University Data Breach

The Situation

Not Real University (NRU) is a small public university located in Iowa. NRU uses a transaction management system. Students are issued a card tied to the system. The cards can be used for meals from the on-campus meal plans. In addition to the meal plans, the transaction management system handles virtual dollars: students and parents can add funds to the cards, which can then be used at various vendors, such as the campus bookstore and selected off-campus stores and restaurants.

The transaction management system is hosted and administered at the university. For political reasons, control of the system is spread among several organizations at the university:
- The Information Technology division manages the servers.
- The Finance division is responsible for overall system administration.
- The Administrative Support Service division manages relationships with on-campus and off-campus vendors.

The transaction management system is a profit center for the university. Last year, it generated about $800,000 for NRU from commissions on vendor sales. The system hosts a significant amount of personally identifiable information (PII), such as the users' names, addresses, phone numbers, and student ID numbers.

System operational control and security are lax:
- There are no formal, written processes for managing the system. Administrators learn "on the job." Don, the overall system administrator in the Finance division, is an accountant with little system administration or security training, who manages the system in addition to other job duties.
- Authentication is handled by username/password.
- Users come from the Information Technology, Finance, and Administrative Support Services divisions. Users are assigned to groups based on their job functions; each group has different but limited access based on those functions.
- There are several administrators from each group with full access.
- System events are logged, but events can only be seen at the group level.
For example, a log reviewer can learn that someone from Finance made a change, but not which user made the change.

The Breach

While going through log files to see if a patch was working correctly, an administrator from Information Technology noted that a significant amount of data, including PII, had been exported by an administrator at 2 am that morning. He reported this suspicious occurrence, and the university hired an external security auditor to investigate.

The Investigation

The auditor knew only that someone in the administrator group had exported the data. The specific administrator account that was used could not be determined.

The auditor first wanted to know whether the leak was an internal job or the work of an external attacker. He found several vulnerabilities that an external attacker could have exploited:
- There were over 50 orphan accounts that were either never closed when the user left the university or were set up (with a default password) but never used.
- Usernames are first initial plus last name (for example, jsmith). Since employee names are available through the website, it would be easy for an attacker to know valid usernames.
- Passwords were not well controlled. They were never required to be changed and could be very simple.
- Users shared usernames and passwords with student workers, temporary employees, and contractors through email or on the phone.

The auditor interviewed administrators from each division to see if he could determine whether an internal administrator had accessed the information.
No one admitted it. During the interviews, an administrator in Information Technology stated that he had given, by phone, the IP address of the transaction management system server to an external contractor who was upgrading other servers at the university.

The Results and the Aftermath

The auditor finally determined that the external contractor had stolen the information:
- The contractor noticed the poor security and thought he could steal valuable PII without being detected.
- Once he had the IP address of the server, he used attack tools to exfiltrate the password file and obtain an administrator's username and encrypted password from it. Since the password was only three letters long, he was able to crack it quickly.
- He then used the administrative access to export the PII.
- 500 students had their information compromised.
- The university was forced to announce the breach, with the resulting bad publicity.
- The university offered the victims additional money on the transaction management card and free credit monitoring!!!

Questions

1. The actual attack was social engineering, where the administrator was tricked into giving sensitive information (the IP address of the server) to the attacker. How should the university prevent this kind of attack in the future?
2. There are several problems with access control and authentication of users. What are they, and how should the university resolve these problems?
3. There are several problems with the management of the system. What are they, and how should the university resolve these problems?
Requirements: 200 words for each answer (3 answers total).
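As an added example (not part of the case study), the following Python script shows the kind of account hygiene check that the auditor's access-control findings call for. It runs over a constructed account list and a constructed HR roster and flags orphan accounts whose owner has left, provisioned-but-never-used accounts still on their default password, passwords that were never rotated within a maximum age, and groups with more full-access administrators than a set limit. The Account fields, names, dates and thresholds are all assumptions made for the example.

```python
"""Account hygiene audit for a shared transaction management system.

Added example with constructed data: the checks mirror the case-study
findings (orphan accounts, default passwords never changed, passwords
never rotated, too many full-access administrators per group).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str               # assumed convention: first initial + last name
    group: str                  # "it", "finance" or "admin_support"
    role: str                   # "user" or "admin" (admin = full access)
    last_login: Optional[date]  # None means never used since provisioning
    password_set: date          # when the current password was set
    password_is_default: bool   # still on the initial/default password


# Constructed HR roster of people currently employed (assumption: one
# account per employee, username derived from the employee's name).
ACTIVE_EMPLOYEES = {"jsmith", "dlee", "mgarcia", "kpatel", "rchen"}

TODAY = date(2024, 3, 1)               # fixed "now" so results are deterministic
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation policy
MAX_ADMINS_PER_GROUP = 2               # assumed least-privilege limit

# Constructed account export; no real people or systems.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "finance", "admin", date(2024, 2, 28), date(2023, 1, 10), False),
    Account("dlee", "it", "admin", date(2024, 2, 27), date(2024, 1, 15), False),
    Account("tbrown", "finance", "user", date(2023, 6, 1), date(2022, 5, 1), False),
    Account("contractor1", "it", "user", None, date(2023, 9, 1), True),
    Account("mgarcia", "admin_support", "admin", date(2024, 2, 20), date(2024, 2, 1), False),
    Account("kpatel", "finance", "admin", date(2024, 2, 25), date(2024, 2, 10), False),
    Account("rchen", "finance", "admin", date(2024, 1, 30), date(2024, 2, 11), False),
]


def audit(accounts, active_employees=ACTIVE_EMPLOYEES, today=TODAY):
    """Return a list of (subject, finding) pairs for the given accounts."""
    findings = []
    admins_per_group = {}
    for a in accounts:
        # Orphan account: the owner is no longer on the HR roster.
        if a.username not in active_employees:
            findings.append((a.username, "orphan: owner not on active employee roster"))
        # Provisioned but never used: a standing target that nobody is watching.
        if a.last_login is None:
            findings.append((a.username, "never used since provisioning"))
        # Default credentials are the first thing an attacker tries.
        if a.password_is_default:
            findings.append((a.username, "default password never changed"))
        # Otherwise enforce the rotation policy the case study lacked.
        elif today - a.password_set > MAX_PASSWORD_AGE:
            findings.append((a.username, "password older than maximum age"))
        if a.role == "admin":
            admins_per_group[a.group] = admins_per_group.get(a.group, 0) + 1
    # Least privilege: cap the number of full-access administrators per group.
    for group, count in sorted(admins_per_group.items()):
        if count > MAX_ADMINS_PER_GROUP:
            findings.append((group, f"{count} full-access admins exceeds limit of {MAX_ADMINS_PER_GROUP}"))
    return findings


def run_audit():
    """Run the audit over the constructed sample accounts."""
    return audit(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for subject, finding in run_audit():
        print(f"{subject:14} {finding}")
```

In practice the account export would come from the system's user store and the roster from HR, and the audit would run on a schedule so that accounts of departed staff and unused default-password accounts are disabled before an outsider finds them; the per-group admin cap is a simple stand-in for the broader least-privilege review the findings suggest.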