elizabeth-stevens
An urban university that caters mostly to commuter students
A diverse range of technologies, all expected to meet a high level of security
Any dept. can set up servers, which are then administered by people whose primary duties lie elsewhere
Unreported servers create vulnerable internal networks that nobody tracks, patches or protects centrally
Some departments work well together and share information
“Towers of power” do not like to engage with anyone outside their own group
These different working styles lead to a lack of consistency and accountability
Miscommunication caused problems with the server and domain structure
› No firewall = systems directly exposed to attack
Departments were reorganized
Towers of power restructured
All servers were moved to the computer
center to handle server administration
› This change was met with resistance
› Unsecured subnet moved to the center
› System administrators continued to monitor
the systems remotely even though this duty
was transferred to the computer center
Budget cuts led to many departmental IS support personnel being laid off
› Depts. had to rely on the existing IT infrastructure
› Depts. with responsibilities in support areas also lost staff and had to pick up the slack
Decision was made to replace hardware
› Replacement servers agreed upon
› This project was delayed several months
› Replacements were “linked to a migration to the university active directory forest” (p. 329)
A system administrator logged on remotely and noticed a new folder on the desktop
A user ID “Ken” with administrative rights had been created over the weekend
Security settings were intact, but the process used to examine open files had been disabled
This raised suspicion that the system had been hacked
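As an added example (not from the case study or the university's own tooling), the following PowerShell audit would have surfaced an account like “Ken” without waiting for someone to notice a folder on the desktop. It normalizes Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) and flags accounts created outside business hours or added to an administrators group. The event IDs, the 07:00-19:00 weekday window, the group names and the sample records are assumptions; on a live server the records come from Get-WinEvent.

```powershell
# Added example: audit account-creation and admin-group-membership events.
# Assumptions: Security log event IDs 4720 (account created) and 4732 (member
# added to local group); business hours are 07:00-19:00, Monday to Friday.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record through its XML payload so the logic below
    # does not depend on the positional Properties[] layout of each event ID.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        [xml]$xml = $Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($Record.Id -eq 4720) {
            $account = $data['TargetUserName']; $group = $null
        } else {
            # For 4732, MemberName may be a distinguished name; TargetUserName is the group.
            $account = $data['MemberName']; $group = $data['TargetUserName']
        }
        [pscustomobject]@{
            Id          = $Record.Id
            TimeCreated = $Record.TimeCreated
            Account     = $account
            Group       = $group
            Actor       = $data['SubjectUserName']   # who performed the change
        }
    }
}

function Find-SuspiciousAccountEvent {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # output of ConvertFrom-SecurityEvent
        [string[]] $AdminGroups = @('Administrators', 'Domain Admins'),
        [int] $StartHour = 7,
        [int] $EndHour = 19
    )
    foreach ($r in $Records) {
        $reasons = @()
        $t = $r.TimeCreated
        $offHours = ($t.DayOfWeek -in 'Saturday', 'Sunday') -or
                    ($t.Hour -lt $StartHour) -or ($t.Hour -ge $EndHour)
        if ($r.Id -eq 4720 -and $offHours) { $reasons += 'account created outside business hours' }
        if ($r.Id -eq 4732 -and $AdminGroups -contains $r.Group) { $reasons += "added to $($r.Group)" }
        if ($reasons) {
            [pscustomobject]@{ Account = $r.Account; When = $t; Actor = $r.Actor; Why = ($reasons -join '; ') }
        }
    }
}

# --- Constructed sample records (not real log data); 2005-03-12 is a Saturday ---
$sample = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = [datetime]'2005-03-12 02:14'; Account = 'Ken';    Group = $null;            Actor = 'svc_backup' }
    [pscustomobject]@{ Id = 4732; TimeCreated = [datetime]'2005-03-12 02:15'; Account = 'Ken';    Group = 'Administrators'; Actor = 'svc_backup' }
    [pscustomobject]@{ Id = 4720; TimeCreated = [datetime]'2005-03-14 10:30'; Account = 'jsmith'; Group = $null;            Actor = 'helpdesk1'  }
)
Find-SuspiciousAccountEvent -Records $sample | Format-Table -AutoSize
# Expected: two rows for Ken (off-hours creation, added to Administrators); jsmith is not listed.

# Against a live server (run as an administrator, last 7 days):
# $recs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-7) } |
#         ConvertFrom-SecurityEvent
# Find-SuspiciousAccountEvent -Records $recs
```

The Actor column is the part worth reading first: an account created by a service account, or by an administrator who was not working that weekend, is the same signal the case describes, only caught at creation time rather than days later. Reading the XML payload instead of `Properties[n]` keeps the script correct across event IDs whose property order differs.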
Both system administrators talked on the phone and decided to:
› Disconnect the system from the network
› Notify the university security team
› Review the system to determine the magnitude of the breach
Determined that a Trojan had been installed
Other personnel were notified and the latest Microsoft patches were applied to the servers
Two other servers were found to be compromised as well
Client system TAPI2 service compromised
› Access gained through a user ID whose password was the same as the user ID
DameWare Trojan program found on server_1
Entire domain was compromised
PDC in the 2nd domain also compromised
2 member servers and 100+ workstations also had to be treated as suspect
Servers were cleaned
Firewall configuration
A stricter password policy was created
Computer forensics expert was contracted to certify that all systems were clean and to restore systems to full functionality
Summary and analysis written for system administrators to help prevent future attacks
Standard server configurations modified to improve status reporting
Password policy made permanent
Invalid domain accounts were removed
Suggested deleting the administrative shares and using batch files to keep them disabled
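The suggestion above is the one place the case gives a concrete hardening step, so here is an added example of carrying it out (this is not the university's batch file, and the page does not show one). A batch file would run `net share C$ /delete` for each drive; the PowerShell below does the same with the SmbShare cmdlets and, more importantly, sets the AutoShareServer/AutoShareWks registry values so the Server service does not recreate the shares at its next start. It assumes Windows Server 2012 / Windows 8 or later for the SmbShare module; the registry values are the same on older releases.

```powershell
# Added example: remove the automatic administrative shares (C$, D$, ..., ADMIN$)
# and stop the Server service from recreating them. Assumes the SmbShare module
# (Server 2012 / Windows 8 and later); must be run as an administrator.

function Disable-AdminShares {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $KeepAdminDollar)   # ADMIN$ is required by some remote-management tools

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # AutoShareServer governs server SKUs and AutoShareWks workstations; setting
    # both to 0 is harmless and covers either case. Deleting the shares alone
    # only lasts until the next reboot or restart of the Server service.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        if ($PSCmdlet.ShouldProcess("$lanman\$name", 'Set to 0')) {
            Set-ItemProperty -Path $lanman -Name $name -Value 0 -Type DWord
        }
    }
    # Remove the shares that already exist right now.
    $pattern = if ($KeepAdminDollar) { '^[A-Z]\$$' } else { '^([A-Z]|ADMIN)\$$' }
    foreach ($share in (Get-SmbShare -Special | Where-Object { $_.Name -match $pattern })) {
        if ($PSCmdlet.ShouldProcess($share.Name, 'Remove share')) {
            Remove-SmbShare -Name $share.Name -Force
        }
    }
}

function Test-AdminSharesDisabled {
    # $true only when both registry values are 0 AND no drive/ADMIN$ share is present.
    # A missing value means the default (enabled), so it counts as not disabled.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $lanman
    $regOk = ($p.AutoShareServer -eq 0) -and ($p.AutoShareWks -eq 0)
    $left = Get-SmbShare -Special | Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' }
    return ($regOk -and -not $left)
}

Disable-AdminShares -WhatIf     # preview the registry writes and share removals
Disable-AdminShares -Verbose
Test-AdminSharesDisabled        # should print True once the change is complete
```

The check function exists because a share removed by hand comes back silently after a reboot; the case's "batch files disable them" suggestion is really a workaround for exactly that, and the registry values make it unnecessary. IPC$ is deliberately left alone, since removing it breaks ordinary named-pipe and domain operations.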
Did the immediate counterattack
actions help the university in any way?
› Yes. Wiping all the servers clean, removing
malware, making lists of ports to aid in
firewall configuration, and implementing a
password policy were the logical and
necessary steps to take immediately
› Hiring computer forensic experts was a
prudent move
Were the long-term counterattack
actions taken adequate for SU?
› Yes and No. Writing after-action reports and analyses is important to prevent future attacks
› Improving system reports in the server
configuration and making a permanent
password policy were good measures
› Full extent of the compromise is still unknown
› Did not investigate the hacker
In what ways, if any, do you think the poor
corporate culture of university personnel
contributed to the hacking incident?