22
Sun, Dec
3 New Articles

A Disgrace of Network Security

Commentary
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Ever wonder about the poor guys who get caught in the middle of a nationally disclosed IT security breach? Take the case of the two Ohio University IT administrators that has been recently covered in the news. It's a sad commentary on the health of IT security, the peregrinations of large organizations, and the ignorance of management.

Career IT Employees

Tom Reid was Director of Communication Network Services and Computer Services at OU, and Todd Acheson was Manager of Internet and Systems. Both had long careers spanning more than 20 years at OU, but they were relatively new to their positions of administrative responsibility. They had risen through the ranks from cogs in the massive IT organization, and they had both seen the sudden rise in the importance and the complexity of the Internet and security. Both had received glowing reviews from their superiors this last year, including commendations from Bill Sams, CIO and Associate Provost for Information Technology.

Stumbling Upon Catastrophe

Then, on April 23, a routine sweep of servers noted an unusually large amount of activity at the university's alumni center. What could cause such an increase in activity? A quick investigation showed that files containing almost 137,000 alumni records—files that had been believed to have been behind a firewall—were being accessed by persons unknown on the Internet.

Of course, immediate action was taken to determine what files were affected, but it was concluded that the server was actually first compromised long before, in March of 2005. The most troubling part of the discovery was that the files contained alumni Social Security numbers. This meant that the FBI needed to be called in, and a complete review of IT security was required.

A History of Stumbling

Ohio University had had a troubled IT organization for many years. It had run without a CIO for more almost two years before Bill Sams was hired as Associate Provost for IT and Chief Information Officer. Sams became the sixth CIO in 10 years to try to bring the institution's unruly IT organization into the 21st century. Most mid-level administrators within the large department had risen up through the ranks, many starting as students. Bill Sams, by comparison, was from the Silicon Valley with more than 25 years of experience. If anyone could fix IT, the university officials reasoned, perhaps Sams—with his outside expertise—would be the one.

Of course, the first thing he did was to begin reorganization.

The Reorganization of IT

As part of a university-wide austerity measure instituted by the OU president, Roderick McDavis, budget cuts were enacted. As CIO, Sams was asked to reduce the IT budget by $1 million, including a 3% reduction in 2005 and a 12% reduction in 2006. Sams said he was given "targets" to hit by the university. "We try to be good soldiers if the university needs to cut things," he said.

On the face of things, the security breach on the alumni server appeared to be a result of these budget cuts: With fewer IT resources at its disposal, an older server had been placed into service without adequate protection. The files on the machine were not even supposed to be there. It was just an honest mistake, an accident of time and resources.

But then things started to quickly unravel at Ohio University. Alumni were outraged that their personal information, including Social Security numbers, was compromised. And the review of security on other servers by the FBI revealed other places where server security had been breached.

What They Didn't Know

In all, five more servers were identified as "compromised," including a Health Services machine containing medical records and a university computer that housed IRS 1099 tax forms for 2,480 vendors and independent contractors who worked for the university between 2004 and 2005. The university also discovered that a computer hosting a "variety of Web-based forms" that included class lists containing the Social Security numbers of about 4,900 current and former students had been accessed. At latest count, more than 365,000 personal identities had been "compromised."

The Buck Stops...Where?

It was the perfect storm, as far as the administration was concerned. The breaches made national news, and the local newspapers were calling for "heads to roll." Alumni were calling in to complain, and lawsuits were being prepared. So the administration needed a few sacrifices on the altar of IT to appease the mob.

Tom Reid (the Director of Communication Network Services and Computer Services) and Todd Acheson (Manager of Internet and Systems) looked like good candidates. They were suspended.

Enter Stage Right: The Consultants

A consulting group, Moran Technology Consulting of Naperville, Illinois—a group that already had a large $300K contract with the university—was given a new contract to review security and assign blame. (It is not clear if they also provided the personnel to fill the vacancies of Reid and Acheson.) Their study, called "The Moran Report," interviewed employees within IT and eventually laid the bodies of the suspended employees at the administration's altar. The reason? Well, it wasn't clear because, oddly, their interview notes went missing for more than a month. Nonetheless, Sams summarily fired Reid and Acheson.

The Outrage!

The response from OU president, Roderick McDavis was typical. "I am angry and embarrassed by the computer security system lapses that were undetected before my time as leader of the university," McDavis said.

Meanwhile, as the scandal progressed, Bill Sams himself resigned, pending the hiring of a replacement. About the same time, Reid and Acheson filed a complaint with the university's grievance committee, and that committee's three-page report exonerating the former employees of responsibility or blame was forwarded to the university's provost, Kathy Krendl. Nonetheless, on November 15, 2006, Krendl upheld the decision to fire them.

"I must conclude that responsibility for designing and maintaining a secure network resided in your office," Krendl wrote in separate two-page letters to Reid and Acheson. "I support Mr. Sams' finding of nonfeasance, noting that this finding does not indicate any intentional or purposeful wrongdoing. It does not indicate that you intended to put our data at risk, but in fact, that was the result of failing to take the necessary proactive steps to protect confidential information."

Enter Stage Left: The Lawyers

Of course, lawsuits have now been filed on behalf of the fired employees, careers have been ruined, and calls for Krendl's resignation are starting to be heard from employee rights groups. The blood bath is far from over.

The Remedy

Ironically, the university's trustees have now allocated $4 million for a complete review and redesign of IT security: A windfall for some lucky consulting company! (Moran Technology Consulting?) So much for all those budgetary savings over the past four years!

And the fate of those 365,000 alumni and students and contractors whose identities were compromised? Lawyers are said to be assembling a class action suit against the university, claiming malfeasance and negligence. What is the potential value of the claim? Who will pay? Ohio University is a state-funded institution: The final settlement bill could potentially fall at the doorsteps of the taxpayers, many of whom were victims of the breaches themselves.

The Reality

To say that all this could have been avoided is absurd. Acheson and Reid did not create the problems. Sams did not create the problems. Clearly, Krendl and McDavis do not feel that they are to blame. In fact, the university itself did not create this catastrophe. It just happened because no one succeeded in adequately protecting information assets that were treated with a certain level of nonchalance by generations of IT and university administrators. Though the threat of identity theft was not unknown to any of them, it was merely given a lower priority—over time—as the technology of hacking rapidly advanced.

These were merely individuals and an institution struggling to keep up with those same advancements of technology. However, the threats that they seemed focused upon were not the threats that proved their undoing.

Unfortunately, it would probably be fair to say that the threats that they are currently trying to remediate are also not the threats that will prove their future undoing. They are responding now to threats they do not fully comprehend. They are like chaff caught in a cross-cut buzz saw of technological change.

The Future

Meanwhile, no one knows who hacked the systems. No one knows for certain if the files that were breached were actually stolen. No one knows whether even one single person's identity has really been compromised. All anyone knows for certain is that somebody on the Internet peeked in, was looking around, and left a record of his presence. A visitor? A spook? A kid from a home computer? A terrorist from Al Qaeda? No one knows!

Alas, that is the true measure of their security. And, of course, it could never happen to you!

Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: