Editor's Note: While reports of university network hacking are becoming more prevalent, the reality is not always what it seems. In the past year, a number of schools have determined that hacker-related incidents they thought had happened in fact had not. What follows is one such incident, a cautionary tale that ultimately saved untold time and expense. The names, as they say, have been changed to protect the innocent.
WHEN THE NEWS CAME from the IT team to the university's general counsel, it was devastating. A computer worm had been identified in one of the university's financial servers, and apparently the worm had discovered more than a quarter million credit card records. Even worse, the team had determined that the records were not encrypted, despite the claims made by the software vendor.
As a major university with students from almost every state, the university understood that the potential cost of issuing notifications under 40 different data loss notification laws and providing basic remediation services could easily (and almost immediately) exceed $1 million.
But rather than panic, university officials had a plan. With wisdom gleaned from earlier incidents, they understood that fast, sure-footed action was needed and knew that a number of organizations would have to be involved.
Within hours of learning of the incident, a conference call was convened, chaired by the general counsel (who was involved in order to deal with the complicated reporting laws, as well as potential individual or class-action litigation). The call included senior management, the CFO's representative, several IT representatives, and the university's public relations team. The group then reached out to computer forensic specialists to serve as an independent source of technical assistance and, if needed, to provide support for the university's remediation efforts.
A computer forensic investigation was launched immediately to determine, based on objective evidence, exactly what had happened and why unencrypted credit card data was on the server. At the same time, a task group began planning how to carry out notification rapidly and effectively, should it be required.
THE FORENSIC ANALYSIS
The technical investigation involved working closely with the university's technical staff to gather the evidence from various machines. The key was to gather the data in a forensically sound way. That is, the various files, logs, and so on had to be collected using procedures that would permit the data to be entered into evidence in any future court proceedings. If forensic accuracy were lost or the chain of custody broken, the evidence needed to defend the university's interests could be rendered useless.
Some of the data collection was done by the university's IT staff. For other, particularly sensitive data, the original hard drives were sent to one of our laboratories for analysis, allowing day-to-day processing to continue on a backup server.
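The two properties the passage above asks for, forensic accuracy and an unbroken chain of custody, come down to hashing each evidence item at the moment it is acquired and recording every hand-off in a log that cannot be quietly edited afterward. The following is an added illustration of that idea, not the investigators' own tooling: each custody entry carries the item's SHA-256 and a hash of the previous entry, so a later verifier can detect both a modified evidence file and a tampered or truncated log. The file name, custodians and log content are constructed for the example.

```python
"""Evidence hashing and hash-chained chain-of-custody log (illustrative example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_custody(log, path, custodian, action):
    """Append a custody entry. Each entry links to the previous one by hash,
    so removing or rewriting an earlier entry breaks the chain."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "custodian": custodian,
        "action": action,
        "prev": log[-1]["entry_hash"] if log else None,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_evidence(log, path):
    """Return (intact, reason). Intact means the log chains cleanly from its
    first entry and the file still hashes to the value recorded at acquisition."""
    if not log:
        return False, "empty custody log"
    prev = None
    for e in log:
        if _entry_hash(e) != e["entry_hash"]:
            return False, "custody log entry altered"
        if e["prev"] != prev:
            return False, "custody log chain broken"
        prev = e["entry_hash"]
    current = sha256_file(path)
    if current != log[0]["sha256"]:
        return False, "evidence hash mismatch: %s != %s" % (current, log[0]["sha256"])
    return True, "intact"


def demo():
    """Acquire a constructed proxy log, hand it to the lab, then simulate
    someone appending to it after acquisition. Returns (ok_before, ok_after)."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "proxy_access.log")
    with open(p, "wb") as f:
        # Constructed sample log line, not data from the investigation.
        f.write(b"02/Mar/2009:09:05:11 -0500 10.20.4.17 GET http://news.example/index.html 200\n")
    log = []
    record_custody(log, p, "campus IT", "acquired from financial server")
    record_custody(log, p, "forensic lab", "received sealed drive")
    ok_before, _ = verify_evidence(log, p)
    with open(p, "ab") as f:
        f.write(b"tampered\n")
    ok_after, _ = verify_evidence(log, p)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # expect (True, False)
```

In practice the hash is computed on the write-blocked original before any copy is made, and the log lives somewhere the people handling the evidence cannot edit it; the hash chain shown here is the cheap way to make edits detectable even when it does not.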
Information collected included the contents of the file server, which housed financial data, as well as internet, proxy, and other log files. Because of the type of routers and network infrastructure in place, investigators were also able to capture NetFlow data, which records, for each network connection seen by the routers, the source and destination addresses, ports, protocol, timing, and byte counts. This provided a detailed, timestamped record of which internal systems talked to which hosts.
Once the data reached the computer forensic lab, engineers started piecing it all together and time-correlating the entries in the various logs. Within hours, the forensic engineering team saw a pattern emerge that established the following:
- The worm entered the system when someone logged on to the financial server used it to run a web browser and visit a website containing an infected page. Loading the page triggered the download of the worm.
- The worm exploited a vulnerability for which a security patch was, in fact, readily available but had not been applied.
- Once the worm activated within the server, it sought and found what it thought were credit card records.
- The software in use by the university did, in fact, encrypt the credit card data in the main files, but it also maintained an unencrypted copy (unbeknownst to users of the system). Unfortunately, instead of being kept for a limited period of time, the copy contained every credit card transaction going back for years.
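The time-correlation step described above is what turns separate log sources into the sequence of events listed in the findings. The essential work is normalizing clocks and formats (here a proxy log in local time with an offset, and NetFlow exports in UTC) into one sorted timeline, then attributing each network flow from a host to the browsing request that immediately preceded it. The following is an added example of that approach, not code from the investigation; the log lines, addresses, ports and timestamps are constructed, and the heuristic of flagging post-browse flows to non-web ports is one of many an analyst might apply.

```python
"""Merge a proxy log and NetFlow records into one UTC timeline and attribute
flows to the browsing requests that preceded them (illustrative example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample proxy log: local time with offset, client IP, method, URL, status.
PROXY_LOG = """\
02/Mar/2009:09:05:11 -0500 10.20.4.17 GET http://news.example/index.html 200
02/Mar/2009:09:05:14 -0500 10.20.4.17 GET http://ads.example/load.php 200
02/Mar/2009:09:41:02 -0500 10.20.4.23 GET http://intranet.example/ 200
"""

# Constructed NetFlow-style export: flow start (UTC), src, dst, proto, dst port, bytes.
NETFLOW = """\
2009-03-02T14:05:14Z 10.20.4.17 203.0.113.9 tcp 80 1834
2009-03-02T14:05:20Z 10.20.4.17 203.0.113.9 tcp 8080 412096
2009-03-02T14:06:02Z 10.20.4.17 10.20.9.5 tcp 445 2201
2009-03-02T14:41:03Z 10.20.4.23 10.20.1.2 tcp 80 6520
"""


def parse_proxy(text):
    """Proxy entries carry a UTC offset; convert them to aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        ts, tz, client, method, url, status = line.split()
        when = datetime.strptime(f"{ts} {tz}", "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append({"time": when, "source": "proxy", "host": client,
                       "detail": f"{method} {url} {status}"})
    return events


def parse_netflow(text):
    """NetFlow exports here are already UTC ('Z' suffix); just tag the zone."""
    events = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "source": "netflow", "host": src, "dst": dst,
                       "dport": int(dport), "bytes": int(nbytes),
                       "detail": f"{proto}/{dport} -> {dst} {nbytes}B"})
    return events


def timeline(*event_lists):
    """One chronologically sorted list across all sources (sort is stable)."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])


def attribute_flows(events, window=timedelta(minutes=5)):
    """Walk the merged timeline; attribute each flow to the most recent proxy
    request from the same host if it occurred within `window` before the flow.
    Returns a list of (flow, proxy_event_or_None)."""
    last_browse = {}
    pairs = []
    for e in events:
        if e["source"] == "proxy":
            last_browse[e["host"]] = e
            continue
        b = last_browse.get(e["host"])
        if b is not None and e["time"] - b["time"] <= window:
            pairs.append((e, b))
        else:
            pairs.append((e, None))
    return pairs


def suspicious(pairs, web_ports=(80, 443)):
    """Flows that follow a browse but leave on a non-web port are the ones worth
    a closer look: a payload fetched on an odd port, or an internal SMB connection."""
    return [flow for flow, browse in pairs
            if browse is not None and flow["dport"] not in web_ports]


if __name__ == "__main__":
    events = timeline(parse_proxy(PROXY_LOG), parse_netflow(NETFLOW))
    for e in events:
        print(e["time"].isoformat(), e["source"], e["host"], e["detail"])
    for flow in suspicious(attribute_flows(events)):
        print("SUSPICIOUS:", flow["host"], flow["detail"])
```

The proxy log's 09:05:11 -0500 and the NetFlow 14:05:14Z line are three seconds apart once both are in UTC; without that normalization the same events appear five hours apart and no pattern emerges. In the constructed data, the two flows flagged are the large transfer to port 8080 seconds after the ad page loaded and the internal connection to port 445 a minute later.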