Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge
With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I — along with some guests — are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information.
PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I’ll have a stack at Blackhat and during the next Catalyst onTour trip!
Meantime, check out Adam’s excellent site: http://www.adamdodge.com/esi/
Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information on 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department assumed that it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions containing personal and credit card information had been compromised.
In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000.
The university fired 2 IT administrators and the CIO resigned.
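The alumni server above is the recurring pattern in this story: a system everyone believed had been retired was still on the network, had missed every patch cycle for more than a year, and was only noticed when it started attacking someone else. The check below is an added example written for these notes, not anything Ohio University or the show used. It reconciles what an asset inventory says about each host with what was actually observed on the network and flags the two conditions that made the alumni server dangerous: a host recorded as decommissioned that is still live, and a live host whose last recorded patch is older than a threshold. It also flags live hosts the inventory knows nothing about. All hostnames, owners, dates, port lists, the field names, and the 365-day threshold are constructed sample values and assumptions, not details from the post.

```python
"""Asset-inventory reconciliation (added example; sample data is constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class InventoryRecord:
    """What the inventory/CMDB claims about a host (field names are assumptions)."""
    hostname: str
    owner: str
    status: str                    # assumed vocabulary: "active" or "decommissioned"
    last_patched: Optional[date]   # None means no patch date on record


@dataclass(frozen=True)
class Observation:
    """What was actually seen on the network (e.g. from a scan or flow records)."""
    hostname: str
    last_seen: date
    listening_ports: tuple[int, ...]


@dataclass(frozen=True)
class Finding:
    hostname: str
    issue: str     # zombie_host | stale_patches | never_patched | unknown_host
    detail: str


def reconcile(inventory: Iterable[InventoryRecord],
              observations: Iterable[Observation],
              as_of: date,
              max_patch_age_days: int = 365) -> list[Finding]:
    """Compare inventory claims against observed hosts and return the mismatches."""
    observed = {o.hostname: o for o in observations}
    recorded: set[str] = set()
    findings: list[Finding] = []

    for rec in inventory:
        recorded.add(rec.hostname)
        obs = observed.get(rec.hostname)
        if obs is None:
            continue  # not seen on the network, so not currently exposed
        # "Retired" on paper but still answering: the alumni-server case.
        if rec.status == "decommissioned":
            findings.append(Finding(
                rec.hostname, "zombie_host",
                f"recorded as decommissioned (owner: {rec.owner}) but seen on "
                f"{obs.last_seen.isoformat()} listening on ports {list(obs.listening_ports)}"))
        # A live host that has silently missed patch cycles.
        if rec.last_patched is None:
            findings.append(Finding(
                rec.hostname, "never_patched", "no patch date on record for a live host"))
        else:
            age = (as_of - rec.last_patched).days
            if age > max_patch_age_days:
                findings.append(Finding(
                    rec.hostname, "stale_patches",
                    f"last patched {rec.last_patched.isoformat()}, {age} days ago"))

    # Live hosts nobody owns on paper are the "spontaneous mushrooming" problem.
    for name, obs in observed.items():
        if name not in recorded:
            findings.append(Finding(
                name, "unknown_host",
                f"seen on {obs.last_seen.isoformat()} but absent from inventory"))

    return sorted(findings, key=lambda f: (f.hostname, f.issue))


# --- constructed sample data (not real Ohio University records) ---
AS_OF = date(2006, 4, 24)

SAMPLE_INVENTORY = [
    InventoryRecord("alumni-db", "Alumni Relations", "decommissioned", date(2005, 1, 15)),
    InventoryRecord("techtransfer-01", "Technology Transfer", "active", date(2006, 3, 30)),
    InventoryRecord("hudson-health-db", "Hudson Health Center", "active", date(2004, 11, 2)),
    InventoryRecord("vendor-1099", "Finance", "active", None),
]

SAMPLE_OBSERVATIONS = [
    Observation("alumni-db", date(2006, 4, 24), (22, 3306)),
    Observation("techtransfer-01", date(2006, 4, 21), (80, 443)),
    Observation("hudson-health-db", date(2006, 4, 24), (1433,)),
    Observation("vendor-1099", date(2006, 4, 24), (443,)),
    Observation("lab-box-07", date(2006, 4, 23), (22,)),
]


def run_sample() -> list[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_OBSERVATIONS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.hostname:18} {f.issue:14} {f.detail}")
```

The point of running this on a schedule rather than once is the gap that bit Ohio University: the inventory said "gone", the network said "listening", and nobody compared the two for a year. The `techtransfer-01` record produces no finding because it is both inventoried and recently patched, which is the state every live host should be in.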
What was the response
Ohio University’s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response than simply taking the servers down and investigating.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications
- The university formed an IT-oversight committee
- The university hired consultant firms to perform full risk assessments
- The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings the committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional $7-10 million based on the consultants’ report.
- Ohio University has continued to talk about this breach openly and honestly.
- OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As for one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.
What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
- In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through a “spontaneous mushrooming of IT people on campus”. A report from a consultant confirmed this view, describing the IT departments on campus as an “adhocracy” characterized by poor communications and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision-making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in the IT budget ($1 million in 2 years) and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this exact environment can be found at many educational institutions. Ohio University was not unique in these issues.
Links for more information
OU news release about the breaches
http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (Subscription required)
Wasley, Paula. “More Holes Than a Pound of Swiss Cheese” The Chronicle of Higher Education <http://chronicle.com/weekly/v53/i06/06a03901.htm>
Articles about the breaches
Sandoval, Greg “University server in hackers’ hands for a year” CNet News.com <http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
Vijayan, Jaikumar “Ohio University reports two separate security breaches” Computerworld <http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
OU President McDavis’ essay about the breaches (Subscription Required)
McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis” The Chronicle of Higher Education <http://chronicle.com/weekly/v54/i30/30b00501.htm>
A good write-up of President McDavis’ essay
Heck, Richard “McDavis writes of computer breach in national publication” The Athens Messenger <http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
Ohio University data theft web site
http://www.ohio.edu/datatheft/index.cfm
Posted in Information Protection, Into the Breach, netcast