The Arizona Office of the Auditor General finds plenty of holes

Date Reported:
6/19/08

Organization:
The Arizona Board of Regents

Contractor/Consultant/Branch:
Arizona State University
University of Arizona
Northern Arizona University

Victims:
Students, faculty and staff

Number Affected:
"more than 10,000"

Types of Data:
Names, Social Security numbers, student identification numbers, addresses, phone numbers, e-mail addresses and user accounts

Breach Description:
"The Office of the Auditor General has conducted a performance audit of information technology security at Arizona State University (ASU), the University of Arizona (UA), and Northern Arizona University (NAU) pursuant to Arizona Revised Statutes (A.R.S.) §41-2958."  "ASU’s, UA’s, and NAU's Web-based applications are vulnerable. Auditors were able to gain unauthorized access to sensitive information, such as social security numbers, and could have modified or deleted important university information."

Reference URL:
Arizona Office of the Auditor General's report titled "Arizona’s Universities—Information Technology Security"
The Arizona Daily Star

Report Credit:
Arizona Office of the Auditor General

Response:
From the online sources cited above:

The Office of the Auditor General has conducted a performance audit of information technology security at Arizona State University (ASU), the University of Arizona (UA), and Northern Arizona University (NAU) pursuant to Arizona Revised Statutes (A.R.S.) §41-2958.

Information technology (IT) security practices are important for Arizona's universities to protect the large amounts of sensitive and confidential information that is stored on their computer systems, including information for more than 122,000 students and nearly 25,000 faculty and staff.

Universities in general are attractive targets for computer hackers because universities traditionally have a strong culture of academic freedom that values open access to information and a free exchange of ideas.

University IT security problems are occurring more often through weaknesses in computer programs called Web-based applications.

The Arizona universities combined use at least 205 significant Web-based applications for educational and administrative purposes, such as curriculum and course management, documenting personal information for admissions and financial aid, and processing financial, payroll, and other transactions, such as purchasing parking permits.

ASU’s, UA’s, and NAU's Web-based applications are vulnerable.

Auditors were able to gain unauthorized access to sensitive information, such as social security numbers, and could have modified or deleted important university information.

Auditors were able to gain this access by exploiting some critical and commonly found weaknesses that exist in many of the universities' Web-based applications.

Security weaknesses in one Web-based application allowed auditors to access a database and obtain more than 10,000 records with names and social security numbers.

Auditors also obtained other records that contained student identification numbers, addresses, phone numbers, and e-mail addresses.

Auditors also had the ability to modify and delete this information.

In two other applications, auditors were able to exploit a security weakness that would have allowed them to take over a large number of user accounts, including accounts with high-level access.

In many applications, auditors discovered a security flaw that would allow an attacker to take over user accounts and install malicious software.

Auditors did not attempt to identify every flaw that may exist because the testing was designed to determine what the impact could be if certain identified vulnerabilities were successfully exploited.
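The report does not name the weakness classes the auditors exploited, only their impact: reading, modifying and deleting database records through a Web-based application. As an added example (not from the report, the universities, or the author of this post), the block below shows one of the most commonly found Web-application weaknesses that produces exactly that impact, a record lookup that builds its SQL by string concatenation, beside a parameterised version that binds the user's value as data. The table, the names and the Social Security numbers are constructed for the example, and the choice of weakness class is an assumption about what "commonly found" meant, not a finding from the audit.

```python
import sqlite3

# Constructed sample data: a tiny student-records table of the kind the
# audit describes. Names and SSNs are made up for this example.
SAMPLE_STUDENTS = [
    (1001, "Alice Example", "123-45-6789"),
    (1002, "Bob Example", "987-65-4321"),
    (1003, "Carol Example", "555-44-3333"),
]

# A value a student-portal user might submit in place of their own ID.
# It is the whole attack: the lookup ends up returning every row.
PAYLOAD = "1001 OR 1=1"


def build_db():
    """In-memory SQLite database standing in for the university's records store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (student_id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, student_id):
    """The weak pattern: the request parameter is pasted into the SQL text.

    Whatever the user typed becomes part of the query, so "1001 OR 1=1"
    turns a one-record lookup into a dump of the whole table.
    """
    sql = "SELECT student_id, name, ssn FROM students WHERE student_id = " + student_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, student_id):
    """The fix: validate the expected type, then bind the value as a parameter.

    The driver sends the value separately from the SQL text, so it can never
    change the query's structure, and the type check rejects junk early.
    """
    if not student_id.isdigit():
        raise ValueError("student_id must be numeric")
    return conn.execute(
        "SELECT student_id, name, ssn FROM students WHERE student_id = ?",
        (int(student_id),),
    ).fetchall()


def injection_blocked(conn, value):
    """True if the hardened lookup refuses the value instead of running it."""
    try:
        lookup_hardened(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, honest input:", lookup_vulnerable(db, "1001"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, PAYLOAD))
    print("hardened, honest input:  ", lookup_hardened(db, "1001"))
    print("hardened rejects payload:", injection_blocked(db, PAYLOAD))
```

The vulnerable lookup returns all three constructed records for the payload; the hardened one returns exactly one record for a real ID and refuses the payload. The same concatenation pattern in an UPDATE or DELETE statement is what lets an attacker modify or delete records, which is the other impact the auditors reported.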

To better protect the information processed through their Web-based applications, ASU, UA, and NAU need to:

  • Conduct regular security assessments of Web-based applications. The universities first need to determine how many Web-based applications they have and then make provisions to regularly update their lists of applications.  They then need to develop and implement procedures for regularly conducting security reviews of their critical Web-based applications.
[Evan] Even though it seems like it's the same story in company after company, I am still amazed by how many organizations don't know what or how many applications they have (not to mention servers, clients, routers, switches, wireless access points, etc.)!  It's pretty hard to secure something if you don't know it exists, and just because you don't know it exists does not mean you are not responsible for it.

  • Develop a university-wide policy and associated procedures for updating Web servers, which are computers that host Web-based applications. Software vulnerabilities are constantly being discovered and publicized, and the universities need to develop or enhance: (1) procedures for identifying vulnerabilities relevant to their Web servers, (2) a timeline for reacting to notifications of newly discovered Web server vulnerabilities, and (3) a process for determining whether to apply a software update, establish another control to address the Web server vulnerability, or accept the risk of not updating the software.
  • Ensure that security is built into the process for developing Web-based applications. According to ASU, UA, and NAU officials, none of them have university-wide security standards for developing applications. According to an IT best practice, building security into the development process is more cost-effective and secure than applying it afterwards.
  • Provide training to application developers so that they are aware of common Web-based application vulnerabilities and methodologies that can be used to avoid them. None of the universities have a training program that is mandatory for all users and geared toward an individual's role within the university.

All three Arizona universities have taken some key steps toward developing an overall IT security approach; however, additional work is needed.

Creating information security staffs--Over the past few years, ASU, UA, and NAU have established and filled information security officer (ISO) positions and made these ISOs responsible for information security efforts university-wide.  Until the ISOs were hired, the universities had not had any staff whose sole responsibility included directing and coordinating all aspects of information security across the university.
[Evan] Typically, this position is more effective if it reports directly to an executive such as the CEO, President, etc.  Information security is not an IT problem, and oftentimes there is a conflict of interest if an ISO reports up through the IT organization.

Developing information security programs--The universities are at varying stages in developing formal programs to guide their information security efforts, but none have yet developed all the standards or procedures needed to support a complete information security program. The universities are in the beginning stages of implementing their information security programs, in part because the ISO positions are relatively new.

[Evan] The report goes on to address specific findings and recommendations for all three of the schools.  In my opinion, the report is very well-written and definitely worth your reading time!

Commentary:
I didn't provide much commentary on the Auditor General's report because it really speaks for itself.  It was a good read (for a security guy anyway).  Kudos to the Arizona legislature for funding the audit, Kudos to the Auditor General on the findings, the report, and the excellent recommendations, and Kudos to the schools for their agreements and plans for improvement.  I feel a little giddy and I'm not really sure why.

Is anyone planning to notify the people whose information was found to be vulnerable to attack and exploit?  I would be surprised if the auditors were the first to find these chinks in the armor.

I highly recommend reading the report.

Past Breaches:
Unknown
