Description
Not Real University Data Breach
Three questions in total require 250 words
The Situation
NotReal University (NRU) is a small public university located in Iowa.
NRU uses a transaction management system.
Students are issued a card tied to the system
The cards can be used for meals from the on-campus meal plans.
In addition to the meal plans, the transaction management system handles virtual dollars. Students and parents can add funds to the cards that can be used at various vendors, such as the campus bookstore and selected off-campus stores and restaurants.
The transaction management system is hosted and administered at the university.
For political reasons, control of the system is spread among several organizations at the university.
The Information Technology division manages the servers
The Finance division is responsible for overall system administration
The Administrative Support Service division manages relationships with on-campus and off-campus vendors
The transaction management system is a profit center for the university. Last year, it generated about $800,000 for NRU from commissions on vendor sales.
The system hosts a significant amount of personally identifiable information (PII), such as the users’ names, addresses, phone numbers, and student ID numbers.
System operational control and security are lax
There are no formal, written processes for managing the system
Administrators learn “on the job.” Don, the overall system administrator in the finance division, is an accountant with little system administration or security training, who manages the system in addition to other job duties.
Authentication is handled by username/password
Users come from Information Technology, Finance, and Administrative Support Services divisions. Users are assigned to groups based on their job functions: each group has different but limited access based on their job functions
There are several administrators from each group with full access
System events are logged, but events can only be seen at the group level. For example, a log reviewer can learn that someone from Finance made a change, but not which user made the change.
The Breach
While going through log files to see if a patch was working correctly, an administrator from Information Technology noted that a significant amount of data, including PII, was exported by an administrator at 2am that morning. He reported this suspicious occurrence and the university hired an external security auditor to investigate.
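The logging gap described above (events visible only at the group level) and the 2am export can be made concrete with a small detection sketch. This is an added example, not part of the case study: the key=value log format, the field names, the thresholds, and the account name adm-it-02 are all assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime

# Constructed log lines. user=- models group-only logging, where the
# individual account is not recorded; the last line shows what
# per-user logging would capture instead.
LOG = """\
2024-03-14T10:12:03 group=finance user=- action=update records=1
2024-03-14T14:40:55 group=admin user=- action=export records=12
2024-03-15T02:04:11 group=admin user=- action=export records=500
2024-03-15T02:30:00 group=admin user=adm-it-02 action=export records=450
"""

LINE = re.compile(
    r"(?P<ts>\S+) group=(?P<group>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)"
)

def suspicious_exports(log_text, start_hour=7, end_hour=19, max_records=100):
    """Return exports that are off-hours or unusually large."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m or m["action"] != "export":
            continue
        ts = datetime.fromisoformat(m["ts"])
        off_hours = not (start_hour <= ts.hour < end_hour)
        bulk = int(m["records"]) > max_records
        if off_hours or bulk:
            user = None if m["user"] == "-" else m["user"]
            alerts.append({
                "time": ts, "group": m["group"], "user": user,
                "records": int(m["records"]),
                # False means the investigator cannot name the account used
                "attributable": user is not None,
            })
    return alerts

if __name__ == "__main__":
    for a in suspicious_exports(LOG):
        who = a["user"] or "unknown member of group " + a["group"]
        print(a["time"], a["records"], "records exported by", who)
```

Both off-hours exports raise an alert, but only the one logged with a user field can be tied to a specific account.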
The Investigation
The auditor knew only that someone from the administrator group exported the data. The specific administrator account that was used could not be determined.
The auditor first wanted to know if the leak was an internal job or an external attacker. He found several vulnerabilities that an external attacker could have exploited.
There were over 50 orphan accounts that were either never closed when the user left the university or were set up (with a default password) but were never used.
Usernames are the first initial plus the last name (for example, jsmith). Since employee names are available through the website, it would be easy for an attacker to know valid usernames.
Passwords were not well-controlled. They were never required to be changed and could be very simple. Users shared username/passwords with student workers, temporary employees, and contractors through email or on the phone.
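The account findings above lend themselves to a routine audit. The following is an added example, not part of the case study, that flags enabled accounts whose owner has left, accounts that were created but never used, and accounts still on their default password. The record fields and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    # Field names are assumptions for this example, not NRU's real schema.
    username: str
    enabled: bool
    employed: bool                     # HR record: person still works at the university
    last_login: Optional[date]         # None = account was set up but never used
    password_changed: Optional[date]   # None = default password still in place

# Constructed sample data.
ACCOUNTS = [
    Account("jsmith", True, True, date(2024, 3, 1), date(2024, 1, 10)),
    Account("bjones", True, False, date(2021, 5, 2), date(2018, 1, 6)),
    Account("tnguyen", True, True, None, None),
    Account("dlee", True, True, date(2024, 2, 28), None),
    Account("mgarcia", False, False, date(2020, 1, 1), date(2016, 3, 4)),
]

def audit(accounts):
    """Map each enabled account with a problem to the list of problems found."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue  # already closed, nothing to exploit
        issues = []
        if not a.employed:
            issues.append("orphan: owner left, account still enabled")
        if a.last_login is None:
            issues.append("orphan: created but never used")
        if a.password_changed is None:
            issues.append("default password never changed")
        if issues:
            findings[a.username] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS).items():
        print(user, "->", "; ".join(issues))
```

Run against a join of the HR roster and the system's account table, a check like this surfaces both kinds of orphan account the auditor found.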
The auditor interviewed administrators from each division to see if he could determine if an internal administrator accessed the information. No one admitted it.
During the interviews, an administrator in Information Technology stated that he had given, by phone, the IP address of the transaction management system server to an external contractor who was upgrading other servers at the university.
The Results and the Aftermath
The auditor finally determined that the external contractor had stolen the information.
The contractor noticed the poor security and thought he could steal valuable PII without being detected
Once he had the IP address of the server, he used attack tools to exfiltrate the password file, and get an administrator’s username and encrypted password from it. Since the password was only three letters long, he was able to crack it quickly.
He then used the administrative access to export the PII.
500 students had their information compromised
The university was forced to announce the breach, with the resulting bad publicity
The university offered the victims additional money on the transaction management card and free credit monitoring
Questions – Deliverables
The actual attack was social engineering, where the administrator was tricked into giving sensitive information (the IP address of the server) to the attacker. How should the university prevent this kind of attack in the future?
There are several problems with access control and authentication of users. What are they and how should the university resolve these problems?
There are several problems with the management of the system. What are they and how should the university resolve these problems?