Data Breach & Cybersecurity Leadership Practices - Case Study : UMUC 2014
Emily Parrish, Phillip Kidd, Cleber Visconti, Jonathan Batselos, Eric Evans


In February of 2014, the University of Maryland suffered a breach of its system in which more than 280,000 records were copied. These records contained personal information on students and faculty dating back to the early 1990s, including their names, university ID numbers, and social security numbers (Organization List). The following month, a second breach was carried out by a disgruntled ex-contractor who had warned of the flaws in the system and wanted to call attention to them (Dance, 2014). Though no information was stolen in the second breach, this hack raised red flags as to whether or not UMD was actually working to prevent attacks like the first in the future.

Brian Voss, the Chief Information Officer of the University of Maryland at the time of the breaches, lost his job in March of 2014, a month after they occurred. The fault for both breaches landed on a neglectful cybersecurity department, insufficient firewalls and other protective systems, and skilled hackers who were aware of both weaknesses. If cybersecurity roles such as identifying threats that could affect the security of the system and auditing systems for security compliance purposes had been stronger from the beginning, the breaches could have been prevented.

A main recommendation to prevent further attacks is implementing strong and encouraging leadership at the CIO position, focused on the necessity of a secure and impenetrable system. In an information age like today, securing personal information is vital, and a strong leader who encourages the department is key to a secure cybersecurity department. In addition to a solid department head, constant testing and updating of the systems by cybersecurity professionals employed by UMD should be encouraged to avoid further breaches.

Case Study

The University of Maryland suffered two different data breaches over the span of a month. The first attack has been classified as a highly sophisticated one. The hackers first uploaded a trojan to a university photo-sharing site, using the Tor network to hide their identity. From there, they were able to steal and change an IT administrator password. They used this single password to access a database containing the names, university IDs, and social security numbers of students and staff dating back to 1992 (Pham, 2014). It is suspected that once the hackers gained access to this data, they made copies of it to use at a later date. The loss of more than 280,000 records represents a catastrophic blow to the credibility of UM's cybersecurity policies and, more importantly, is a threat to every individual whose data was compromised.

The second breach was perpetrated by an ex-contractor, David Helkowski, who felt UMD did not do enough to increase its cyber defenses after the first attack. During an interview with the Baltimore Sun, Helkowski said he had noticed the vulnerabilities months before the initial attack (Dance, 2014). Helkowski gained entry to a UMD server through a backdoor he had warned the university about. At this point he thought he would make an impression on the university's new cybersecurity task force so they would grasp the depth of the problem. Helkowski obtained the email addresses of all the security task force members, along with the university president's phone number and social security number, from the server. He sent this information in an email to the members of the task force but also posted it on multiple public websites (Dance, 2014).

In a lengthy, now-deleted Reddit thread, Helkowski detailed his motivations and methods, as well as information on how the FBI raided his home. He considered himself a whistleblower performing a necessary service to the university, but his actions were still illegal. Because of this, Helkowski lost his job and admitted that this might keep him from holding an IT position ever again (Gallagher, 2014).

Leadership Practices

The fallout from the first attack was the biggest and made the most headlines. It was irresponsible for the university to leave the data somewhere so accessible, and reprehensible that the university maintained personal and sensitive data on people who had not been affiliated with the school for more than two decades. Increased controls on access to the data, as well as a more restrictive data retention policy, could have mitigated the main issues of this attack. Because records were kept for over 23 years, the attack surface was substantial.

Securing data and limiting access to sensitive information are primary jobs of cybersecurity professionals (Guggenberger, 2018). They may be responsible for one main system or for many systems, depending on their job scope and the size of the organization that employs them. With a system as big as the University of Maryland University College, one can assume there were many different cybersecurity professionals with specific roles within their systems. Unfortunately, breaches do occur, and when this happens it is the job of the cybersecurity professionals to investigate how the hackers infiltrated the system, how much information they had access to, and whether anything was changed or altered (Guggenberger, 2018). After this investigation takes place, that information is then used to protect the system further and attempt to prevent another breach.

