Ever wonder about the poor guys who get caught in the middle of a nationally disclosed IT security breach? Take the case of the two Ohio University IT administrators that has been recently covered in the news. It's a sad commentary on the health of IT security, the peregrinations of large organizations, and the ignorance of management.
Career IT Employees
Tom Reid was Director of Communication Network Services and Computer Services at OU, and Todd Acheson was Manager of Internet and Systems. Both had long careers spanning more than 20 years at OU, but they were relatively new to their positions of administrative responsibility. They had risen through the ranks from cogs in the massive IT organization, and they had both seen the sudden rise in the importance and the complexity of the Internet and security. Both had received glowing reviews from their superiors this last year, including commendations from Bill Sams, CIO and Associate Provost for Information Technology.
Stumbling Upon Catastrophe
Then, on April 23, a routine sweep of servers noted an unusually large amount of activity at the university's alumni center. What could cause such an increase in activity? A quick investigation showed that files containing almost 137,000 alumni records—files believed to have been behind a firewall—were being accessed by persons unknown on the Internet.
Of course, immediate action was taken to determine what files were affected, but it was concluded that the server was actually first compromised long before, in March of 2005. The most troubling part of the discovery was that the files contained alumni Social Security numbers. This meant that the FBI needed to be called in, and a complete review of IT security was required.
A History of Stumbling
Ohio University had had a troubled IT organization for many years. It had run without a CIO for almost two years before Bill Sams was hired as Associate Provost for IT and Chief Information Officer. Sams became the sixth CIO in 10 years to try to bring the institution's unruly IT organization into the 21st century. Most mid-level administrators within the large department had risen up through the ranks, many starting as students. Bill Sams, by comparison, was from the Silicon Valley with more than 25 years of experience. If anyone could fix IT, the university officials reasoned, perhaps Sams—with his outside expertise—would be the one.
Of course, the first thing he did was to begin reorganization.
The Reorganization of IT
As part of a university-wide austerity measure instituted by the OU president, Roderick McDavis, budget cuts were enacted. As CIO, Sams was asked to reduce the IT budget by $1 million, including a 3% reduction in 2005 and a 12% reduction in 2006. Sams said he was given "targets" to hit by the university. "We try to be good soldiers if the university needs to cut things," he said.
On the face of things, the security breach on the alumni server appeared to be a result of these budget cuts: With fewer IT resources at its disposal, an older server had been placed into service without adequate protection. The files on the machine were not even supposed to be there. It was just an honest mistake, an accident of time and resources.
But then things started to quickly unravel at Ohio University. Alumni were outraged that their personal information, including Social Security numbers, was compromised. And the review of security on other servers by the FBI revealed other places where server security had been breached.
What They Didn't Know
In all, five more servers were identified as "compromised," including a Health Services machine containing medical records and a university computer that housed IRS 1099 tax forms for 2,480 vendors and independent contractors who worked for the university between 2004 and 2005. The university also discovered that a computer hosting a "variety of Web-based forms" that included class lists containing the Social Security numbers of about 4,900 current and former students had been accessed. At latest count, more than 365,000 personal identities had been "compromised."
The Buck Stops...Where?
It was the perfect storm, as far as the administration was concerned. The breaches made national news, and the local newspapers were calling for "heads to roll." Alumni were calling in to complain, and lawsuits were being prepared. So the administration needed a few sacrifices on the altar of IT to appease the mob.
Tom Reid (the Director of Communication Network Services and Computer Services) and Todd Acheson (Manager of Internet and Systems) looked like good candidates. They were suspended.
Enter Stage Right: The Consultants
A consulting group, Moran Technology Consulting of Naperville, Illinois—a group that already had a large $300K contract with the university—was given a new contract to review security and assign blame. (It is not clear if they also provided the personnel to fill the vacancies of Reid and Acheson.) Their study, called "The Moran Report," interviewed employees within IT and eventually laid the bodies of the suspended employees at the administration's altar. The reason? Well, it wasn't clear because, oddly, their interview notes went missing for more than a month. Nonetheless, Sams summarily fired Reid and Acheson.
The Outrage!
The response from OU president Roderick McDavis was typical. "I am angry and embarrassed by the computer security system lapses that were undetected before my time as leader of the university," McDavis said.
Meanwhile, as the scandal progressed, Bill Sams himself resigned, pending the hiring of a replacement. About the same time, Reid and Acheson filed a complaint with the university's grievance committee, and that committee's three-page report exonerating the former employees of responsibility or blame was forwarded to the university's provost, Kathy Krendl. Nonetheless, on November 15, 2006, Krendl upheld the decision to fire them.
"I must conclude that responsibility for designing and maintaining a secure network resided in your office," Krendl wrote in separate two-page letters to Reid and Acheson. "I support Mr. Sams' finding of nonfeasance, noting that this finding does not indicate any intentional or purposeful wrongdoing. It does not indicate that you intended to put our data at risk, but in fact, that was the result of failing to take the necessary proactive steps to protect confidential information."
Enter Stage Left: The Lawyers
Of course, lawsuits have now been filed on behalf of the fired employees, careers have been ruined, and calls for Krendl's resignation are starting to be heard from employee rights groups. The bloodbath is far from over.
The Remedy
Ironically, the university's trustees have now allocated $4 million for a complete review and redesign of IT security: A windfall for some lucky consulting company! (Moran Technology Consulting?) So much for all those budgetary savings over the past four years!
And the fate of those 365,000 alumni and students and contractors whose identities were compromised? Lawyers are said to be assembling a class action suit against the university, claiming malfeasance and negligence. What is the potential value of the claim? Who will pay? Ohio University is a state-funded institution: The final settlement bill could potentially fall at the doorsteps of the taxpayers, many of whom were victims of the breaches themselves.
The Reality
To say that all this could have been avoided is absurd. Acheson and Reid did not create the problems. Sams did not create the problems. Clearly, Krendl and McDavis do not feel that they are to blame. In fact, the university itself did not create this catastrophe. It just happened because no one succeeded in adequately protecting information assets that were treated with a certain level of nonchalance by generations of IT and university administrators. Though the threat of identity theft was not unknown to any of them, it was merely given a lower priority—over time—as the technology of hacking rapidly advanced.
These were merely individuals and an institution struggling to keep up with those same advancements of technology. However, the threats that they seemed focused upon were not the threats that proved their undoing.
Unfortunately, it would probably be fair to say that the threats that they are currently trying to remediate are also not the threats that will prove their future undoing. They are responding now to threats they do not fully comprehend. They are like chaff caught in a cross-cut buzz saw of technological change.
The Future
Meanwhile, no one knows who hacked the systems. No one knows for certain if the files that were breached were actually stolen. No one knows whether even one single person's identity has really been compromised. All anyone knows for certain is that somebody on the Internet peeked in, was looking around, and left a record of his presence. A visitor? A spook? A kid from a home computer? A terrorist from Al Qaeda? No one knows!
Alas, that is the true measure of their security. And, of course, it could never happen to you!
Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.