Ct2 presentation: Stevens

Upload: elizabeth-stevens

Post on 09-Jun-2015


Page 2

An urban university that caters to mostly commuter students

Diverse range of technologies that strive for a high level of security

Any dept. can set up servers that are administered by people with other primary duties

Not reporting servers creates vulnerable internal networks

Page 3

Some departments work well together and share information

“Towers of power” do not like to engage with others outside of their group

These different working styles lead to a lack of consistency and accountability

Miscommunication caused issues with the server and domain structure

  › No firewall = open to hacking

Page 4

Departments were reorganized

Towers of power restructured

All servers were moved to the computer center to handle server administration

  › This change was met with resistance

  › Unsecured subnet moved to the center

  › System administrators continued to monitor the systems remotely even though this duty was transferred to the computer center

Page 5

Budget cuts led to many departmental IS support personnel being laid off

  › Depts. had to rely on existing IT infrastructure

  › Depts. with responsibilities in support areas also lost staff and had to pick up the slack

Decision was made to replace hardware

  › Replacement servers agreed upon

  › This project was delayed several months

  › Replacements “linked to a migration to the university active directory forest” (p. 329)

Page 6

System administrator logged on remotely and noticed a new folder on the desktop

User ID “Ken” with administrative rights was created over the weekend

Security settings were okay, but the process to examine open files was disabled

This raised suspicions that the system was hacked

Page 7

Both system administrators talked on the phone and decided to:

  › Disconnect the system from the network

  › Notify the university security team

  › Review the system to figure out the magnitude of the breach

Determined a Trojan was installed

Other personnel were notified and new Microsoft patches were applied to servers

Page 8

Two other servers were compromised too

Client system TAPI2 service compromised

  › Access gained by a user ID with the ID itself as its password

DameWare Trojan program found on server_1

Entire domain was compromised

PDC in 2nd domain also compromised

2 member servers and 100+ workstations also had to be treated as suspicious

Page 9

Servers were cleaned

Firewall configuration

A stricter password policy was created

Computer forensics expert was contracted to certify all systems were clean and restore systems to full functionality

Page 10

Summary and analysis written for system administrators to prevent future attacks

Standard server configurations modified to improve reporting statuses

Password policy became permanent

Invalid domain accounts were removed

Suggested to delete administrative shares and have batch files disable them
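The last suggestion above, as an added PowerShell example (not from the presentation or the case it describes): remove the default administrative shares and keep them disabled across reboots, which is the job the slide assigns to batch files. It assumes a Windows Server host (the registry value name differs on workstations) and an elevated session.

```powershell
# Added example, not code from the presentation or the case it describes.
# Removes the default administrative shares (ADMIN$ and the drive-letter
# shares) and stops the Server service from recreating them at startup.
# Assumes a Windows Server host; a workstation uses AutoShareWks instead.
# Run in an elevated PowerShell session.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Returns the names of the default administrative shares currently offered.
# Only ADMIN$ and single-letter drive shares match, so IPC$ (which cannot be
# removed) and any hidden shares created by staff are left alone.
function Get-AdminShares {
    net share |
        Select-String -Pattern '^(ADMIN\$|[A-Z]\$)\s' |
        ForEach-Object { ($_.Line -split '\s+')[0] }
}

# 1. Persistence: 'net share X /delete' alone is not enough, because the
#    Server service recreates the default shares at every boot unless this
#    value is 0. This is the step a batch file would otherwise have to repeat.
Set-ItemProperty -Path $LanmanParams -Name 'AutoShareServer' -Value 0 -Type DWord

# 2. Remove the shares that exist right now.
foreach ($share in Get-AdminShares) {
    net share $share /delete | Out-Null
}

# 3. Verify and report, so the result can go into the server's status report.
$remaining = @(Get-AdminShares)
if ($remaining.Count -gt 0) {
    Write-Warning ('Administrative shares still present: ' + ($remaining -join ', '))
} else {
    Write-Output 'No administrative shares remain; AutoShareServer=0 keeps them off after reboot.'
}
```

Removing these shares breaks tools that rely on them (remote file copy to C$, some patch and management agents), so test on one server and record the exceptions before rolling it out.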

Page 11

Did the immediate counterattack actions help the university in any way?

  › Yes. Wiping all the servers clean, removing malware, making lists of ports to aid in firewall configuration, and implementing a password policy were the logical and necessary steps to take immediately

  › Hiring computer forensic experts was a prudent move

Page 12

Were the long-term counterattack actions taken adequate for SU?

  › Yes and No. Writing after-action reports and analyses is important to prevent future attacks

  › Improving system reports in the server configuration and making a permanent password policy were good measures

  › Full extent of the compromise is still unknown

  › Did not investigate the hacker

Page 13

In what ways, if any, do you think the poor corporate culture of university personnel contributed to the hacking incident?