The head of the team of professionals whose job it was to do all of this was the University of Maryland Chief Information Officer (CIO), Brian Voss. After the breach, Voss claimed what concerned him the most was how sophisticated the attack was; he said there was "no open door", and that the hackers had to have "pick through several locks to get to this data" (Svitek & Anderson, 2014). Wallace Loh, the president of the university at the time, made a statement saying that, together with law enforcement officials, the cybersecurity department was doing all it could to investigate how this breach could have occurred and to strengthen its system to make sure it doesn't happen again (Loh, 2014). By their own words, it was the job of these leaders to protect the information of the students and faculty and ensure another breach was impossible, which is what made the Helkowski breach such a shock.

While the second attack did not necessarily leak much data, it showed how neglectful the university had been in plugging the holes in its cybersecurity. On the other hand, Helkowski performed his actions only a month after the initial attack. An organization the size of UMD moves slowly regardless of the severity of the crime. Changing policy is easy; enacting that policy is the difficult part, which is also partly responsible for the security holes. At the time of the attack, the university's IT department had a budget of approximately $50 million and a workforce of 419 employees. Any organization that size is going to have difficulty altering its course, no matter what Voss and Loh promised to the students and staff (Robinson, 2014). This lack of speed is a huge failure on the part of Voss specifically, and the failure spreads beyond the ability to patch the holes that quickly. If Helkowski brought his concerns about the lack of stability in the system to the right people, and they were indeed not dealt with, the failure spreads across the entire department for not listening to the contractors that were hired to remedy the situation.

A crucial skill required of security leaders is incident response: rapidly mobilizing both their own and partners' technical resources to manage incidents and, in the worst case, recovery. Security leaders should be capable of working collaboratively to ensure the whole business can withstand cyber threats, as well as continuously evolving to satisfy the increasingly complex regulatory landscape (Ismail, 2017). This seemed to be the leadership that Voss was lacking, and this is what led him to be without a job a month after the breach.

The Impact of Cybersecurity Roles

The breaches cannot be blamed solely on Brian Voss, but as the head of the cybersecurity department for the organization, he did take the brunt of the blow-back. There are many different roles that play a part in every information security department, and they are all equally important. The more one studies the UMD data breach, the easier it is to see that most of these roles, performed effectively, would have been crucial in preventing the loss of all of that personal information. The two main roles that would have prevented the breaches were related to determining potential outside threats and implementing auditing systems for security compliance purposes. These roles seem fairly obvious in regard to cybersecurity, but perhaps they thought their system was so flawless that they failed to return to the basics every now and then to make sure the system couldn't be compromised.

The circumstances that allowed this breach to occur were a mix of rapid expansion of different University of Maryland networks and complacency about its cybersecurity. An audit report on the university's Division of Information Technology found that the university had not used firewalls to secure all network segments from the Internet and from untrusted portions of its internal network (Robinson, 2014). Even where firewalls were used, they sometimes allowed insecure and unnecessary connections to critical data center computer resources. The firewalls were not configured to monitor traffic from all untrusted sources. In addition to all of this, the UMD IT department was unable to keep its anti-malware software installed, up to date, and working properly (Robinson, 2014). What can be drawn from this information is that simple tests of their own system to determine the outside risks, and from there finding ways to better secure it, could likely have prevented this attack.

Even if the university had had all of the proper controls in place, an attack similar to Helkowski's was only a matter of time. He had access to the network internals and could see more than the typical outside hacker. In the Baltimore Sun article about the attack, "University officials said Helkowski did not access the data in the same way the larger breach occurred" (Dance, 2014). Therefore, whatever his goals or his findings were, they were largely irrelevant to the case at hand and likely did more harm to the university than he intended. What his attack did do is show them that they could have used their own resources and contractors to improve their own system and protect the information of hundreds of thousands of students and faculty.

Conclusions and Recommendations

The biggest problem for the leadership at the University of Maryland in this situation was its lack of communication. It is unclear where the deficiency occurred, because we were unable to come across any internal communications. However, it is clear that when this breach occurred, leadership was not fully informed of the severity and did not fully comprehend how extensive the vulnerabilities were. This is shown by the original statement that President Loh released, which greatly underestimated the number of people whose data was compromised. It is also shown by the fact that the cybersecurity task force created after the first breach to repair the vulnerabilities in the network was not responding to the concerns raised. The second breach demonstrates this, because the perpetrator was an ex-contractor for the university who committed the breach because he thought the university was not responding to the vulnerabilities he had reported, and he wanted to send a louder message (Svitek & Anderson, 2014).

