Overview
A compromised device is a significant cybersecurity threat in which a computer, mobile device, or other endpoint connected to the University of Montana network is infected with malware, accessed without authorization, or otherwise used for malicious activity.
This article outlines the actions the University of Montana Information Security Office (ISO) may take when a device is suspected or confirmed to be compromised, following the Identify, Protect, Detect, Respond, and Recover incident response framework.
If you just want to know when your device or network access will be restored, skip to “Steps for Users to Regain Device and Network Access.”
Information
How Devices are Compromised
Common causes of device compromise include:
- Malware or ransomware downloaded through malicious links, attachments, or websites
- Phishing attacks that result in stolen credentials used to access the device
- Outdated software or operating systems with known vulnerabilities
- Unsecured networks or unsafe remote access practices
- Unauthorized software or browser extensions
- Lost or stolen devices without adequate security controls
What Happens When a Device is Compromised
When a device is reported or appears to be compromised, the Information Security Office may isolate the device from the university network while an investigation is conducted.
The Information Security Office will contact the device owner directly with instructions and next steps once initial containment actions are complete. Access will be restored only after the device has been remediated, associated credentials have been secured, and no ongoing risk to university systems remains. Depending on when the compromise is detected and the scope of the incident, restoration of network access may not occur until the next business day.
How UM Responds to Compromised Devices
Compromised devices pose a risk to university systems, data, and users. Even devices that do not store sensitive information can be used to spread malware, steal credentials, or gain unauthorized access to university resources. For this reason, the Information Security Office responds quickly when a device is reported or suspected to be compromised.
When a potential compromise is identified, the Information Security Office may take immediate action, including isolating the device from the university network, to contain the risk while an investigation is conducted. The ISO will contact the device owner directly with instructions and next steps once initial containment actions are complete.
The following sections describe how the Information Security Office applies the Identify, Protect, Detect, Respond, and Recover incident response framework to compromised devices.
1. Identify
Objective: Detect the presence and scope of a compromised device.
How the Information Security Office Identifies Compromised Devices:
- User reports of suspicious behavior, malware warnings, or unexpected system activity
- Automated monitoring from endpoint protection, intrusion detection, or network security systems
- Alerts from third-party vendors, service providers, or cybersecurity partners
- Detection of abnormal network traffic, command-and-control communication, or scanning behavior
2. Protect
Objective: Mitigate immediate risk and secure university systems.
Steps Taken by the ISO to Protect the University:
- Network isolation: Temporarily remove the affected device from wired, wireless, and VPN access to prevent further unauthorized activity
- Credential protection: Reset or revoke credentials associated with the device to prevent continued misuse
- Session termination: Invalidate active authentication sessions and tokens
- Access restrictions: Temporarily restrict access to sensitive university systems if exposure is suspected
- User notification: When possible, notify the device owner using alternative contact methods and provide instructions for next steps
These actions may be taken without prior notice in order to contain the incident and reduce risk to the university.
3. Detect
Objective: Investigate the source, impact, and extent of the compromise.
Detection and Analysis:
- Review endpoint and network security logs
- Identify indicators of compromise, including:
- Determine potential attack vectors, such as:
  - Phishing-derived credential theft
  - Exploited software vulnerabilities
  - Unsafe downloads or removable media
- Assess whether sensitive or regulated data may have been accessed
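The Identify section above lists abnormal network traffic, command-and-control communication, and scanning behavior as signals, and the Detect step reviews network logs for indicators of compromise. The script below is an added illustration of what those two checks look like when run over connection (flow) logs; it is not ISO tooling or code from this article. The log format, the hosts, and the thresholds (20 distinct targets in 60 seconds for a sweep; six or more connections at near-constant intervals for a beacon) are constructed assumptions that a real deployment would tune against its own baseline.

```python
"""Flag scanning and beaconing hosts in connection (flow) logs.

Added illustration for the Identify/Detect steps; not UM ISO tooling.
Log lines are constructed and thresholds are assumptions to tune locally.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Beacon:
    src: str
    dst: str
    dport: int
    period_s: float  # mean seconds between connections
    cv: float        # pstdev / mean of the inter-arrival times


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ISO-timestamp src dst dport bytes' lines (assumed format);
    blank lines and '#' comments are skipped. Returned sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def detect_scanners(flows: list[Flow], window_s: int = 60, min_targets: int = 20) -> dict[str, int]:
    """Return {src: peak number of distinct (dst, dport) pairs seen inside any
    window_s span} for sources reaching min_targets. A host touching many
    distinct targets in a short span looks like a sweep, not a user browsing."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():  # fl is time-ordered because flows are
        peak, start = 0, 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > timedelta(seconds=window_s):
                start += 1  # slide the window forward
            peak = max(peak, len({(f.dst, f.dport) for f in fl[start:end + 1]}))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def detect_beacons(flows: list[Flow], min_count: int = 6, max_cv: float = 0.15,
                   min_period_s: float = 10) -> list[Beacon]:
    """Return (src, dst, dport) tuples contacted repeatedly at near-constant
    intervals. A low coefficient of variation of the inter-arrival times is
    the classic C2 check-in signature; human traffic to one site is bursty."""
    by_tuple: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for f in flows:
        by_tuple[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period < min_period_s:  # ignore rapid bursts such as page loads
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons.append(Beacon(src, dst, dport, round(period, 1), round(cv, 3)))
    return beacons


def constructed_sample() -> str:
    """Constructed flow log: one sweeping host, one beaconing host, one benign user."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    rows = []
    for i in range(1, 41):  # 10.20.5.17 sweeps 40 hosts on TCP/445 within 40 s
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.20.5.17 10.20.9.{i} 445 120")
    for i in range(12):  # 10.20.5.44 checks in every ~60 s with +/-1 s jitter
        t = base + timedelta(seconds=60 * i + (-1, 0, 1)[i % 3])
        rows.append(f"{t.isoformat()} 10.20.5.44 203.0.113.10 443 512")
    browsing = [(0, "198.51.100.5"), (7, "198.51.100.9"), (31, "198.51.100.5"),
                (95, "198.51.100.22"), (140, "198.51.100.9"), (410, "198.51.100.5"),
                (560, "198.51.100.31")]
    for i, (gap, dst) in enumerate(browsing):  # 10.20.5.80: irregular, few destinations
        rows.append(f"{(base + timedelta(seconds=gap)).isoformat()} 10.20.5.80 {dst} 443 {4096 + 300 * i}")
    return "\n".join(rows)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for src, n in detect_scanners(flows).items():
        print(f"SCAN   {src}: {n} distinct targets within 60 s")
    for b in detect_beacons(flows):
        print(f"BEACON {b.src} -> {b.dst}:{b.dport} every ~{b.period_s}s (cv={b.cv})")
```

On the constructed data only 10.20.5.17 is reported as a scanner and only 10.20.5.44 as a beacon; the browsing host passes both checks because it touches few destinations and at irregular intervals. Both detectors are heuristics: a vulnerability scanner run by IT will trip the sweep check, and software update checks can look like beacons, so hits are leads for the log review in the Detect step, not verdicts.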
4. Respond
Objective: Contain and remediate the incident.
Steps in the Response Process:
Technical Remediation:
- Remove malware or malicious software
- Reimage or rebuild the device when required
- Apply security patches and software updates
- Verify endpoint protection and security configurations
Communication:
- Coordinate with the UM IT HelpDesk and affected departments
- Notify appropriate compliance, legal, or administrative offices if required
Documentation:
5. Recover
Objective: Restore normal operations and strengthen future device security.
Depending on the severity and scope of the incident, affected users may not regain access to their device and/or the university network on the same business day.
Steps for Users to Regain Device and Network Access
Users may be required to complete one or more of the following steps, coordinated with the Information Security Office or the UM IT HelpDesk:
- Secure credentials: Reset passwords associated with the compromised device using the secure process provided by the ISO. Do this from a device other than the one suspected of compromise, so that malware on the affected device cannot capture the new credentials. Strong, unique passwords are required
- Remediate the device:
  - Remove malware or unauthorized software, or
  - Reimage or rebuild the device if remediation cannot be confidently completed
- Verify device settings: Ensure no unauthorized changes remain, including unfamiliar user accounts, altered security settings, unauthorized remote access tools, or unrecognized browser extensions
- Update software: Confirm the operating system and all installed applications are fully patched and up to date
- Confirm security tools: Verify required endpoint protection, monitoring, or device management tools are installed and functioning properly
- Monitor activity: Continue to monitor the device for signs of unusual behavior after access is restored
Network access will be restored only after the ISO confirms the device no longer poses a security risk and no further remediation is required.
ISO Actions
Following remediation and restoration, the Information Security Office may:
- Update security protocols, policies, and incident response procedures
- Enhance endpoint monitoring and detection capabilities
- Deploy additional safeguards, such as:
  - Advanced endpoint detection and response (EDR) controls
  - Expanded device compliance or management requirements
  - Strengthened identity and access controls tied to device security
- Coordinate with the UM IT HelpDesk, compliance offices, or external partners as necessary
Best Practices to Prevent Future Device Compromises
- Keep operating systems, applications, and firmware fully updated
- Use approved endpoint protection and device management tools
- Do not install unauthorized software or browser extensions
- Avoid clicking suspicious links or opening unexpected attachments
- Secure devices with strong passwords and multi-factor authentication (MFA) where supported
- Use caution on public or unsecured Wi-Fi networks
- Report suspected device compromise or unusual behavior immediately to the ISO
Conclusion
Prompt identification, isolation, and remediation of compromised devices reduces risk to the university while strengthening the overall cybersecurity posture of the University of Montana.
If you have questions or concerns, please contact the UM Information Security Office: infosec@umontana.edu