• An urban university that caters to mostly commuter students
• Diverse range of technologies that strive for a high level of security
• Any dept. can set up servers that are administered by people with other primary duties
• Not reporting servers creates vulnerable internal networks

• Some departments work well together and share information
• “Towers of power” do not like to engage with others outside of their group
• These different working styles lead to a lack of consistency and accountability
• Miscommunication caused issues with the server and domain structure
  › No firewall = open to hacking

• Departments were reorganized
• Towers of power restructured
• All servers were moved to the computer center to handle server administration
  › This change was met with resistance
  › Unsecured subnet moved to the center
  › System administrators continued to monitor the systems remotely even though this duty was transferred to the computer center

• Budget cuts led to many departmental IS support personnel being laid off
  › Depts. had to rely on existing IT infrastructure
  › Depts. with responsibilities in support areas also lost staff and had to pick up the slack
• Decision was made to replace hardware
  › Replacement servers agreed upon
  › This project was delayed several months
  › Replacements “linked to a migration to the university active directory forest” (p. 329)

• System administrator logged on remotely and noticed a new folder on the desktop
• User ID “Ken” with administrative rights was created over the weekend
• Security settings were okay, but the process to examine open files was disabled
• This raised suspicions that the system was hacked
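The administrator in the case found the new “Ken” account only because he happened to log on and notice a new folder. As an added example that is not from the slides or the case study they summarize, this PowerShell check looks for the same signal deliberately: accounts created, or added to privileged groups, inside a time window such as a weekend. It assumes an elevated session on the server being reviewed and that account-management and security-group-management auditing are enabled, so the Security log actually holds these events.

```powershell
# Added example (not from the slides or the case study): look for accounts created
# or added to privileged groups inside a time window, the change the university's
# administrator only noticed by chance. Assumes an elevated session on the server
# and that "Audit User Account Management" and "Audit Security Group Management"
# are enabled so the Security log records these events.
param(
    [datetime]$Start = (Get-Date).AddDays(-3),   # e.g. Friday evening
    [datetime]$End   = (Get-Date)
)

# 4720 = user account created
# 4732 = member added to a security-enabled local group (e.g. Administrators)
# 4728 = member added to a security-enabled global group (e.g. Domain Admins)
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 4728; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # EventData carries named fields; flatten them into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4720    { $what = "account created: $($data.TargetDomainName)\$($data.TargetUserName)" }
        default { $what = "added to group $($data.TargetUserName): $($data.MemberName)" }
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Change = $what
        By     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    }
}

if ($findings) {
    Write-Warning "Account/privilege changes between $Start and $End:"
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No account creation or privileged group changes logged in the window."
}

# Independent of the log (which an intruder may clear): list who holds local
# administrator rights right now, so an unexpected name such as "Ken" stands out.
Write-Host "`nCurrent local Administrators:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize
```

Run it on a schedule (Monday morning for a weekend window) rather than only after a suspicion; an empty event list on a machine that should be audited is itself worth a look, since it can mean auditing is off or the log was cleared.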
• Both system administrators talked on the phone and decided to:
  › Disconnect the system from the network
  › Notify the university security team
  › Review the system to figure out the magnitude of the breach
• Determined a Trojan was installed
• Other personnel were notified and new Microsoft patches were applied to servers

• Two other servers were compromised too
• Client system TAPI2 service compromised
  › Access gained with a user ID whose password was the same as the ID
• DameWare Trojan program found on server_1
• Entire domain was compromised
• PDC in 2nd domain also compromised
• 2 member servers and 100+ workstations also had to be treated as suspicious

• Servers were cleaned
• Firewall configuration
• A stricter password policy was created
• Computer forensics expert was contracted to certify all systems were clean and restore systems to full functionality

• Summary and analysis written for system administrators to prevent future attacks
• Standard server configurations modified to improve reporting statuses
• Password policy became permanent
• Invalid domain accounts were removed
• Suggested to delete administrative shares and have batch files disable them
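The last recommendation, deleting the administrative shares and keeping them disabled, as an added example that is not from the slides or the case study. The slides describe batch files; this is the same change in PowerShell, with the batch equivalents noted in comments. It assumes an elevated session on Windows Server 2012 or later (for the SmbShare cmdlets).

```powershell
# Added example (not from the slides or the case study): remove the default
# administrative shares (C$, D$, ADMIN$) and stop the Server service from
# recreating them at start-up. PowerShell form of the batch-file approach the
# slides suggest. Assumes an elevated session on Windows Server 2012 or later.
# IPC$ is left in place: domain logons and remote management depend on it.
# Check first that backup agents and remote-management tools on this host do
# not rely on C$ or ADMIN$; test on one server before rolling out.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareServer applies to server SKUs, AutoShareWks to workstations;
# 0 keeps the hidden drive shares and ADMIN$ from being auto-created.
# Batch equivalent:
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareServer /t REG_DWORD /d 0 /f
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    New-ItemProperty -Path $lanman -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# Remove the shares that exist right now. Get-SmbShare marks the automatic
# administrative shares with Special = $true.
# Batch equivalent:  net share C$ /delete   and   net share ADMIN$ /delete
$adminShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
foreach ($share in $adminShares) {
    Write-Host "Removing $($share.Name) ($($share.Path))"
    Remove-SmbShare -Name $share.Name -Force
}

# Verify: only IPC$ should remain among the special shares.
Get-SmbShare | Where-Object Special | Select-Object Name, Path | Format-Table -AutoSize
```

Without the registry change the shares come back at the next restart, which is why the slides pair deletion with a script that re-applies the setting.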
• Did the immediate counterattack actions help the university in any way?
  › Yes. Wiping all the servers clean, removing malware, making lists of ports to aid in firewall configuration, and implementing a password policy were the logical and necessary steps to take immediately
  › Hiring computer forensic experts was a prudent move

• Were the long-term counterattack actions taken adequate for SU?
  › Yes and no. Writing after-action reports and analyses is important to prevent future attacks
  › Improving system reports in the server configuration and making a permanent password policy were good measures
  › Full extent of the compromise is still unknown
  › Did not investigate the hacker

• In what ways, if any, do you think the poor corporate culture of university personnel contributed to the hacking incident?

Ct2 presentation stevens
