Wireless Administration tool. If the bad email address was the result of another reason, e.g. a fake address, the Help Desk will collect customer information and send a ticket to the BadgIRT WiscIT group for follow up.
- OCIS determines the merits of reactivation, acts accordingly, and subsequently contacts the user with the resolution.
General Security/Infection Incident Procedure for Guests (Wireless)
- OCIS is alerted of a wireless infection of a guest from our security systems.
- OCIS blackholes the MAC address of the user's device. OCIS will include the reason of "Likely infected machine" in the Wireless Administration tool ("Public Reason").
- When the customer contacts the Help Desk, the Help Desk will inform the customer that the machine must be cleaned before they will be reactivated. Since they are not UW-Madison affiliated, they will have to use outside services to clean the infection.
- Once confirmed clean, the Help Desk will reactivate the user in the Wireless Administration tool.
Copyright Infringement Procedure for Guests (Wireless)
Strike One
- OCS receives an alert about alleged infringement (cease and desist report/settlement) about a user on Guest Wireless.
- OCS determines that this is the first strike for this user.
- OCS creates a WiscIT incident and sends it to the DoIT Help Desk. The incident will be classified as Security / Copyright / Strike 1, and the description will be formatted as follows:
    Copyright Strike 1 - Guest
    NetID (guest user): [Registered guest email address]
    MAC: [MAC address of device]
    Evidentiary Information:
    <FILE INFRINGEMENT DETAILS>
    <COPY OF REPORT>
- OCS emails a copy of the infringement report to the user, if it is not a settlement case, along with our copyright boilerplate, e.g. "Per policy, please remove all infringing material". (If it is a settlement case, the customer will have to obtain a copy from OCS.) In addition, OCS will notify the user that the user's wireless access has been disabled for their device.
- OCS updates the "strike" count for the guest_email.
- If the user calls the Help Desk, gather their contact information (name and phone number) as well as their availability between 8am-4pm for call back purposes. The DoIT Help Desk should then escalate the incident to BadgIRT.
- OCS will wait until the user has contacted the Help Desk and the incident has been escalated with contact information. They will then re-enable access once the user has reviewed wireless access policies.
Strike Two
- OCS receives an alert about alleged infringement (cease and desist report/settlement) about a user on Guest Wireless.
- OCS determines that this is the second strike for this user.
- OCS creates a WiscIT incident and sends it to the DoIT Help Desk. The incident will be classified as Security / Copyright / Strike 2, and the description will be formatted as follows:
    Copyright Strike 2 - Guest
    NetID (guest user): [Registered guest email address]
    MAC: [MAC address of device]
    Evidentiary Information:
    <FILE INFRINGEMENT DETAILS>
    <COPY OF REPORT>
- OCS emails a copy of the infringement report to the user, if it is not a settlement case, along with our copyright boilerplate, e.g. "Per policy, please remove all infringing material". (If it is a settlement case, the customer will have to obtain a copy from OCS.) In addition, OCS will notify the user that the user's wireless access has been disabled for their device and will not be re-enabled without CISO approval.
- OCS updates the "strike" count for the guest_email.
- If the user calls the Help Desk, gather their contact information (name and phone number) as well as their availability between 8am-4pm for call back purposes. The DoIT Help Desk should then escalate the incident to BadgIRT.
- OCS will wait until the user has contacted the Help Desk and the incident has been escalated with contact information. They will then re-enable access once CISO gives approval for wireless re-enablement.