1. Critical Thinking #2
Principles of Computer Information Systems Security
Tyler Brunet
VCU Department of Information Systems
2. Case of a Computer Hack - Background
- Case took place over 2 years at Stellar University
- This is a public institution that contains a diverse range of technologies: Windows 3.1 to 2003 inclusive, VAX, Mainframe, Linux, Unix, Apple, SANs, NASs
- Infrastructure: Token Ring, 10/100/1000 Mbps Ethernet, Wireless & Dialup
- There is a VPN to the medical portion of the university
3. server_1
- Running Windows NT 4.0 Service Pack 5
- Internet Explorer 4
- Primary Domain Controller (PDC), no Backup Domain Controllers (BDCs)
- Windows Internet Naming Service (WINS)
- Primary File Server
- Primary Print Server
4. Naming Convention: server_1
- The difference between a dash (-) and an underscore (_) is minimal, but the underscore is unsupported by the DNS server
- Too late to change the naming convention: would have to reinstall SQL and reconfigure 800+ systems
- Dashes are supported
5. History of server_1
- Relocated on an as-is basis
- Accountability for the server was transferred
- Minimal system documentation & history
- Changes broke applications temporarily
- Changes had to be made with approval
6. Off-hour Maintenance
- First off-hours maintenance attempt was disastrous
- Windows NT 4.0 Service Pack 6a would not apply, due to the error message "could not find setup.log file in repair directory"
- Other system-critical updates would not apply for the same reason
- SQL 7.0 Service Pack 4 would not go past 57%: said there was not enough room to install
- Would not uninstall at that point either
7. Hack Discovered
- Found a new folder on the desktop
- Multiple DOS windows popped up in succession
- Processor usage spiked higher than normal
- No security settings were knowingly modified
- Anti-virus was current, but the process to examine open files was disabled
8. Immediate Response
- Take the system off the network to prevent spread of a possible compromise
- Notify the security team at the university
- Review the system to determine scope and severity
- Determined that a Trojan was installed on server_1
9. Further Research
- A password crack program was executed
- Found 2 additional servers to be compromised
- Found a client system to be compromised
- A user had set username and password the same (jksmith); this was the weak link that was exploited to gain access to the server
- The DameWare Trojan program was eventually located on server_1
10. Immediate Counterattack Actions Taken
- Clean the servers: removed all malware that was identified
- Required ports were compiled to facilitate the firewall configuration
- A password policy was established
- Unsure if all remnants of the attack were removed, so a computer forensic expert was brought in to accomplish the task
- Found 12 client workstations infected along with the infected servers
11. Long-term Counterattack Actions
- Modified the standard server configuration
- Password policy change was made permanent
- Server was configured with a batch file that gathers system info and places it in a text file on the hard drive
- The deletions of net shares could be tailored to each server and placed in that batch file with minimal effort
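An added example, not taken from the slides or from the Dhillon case, of what such a batch file could look like: it snapshots the server state into a text file and then removes the shares that server does not need. It assumes cmd.exe on Windows NT 4.0, a log path of %SystemDrive%\sysinfo.txt, and the placeholder share names OLDDATA, TEMP and PUBLIC, which would be tailored per server.

```batch
@echo off
rem Hypothetical inventory-and-hardening script modelled on the slide above.
rem Written for the classic cmd.exe on Windows NT 4.0: the %DATE% and %TIME%
rem variables do not exist there, so date /t and time /t are used instead.
rem LOGFILE and the share names in the delete section are assumptions.

set LOGFILE=%SystemDrive%\sysinfo.txt

echo ================================================== >> %LOGFILE%
echo Host: %COMPUTERNAME% >> %LOGFILE%
date /t >> %LOGFILE%
time /t >> %LOGFILE%

rem --- Section 1: baseline snapshot a responder can diff against later ---
echo [Network configuration] >> %LOGFILE%
ipconfig /all >> %LOGFILE%
echo [Listening ports and connections] >> %LOGFILE%
netstat -an >> %LOGFILE%
echo [Running services] >> %LOGFILE%
net start >> %LOGFILE%
echo [Shares before cleanup] >> %LOGFILE%
net share >> %LOGFILE%
echo [Local accounts] >> %LOGFILE%
net user >> %LOGFILE%
echo [Members of local Administrators group] >> %LOGFILE%
net localgroup Administrators >> %LOGFILE%

rem --- Section 2: remove shares this server does not need (tailor per server) ---
rem The list holds placeholder share names; a name that does not exist only
rem produces an error line, which is captured in the log via 2>&1.
rem Note: the default administrative shares (C$, ADMIN$, ...) are recreated at
rem every restart unless the LanmanServer AutoShareServer registry value is 0,
rem so deleting them here alone is not a lasting change.
for %%S in (OLDDATA TEMP PUBLIC) do net share %%S /delete >> %LOGFILE% 2>&1

echo [Shares after cleanup] >> %LOGFILE%
net share >> %LOGFILE%
```

Keeping a copy of the previous run's file off the server lets a reviewer compare snapshots and spot a share, service or account that appeared between runs.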
12. Sources
Dhillon, G. (2006). Principles of information systems security: Text and cases (pp. 325-334). John Wiley & Sons.