Today’s Event
Thursday, August 14, 2003, 1:00-2:00pm EDT
“Managing Security Incidents”
with Gordon Wishon, Chief Information Officer and Associate Vice President, University of Notre Dame
and Dan Updegrove, Vice President for Information Technology, The University of Texas at Austin
Ultratime Server Compromise
• Monitoring system reported that a Windows NT IIS Version 4 web server had failed to respond
• Administrator investigation discovered large warez files, an active ftp daemon, and password harvesting
• System disconnected from network, forensics investigation initiated
• Evidence of Nimda and other viruses discovered
• Compromised system hosted the ‘UltraTime’ application, ancillary to the payroll system, used to track hourly employees’ timecard entries

Ultratime Server Compromise
• Presence of sensitive personal information (including SSN, salary info) on the server raised immediate concerns about potential for compromise, subsequent identity theft, and integrity of payroll source data
  • 8400 active employees
  • 5000 inactive employees
  • Archived records dating back to 1995
• However, no direct evidence of compromise (thorough forensics investigation by internal security staff and an independent security consultant found no evidence of file browsing or downloading); payroll audit outcome also positive

Ultratime Server Compromise
Ethical Question: Without definitive evidence of compromise, should affected users be notified?
• Considerations against disclosure
  • Raising unnecessary concerns
  • Subjecting the university to potential civil liability from claims of complicity
  • Potential damage to reputation as trustworthy stewards
• Considerations for disclosure
  • Potential damage to reputation as trustworthy stewards
  • Potential for real damage to employees

Ultratime Server Compromise
• Decision: Disclose
• Targeted message (personal letter) to all active employees affected
• General message to campus with advice re: identity theft (www.consumer.gov/idtheft/)
UT Austin SSN Data Theft Chronology
• Sun, Mar 2, 7:20 pm: initial observation of high-volume database access from off-campus
• Mar 3: law enforcement contacted
• Mar 4: Evidence points to a UT student
• Mar 5: Two residences searched
• Mar 6: Austin American-Statesman breaks story; UT datatheft website deployed
• Mar 14: UT student charged
• Aug 14: Case unresolved…

UT Austin SSN: What Happened?
• An insecure interface to a UT mainframe database provided access to over 1 million records
• A program was written to input 2.6 million SSNs against this interface
• Of these, ~50,000 matched, disclosing names of current/former students, faculty, staff, admission & job applicants, library patrons, and current & former faculty & staff at UT Austin & other UT campuses
• No evidence that SSNs & names were disseminated or misused, but impossible to “prove a negative”
• UT has attempted to contact all individuals affected
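The first observation in the UT chronology (high-volume lookups from off-campus) and the mechanism described above (millions of candidate SSNs fed to a lookup interface, only ~2% matching) together describe an enumeration pattern a monitoring rule can key on: many queries per source in a short window with a low hit ratio. This is an added example, not code or data from either university; the log format, the campus address range and the thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed campus address space; RFC 5737 documentation ranges stand in for real ones.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
EPOCH = datetime(1970, 1, 1)

def make_sample_log():
    """Constructed log lines, format '<ISO time> <client IP> result=<hit|miss>'."""
    base = datetime(2003, 3, 2, 19, 20)
    lines = []
    # Off-campus source sweeping candidate identifiers: many queries, almost all misses.
    for i in range(60):
        result = "hit" if i % 30 == 0 else "miss"
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 203.0.113.7 result={result}")
    # On-campus batch job: same volume, but nearly every lookup matches a known record.
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} 192.0.2.10 result=hit")
    # Ordinary off-campus user: a handful of successful lookups.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 198.51.100.4 result=hit")
    return lines

def parse(lines):
    """Yield (timestamp, source address, matched?) for each log line."""
    for line in lines:
        ts, ip, result = line.split()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(ip), result == "result=hit"

def detect(events, window=timedelta(minutes=10), min_queries=50, max_hit_ratio=0.1):
    """Flag sources that issue at least min_queries within one window while
    matching rarely: the signature of guessing identifiers rather than looking
    up known ones. Thresholds are illustrative assumptions, not tuned values."""
    buckets = defaultdict(lambda: [0, 0])  # (source, window index) -> [queries, hits]
    for ts, ip, hit in events:
        stats = buckets[(ip, (ts - EPOCH) // window)]
        stats[0] += 1
        stats[1] += int(hit)
    findings = {}
    for (ip, _), (queries, hits) in buckets.items():
        if queries >= min_queries and hits / queries <= max_hit_ratio:
            off_campus = not any(ip in net for net in CAMPUS_NETS)
            findings[str(ip)] = {"queries": queries, "hits": hits, "off_campus": off_campus}
    return findings

if __name__ == "__main__":
    print(detect(parse(make_sample_log())))
```

The campus batch job is not flagged despite its volume because its hit ratio is high; the ratio test is what separates a legitimate bulk lookup from a guessing sweep, and the off-campus flag is what would have prompted the Sunday-evening call.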
UT Austin SSN: Communications
• https://www.utexas.edu/datatheft/
  • UT’s public statement
  • Links to US Attorney statements
  • Link to email: over 2,000
  • Link to data form: over 6,500
• Toll-free hotline: over 3,000
• Two email messages to these groups
• U.S. mail to all for whom UT has good addresses
• Confusion and concern re “data theft” vs. “identity theft”
• Total costs of incident exceed $120,000

UT SSN: Security Issues, Aftermath
• Highlights risk of SSN as University ID
  • UT Austin Committee had been addressing this issue
  • Faculty posting of grades a long-standing concern
• Web front-ends remove “security by obscurity”
• Downside of integrated database
• All UT System (15 campuses) central & mission-critical applications will be reviewed
• UT System has launched a Security Advisory Committee and an SSN Task Force
Assembling the Crisis Team
• How do you know when it’s time?
• Who calls the first meeting?
• Who attends?
• What next?
• How to coordinate?
• Other advice?

Legal Issues
• Dealing with institution’s own counsel
• Dealing with on-campus police
• Dealing with off-campus police, FBI, etc.
• Preserving evidence vs. minimizing damage
• What to do/say to avoid increased exposure
• Other legal issues?

The Press
• Official statements
  • When?
  • By whom?
  • To whom?
  • Press conference?
• Resources and challenges
  • On-campus press office
  • Student paper
  • National press
  • The Web
    • Pluses and minuses

Final Thoughts
• Best decision
• Worst decision
• Lessons learned
• Changes deployed
• Single piece of advice