The University of Wisconsin-Milwaukee (UWM) discovered a malware infection on one of its servers in May 2011 that compromised the social security numbers of 75,000 staff and students. The infected server was shut down and authorities were called to investigate. In June, UWM determined the malware had accessed the social security numbers. No identity theft or suspects were found. In August, UWM notified the affected individuals and asked them to monitor their credit reports, and updated security on its servers.

1. (2011) Security Breach Compromises 75,000
Staff/Student Social Security Numbers
Image from this Site
Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson, Benjamin Nikolay

2.  UWM discovered Malware Infection, May 25, 2011
 Affected Server was Immediately Shutdown
 Authorities were called in to investigate
Image from this Site
("Information on Computer," 2011)

3.  UWM found Malware had access to SSNs, June 30,
2011
 No evidence of Identity Theft was found
 No suspects were found
View TMJ News Video - http://www.todaystmj4.com/news/local/127459218.html
("Information on Computer," 2011)

4.  UWM notified effected individuals, August 10, 2011
 They were asked to monitor their credit reports
 UWM updated security on Servers
Image from this Site
("Information on Computer," 2011)

5. Evaluate Analyze Synthesize

6. Analyze Synthesize
 UWM Objective Failure
 Security was updated
in reaction to Breach
 Risk Management
Training
 Re-evaluation of IS
roles and
responsibilities
 Risk Assessment
 Regular Business/IT
Management Meetings
 Cost = $8118
Image from this Site

7. Analyze Synthesize
 UWM Objective Failed
 Inferred malware
access obtained via
weak Admin password
 Dictionary Attack
 Use Radom Password
Generator
 Setup automated
Password Expiration
 Password History
 ACL Access Limitation
 Hardware and Port
Lockdown
 Cost = $minimal
Image from this Site

8. Analyze Synthesize
 UWM Objective Passed
 UWM has a solid
“Admin Access” policy
 No Recommendations
Needed
Image from this Site

9. Analyze Synthesize
 UWM Objective Passed
 UWM requires use of
“Strong” Passwords
 Multiple characters
types required
 No Recommendations
Needed
Image from this Site

10. Analyze Synthesize
 UWM Objective Passed
 UWM requires use of
“Strong” Passwords
 Auditing of Passwords
is performed randomly
 No Recommendations
Needed
Image from this Site

11. Analyze Synthesize
 UWM Objective Failed
 Inferred - Server
Admin. Account
Compromised
 Delay in recognition of
illicit activity
 Provide users history
of prev. activity at
login.
 Implement Active
Directory Audit Tool
(AD Audit Plus)
 Cost = $7680 annually
Image from this Site

12. Analyze Synthesize
 UWM Objective Failed
 Insufficient audit trail
to catch the intruders
 Far too much elapsed
time before those
affected were notified
 Verify existing
configuration / make
changes (Windows Group
Policy / Auditing tools)
 Research and assess
possible 3rd party tools
 Cost – Variable or
minimal, depending on
option selected

13. Analyze Synthesize
 UWM Objective Passed
 Sensitive data
classifications do exist
 Data was separated
and housed on
different systems
 No Recommendations
needed

14. Analyze Synthesize
 UWM Objective Passed
 Scalability as an
enterprise level
network
 Thousands of user
accounts and various
types
 No Recommendations
needed

15. Analyze Synthesize
 UWM Objective Failed
 Security activity was
insufficiently logged
 Inability to track/catch
the attacker
 Checked and escaladed
on a regular basis?
 Refer to 5.7
recommendations
 “Common Sense
Security Auditing”
 Cost – Variable,
depending on route
taken

16. Analyze Synthesize
 UWM Objective Failed
 Attackers were never
caught
 2 months had elapsed
before notifying those
affected
 Continuously evaluate
system/audit security
on a regular basis
 Evaluate/revise
procedures and
auditing as necessary
 Cost – variable to
minimal

17. Analyze Synthesize
 UWM Objective Passed
 UWM will setup times
to perform audits on
their network
 No Recommendations
Needed

18. Analyze Synthesize
 UWM Objective Failed
 Hacker gained access
through open firewall
ports
 Purchase and install a
new firewall
 SonicWall NSA E7500
 Features Next-
Generation Firewall, &
Intrusion Prevention.
 Cost = $35,339
Image from this Site

19. Analyze Synthesize
 UWM Objective Failed
 UWM’s spyware failed
to deny the outside
attacker from gaining
access.
 Purchase security add-
ons to the NSA E7500
firewall.
 Included is anti-virus
and spyware, and
application intelligence
on the firewall.
 Cost = $14,514 for 3
years.

20. Analyze Synthesize
 UWM Objective
Irrelevant
 There were no
transactions or digital
signatures needed in
this type of security
breach.
 No Recommendations
Needed

21. Analyze Synthesize
 UWM Objective Passed
 UWM has a excellent
records and retention
policy to explain how
to transfer data.
 No Recommendations
Needed

22. Analyze Synthesize
 UWM Objective Passed
 Malware bypassed
tamperproof security
measures
 Security design of
infrastructure kept
confidential
 No Recommendations
Needed

23. Analyze Synthesize
 UWM Objective Failed
 Cryptography
Encryption Keys were
not used
 Unlikely attackers
accessed data
 Implement asymmetric
database encryption
 Use DSS encryption
technology with private
and public keys
 Cost - $12,500

24. Analyze Synthesize
 UWM Objective Failed
 Failed to prevent the
malware to install
 Physical firewall and
configuration remained
private
 Symantec Endpoint
Protection 12.1
 SEPM Training for IT
department
 Policy and Procedure
creation and
implementation
 Cost - $40.89 per
device per year
$3761.57 for training

25. Analyze Synthesize
 UWM Objective Passed
 No data was
transmitted to the WAN
 Firewall did not play a
role in this incident
 No Recommendations
Needed

26. Analyze Synthesize
 UWM Objective
Irrelevant
 Integrity of physical
mechanisms
maintained
 Unrelated to physical
access or
authentication of
foreign devices.
 No Recommendations
Needed

27. EASy as Pie!

28. EASy as Pie!

29. EASy as Pie!