
Today’s Event Thursday, August 14, 2003 1:00-2:00pm EDT “Managing Security Incidents” with Gordon Wishon Chief Information Officer and Associate Vice President.


1 Today’s Event
Thursday, August 14, 2003 1:00-2:00pm EDT
“Managing Security Incidents”
with Gordon Wishon, Chief Information Officer and Associate Vice President, University of Notre Dame
and Dan Updegrove, Vice President for Information Technology, The University of Texas at Austin

2 Ultratime Server Compromise
Monitoring system reported Windows NT IIS Version 4 Webserver failure to respond
Administrator investigation discovered large warez files, active ftp daemon, password harvesting
System disconnected from network, forensics investigation initiated
Evidence of Nimda, other viruses discovered
Compromised system hosted ‘UltraTime’ application, ancillary to payroll system, used to track hourly employees’ timecard entries

3 Ultratime Server Compromise
Presence of sensitive personal information (including SSN, salary info) on server raised immediate concerns about potential for compromise, subsequent identity theft, and integrity of payroll source data
  > 8400 active employees
  > 5000 inactive employees
  > Archived records dating back to 1995
However, no direct evidence of compromise (thorough forensics investigation by internal security staff and independent security consultant -- no evidence of file browsing or downloading), also positive payroll audit outcome

4 Ultratime Server Compromise
Ethical Question: Without definitive evidence of compromise, should affected users be notified?
Mitigating against disclosure
  > Raising unnecessary concerns
  > Subjecting university to potential civil liability from claims of complicity
  > Potential damage to reputation as trustworthy stewards
Mitigating for disclosure
  > Potential damage to reputation as trustworthy stewards
  > Potential for real damage to employees

5 Ultratime Server Compromise
Decision: Disclose
  > Targeted message (personal letter) to all active employees affected
  > General message to campus with advice re: identity theft (www.consumer.gov/idtheft/)

6 UT Austin SSN Data Theft Chronology
Sun, Mar 2, 7:20 pm: initial observation of high-volume database access from off-campus
Mar 3: law enforcement contacted
Mar 4: Evidence points to UT student
Mar 5: Two residences searched
Mar 6: Austin American-Statesman breaks story; UT datatheft website deployed
Mar 14: UT student charged
Aug 14: Case unresolved…

7 UT Austin SSN: What Happened?
An insecure interface to a UT mainframe database provided access to over 1 million records
Program was written to input 2.6 million SSNs against this interface. Of these, ~50,000 matched, disclosing names of current/former students, faculty, staff, admission & job applicants, library patrons, current & former faculty & staff at UT Austin & other UT campuses
No evidence that SSNs & names disseminated or misused -- but impossible to “prove a negative”
UT has attempted to contact all individuals affected

8 UT Austin SSN: Communications
https://www.utexas.edu/datatheft/
  – UT’s public statement
  – Links to US Attorney statements
  – Link to email: over 2,000
  – Link to data form: over 6,500
  – Toll-free hotline: over 3,000
  – Two email msgs to these groups
U.S. mail to all for whom UT has good addresses
Confusion, concern re “data theft” vs. “identity theft”
Total costs of incident exceed $120,000

9 UT SSN: Security Issues, Aftermath
Highlights risk of SSN as University ID
  – UT Austin Cmte had been addressing this issue
  – Faculty posting of grades a long-standing concern
Web front-ends remove “security by obscurity”
Downside of integrated database
All UT System (15 campuses) central & mission-critical applications will be reviewed
UT System has launched a Security Advisory Cmte and a SSN Task Force

10 Assembling the Crisis Team
How do you know when it’s time?
Who calls the first meeting?
Who attends?
What next?
How to coordinate?
Other advice?

11 Legal Issues
Dealing with institution’s own counsel
Dealing with on-campus police
Dealing with off-campus police, FBI, etc.
Preserving evidence vs minimizing damage
What to do/say to avoid increased exposure
Other legal issues?

12 The Press
Official statements
When?
By whom?
To whom?
Press conference?
Resources and challenges
On-campus press office
Student paper
National press
The Web
Pluses and minuses

13 Final Thoughts
Best decision
Worst decision
Lessons learned
Changes deployed
Single piece of advice