The main challenge for cybersecurity professionals is to stay up to date with what is going on in the field. For a cybersecurity department, falling behind on the latest technological findings can mean a breach of its system. It is recommended to establish the foundations for the cybersecurity team and enable the professionals to apply modern and sophisticated techniques. This can be done in many ways: implementing the latest and best practices and standards in the industry, interacting with others in the industry to learn from each other, encouraging continuing education and training within the department, and constantly studying your specific systems and the vulnerabilities and risks that come along with them (Guggenberger, 2018). Had the University of Maryland, College Park had leadership that implemented all of the aforementioned strategies, the breaches likely could have been avoided.

For CIOs and CISOs, the message is clear: someone needs to push the enterprise's top leadership toward awareness of, and effective responses to, third-party risks. The CIO and CISO are best positioned to advocate for this strategy. From there, the different teams can work together to ensure that any threat to the integrity of the security system cannot penetrate its walls, and this can potentially be tested by contracted hackers seeing if they are able to do just that. It seems as though hiring someone with the skills of Helkowski to attempt to hack into the system, and from that hack determine the flaws, could have prevented both breaches and saved all of that copied personal information from making it into the wrong hands.

Overall, organizations and their IT networks are interconnected to a degree that makes security a shared responsibility. It is important that major companies and universities hire a capable CIO to lead and encourage, especially as we dive further into an era where technology is such a vital part of our lives. A positive tone at the top can help organizations avoid working with untrustworthy third parties and build the ethical partner relationships in which responsibility for cybersecurity leadership is shared, productive and effective.

Authors:

Emily Parrish

Phillip Kidd

Cleber Visconti

Jonathan Batselos

Eric Evans

Date: March 13, 2018

UMUC Cybersecurity Management & Policy MSc


References


Dance, S. (2014, April 9). Former contract worker at UM says he accessed data to reveal problems. Retrieved from The Baltimore Sun: https://www.baltimoresun.com/news/maryland/education/bs-md-data-breach-suspect-20140409-story.html

Gallagher, S. (2014, June 5). In his words: How a whitehat hacked a university and became an FBI target. Retrieved from Ars Technica: https://arstechnica.com/information-technology/2014/05/why-he-hacked-university-of-maryland-contractor-turned-hacker-tells-all/3/

Guggenberger, B. (2018, March 12). Cybersecurity Field Overview. Reading.

Ismail, N. (2017, September 7). Cyber security – the unrelenting challenge for leadership. Retrieved from Information Age: https://www.information-age.com/cyber-security-unrelenting-challenge-leadership-123468401/

Loh, W. D. (2016, February 19). Data Breach. Retrieved March 12, 2018, from https://www.president.umd.edu/communications/statements/data-breach

Organization List. (n.d.). Retrieved March 12, 2018, from https://content.umuc.edu/file/e8432068-18b9-4b82-a443-25406949030d/1/Organization%20List.html

Pham, T. (2014, October 20). Stolen Administrator Credentials Led to Breach of University Systems. Retrieved March 12, 2018, from https://duo.com/blog/stolen-administrator-credentials-lead-to-breach-of-university-systems

Ponemon Institute LLC. (2016). Tone at the Top and Third Party Risk. Ponemon Institute and Shared Assessments. Retrieved from SCMagazine.

Robinson, R. M. (2016, December 27). A User's Guide to Cybersecurity Leadership. Retrieved from SecurityIntelligence: https://securityintelligence.com/a-users-guide-to-cybersecurity-leadership/

Robinson, T. (2014, December 11). Audit shows University of Maryland security flaws remain. Retrieved from SC Media: https://www.scmagazine.com/the-university-is-still-vulnerable-to-attack/article/539620/

Svitek, P., & Anderson, N. (2014, February 19). University of Maryland computer security breach exposes 300,000 records. Retrieved from The Washington Post: https://www.washingtonpost.com/local/college-park-shady-grove-campuses-affected-by-university-of-maryland-security-breach/2014/02/19/ce438108-99bd-11e3-80ac-63a8ba7f7942_story.html
