The presentation summarizes IT infrastructure and administration problems at an urban university, drawn from a textbook case study. Departments ran their own servers with little coordination or information sharing, which left internal networks insecure. When the servers were consolidated and budget cuts reduced IT staffing, exposure increased. A hacking incident compromised multiple servers and workstations across the university's domains. The immediate response was to isolate systems, apply patches, and bring in outside experts; the long-term changes aimed to improve security through policy, standard configurations, and after-action analysis. The full extent of the compromise was never established, however, and the attacker was not investigated.
Ct2 presentation stevens
2. An urban university that caters to mostly commuter students
Diverse range of technologies that strive for a high level of security
Any dept. can set up servers that are administered by people with other primary duties
Not reporting servers creates vulnerable internal networks
3. Some departments work well together and share information
"Towers of power" do not like to engage with others outside of their group
These different working styles lead to a lack of consistency and accountability
Miscommunication caused issues with the server and domain structure
› No firewall = open to hacking
4. Departments were reorganized
Towers of power restructured
All servers were moved to the computer center to handle server administration
› This change was met with resistance
› Unsecured subnet moved to the center
› System administrators continued to monitor the systems remotely even though this duty was transferred to the computer center
5. Budget cuts led to many departmental IS support personnel being laid off
› Depts. had to rely on existing IT infrastructure
› Depts. with responsibilities in support areas also lost staff and had to pick up the slack
Decision was made to replace hardware
› Replacement servers agreed upon
› This project was delayed several months
› Replacements "linked to a migration to the university active directory forest" (p. 329)
6. System administrator logged on remotely and noticed a new folder on the desktop
User ID "Ken" with administrative rights had been created over the weekend
Security settings were okay, but the process to examine open files was disabled
This raised suspicions that the system had been hacked
7. Both system administrators talked on the phone and decided to:
› Disconnect the system from the network
› Notify the university security team
› Review the system to figure out the magnitude of the breach
Determined a Trojan was installed
Other personnel were notified and new Microsoft patches were applied to servers
8. Two other servers were compromised too
Client system TAPI2 service compromised
› Access gained by a user ID whose password was the ID itself
DameWare Trojan program found on server_1
Entire domain was compromised
PDC in 2nd domain also compromised
2 member servers and 100+ workstations also had to be treated as suspicious
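The indicators in slides 6 through 8 (an unexpected account with administrative rights created over a weekend, and an account whose password was its own user ID) can be hunted for on a Windows domain member with the script below. It is an added example written for this summary, not code from the case study or the university; the 30-day window, the 07:00-19:00 business-hours definition and the one-attempt password probe are assumptions.

```powershell
# Added example (not from the case study): hunt for the slide 6-8 indicators on a
# Windows host. Run elevated. The password probe performs real logon attempts, so it
# makes exactly one attempt per account and should only be run with authorisation:
# each failure is logged as event 4625 and counts toward the lockout threshold.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Read one named field from an event's EventData, so the script does not depend on
# the positional order of $Event.Properties[].
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Account creations (4720) and local-group additions (4732) in the window, flagged
# when they happened on a weekend or outside assumed business hours (07:00-19:00).
function Find-SuspiciousAccountEvents {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $_.TimeCreated
        $offHours = ($t.DayOfWeek -in 'Saturday', 'Sunday') -or ($t.Hour -lt 7) -or ($t.Hour -ge 19)
        if ($_.Id -eq 4720) {
            $account = Get-EventField $_ 'TargetUserName'   # the new account
            $group   = ''
        } else {
            $account = Get-EventField $_ 'MemberName'       # who was added
            $group   = Get-EventField $_ 'TargetUserName'   # to which group
        }
        [pscustomobject]@{
            Time     = $t
            EventId  = $_.Id
            Account  = $account
            Group    = $group
            By       = Get-EventField $_ 'SubjectUserName'
            OffHours = $offHours
        }
    } | Where-Object { $_.OffHours }
}

# Slide 8: access was gained with a user ID used as its own password. Validate each
# enabled local account once against the local SAM with its name as the password.
function Test-UsernameAsPassword {
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    foreach ($u in Get-LocalUser | Where-Object Enabled) {
        if ($ctx.ValidateCredentials($u.Name, $u.Name)) {
            [pscustomobject]@{ Account = $u.Name; Finding = 'password equals user ID' }
        }
    }
}

# Who currently holds local administrative rights (the "Ken" check), then the two hunts.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
Find-SuspiciousAccountEvents -Days 30 | Format-Table -AutoSize
Test-UsernameAsPassword | Format-Table -AutoSize
```

The event hunt only works while the Security log still holds the weekend in question, which is one reason to pull logs off a suspected host before it is wiped. Get-LocalUser and the Machine context do not exist on a domain controller; for domain accounts, switch the context to ContextType::Domain and enumerate with Get-ADUser instead, and expect the lockout policy to apply to every probe.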
9. Servers were cleaned
Firewall configuration
A stricter password policy was created
Computer forensics expert was contracted to certify all systems were clean and restore systems to full functionality
10. Summary and analysis written for system administrators to prevent future attacks
Standard server configurations modified to improve status reporting
Password policy became permanent
Invalid domain accounts were removed
Suggested deleting administrative shares and having batch files disable them
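The remediations in slides 9 and 10 (a stricter password policy that later became permanent, a firewall built from a list of required ports, invalid domain accounts removed, and administrative shares deleted by a batch file) translate to the PowerShell below on a current Windows server. This is an added example, not the university's batch file or configuration; the port list, admin subnet, policy values, 90-day cutoff and the domain name 'su.example' are placeholders, and the ActiveDirectory cmdlets need RSAT on the host.

```powershell
# Added example (not the case-study batch file): apply the slide 9-10 hardening on a
# Windows server. Run elevated. Every value below is an assumption, not the
# university's actual policy.

# 1. Administrative shares (slide 10). Deleting ADMIN$ and C$ only lasts until the
#    Server service restarts; the two registry values stop Windows recreating them,
#    which is what the suggested startup batch file was for. IPC$ stays: Windows
#    needs it and Remove-SmbShare refuses to delete it anyway.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord   # server SKUs
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord   # workstation SKUs
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# 2. Host firewall (slides 9 and 11): default-deny inbound, then allow only the
#    ports on the agreed list. The list and the admin subnet are assumptions.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
$allowed = @(
    @{ Name = 'HTTPS';           Port = 443;  Remote = 'Any' }
    @{ Name = 'RDP from admins'; Port = 3389; Remote = '10.10.5.0/24' }
)
foreach ($r in $allowed) {
    New-NetFirewallRule -DisplayName "Allow $($r.Name)" -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow -Profile Domain
}

# 3. Password policy (slides 9 and 10), set once at domain level so it is permanent
#    rather than re-applied per server.
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity 'su.example' `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 4. Invalid domain accounts (slide 10): find enabled user accounts idle for 90+ days
#    and disable them (-WhatIf previews; drop it to apply). Disabling rather than
#    deleting keeps the account and its SID available to the forensic review.
$cutoff = (Get-Date).AddDays(-90)
Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object Enabled |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Removing ADMIN$ has a cost the slide does not mention: remote administration and patch-push tools that copy files to \\host\ADMIN$ stop working, so a site that relies on them for the patching done in slide 7 needs another deployment path before the share goes. The firewall step should be driven by the port list gathered during the clean-up, not typed from memory, and applied first to one rebuilt server so a missing port is noticed before it blocks a production service.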
11. Did the immediate counterattack actions help the university in any way?
› Yes. Wiping all the servers clean, removing malware, making lists of ports to aid in firewall configuration, and implementing a password policy were the logical and necessary steps to take immediately
› Hiring computer forensic experts was a prudent move
12. Were the long-term counterattack actions taken adequate for SU?
› Yes and no. Writing after-action reports and analyses is important to prevent future attacks
› Improving status reporting in the server configuration and making the password policy permanent were good measures
› Full extent of the compromise is still unknown
› Did not investigate the hacker
13. In what ways, if any, do you think the poor corporate culture of university personnel contributed to the hacking incident?