Cyber Criminals Have A New Best Friend – The University of Oregon
The University of Oregon has drawn controversy over its mishandling of a cybersecurity vulnerability. Student Owen Mitchem found a serious security flaw in a university system and reported it twice, only to be punished by the school. This not only makes the school a target for attackers but also exposes its neglect of security issues and its punitive culture. Experts recommend that the school take security reports seriously, train its management, and revise its policies to improve the situation. 2025-9-23 18:59:26 Author: securityboulevard.com

The views and opinions expressed in this blog do not necessarily reflect the views and opinions of SecureIQLab, but probably dovetail nicely with the views and opinions of the majority of cybersecurity professionals.

This is painful to write. The monumental ignorance demonstrated by the manner in which the University of Oregon handled a recent cybersecurity incident has left many cybersecurity experts with concussions caused by banging their heads against walls and tables in disbelief (invest in aspirin).

It all started with a failure to secure sensitive information and ended with a staff so embarrassed by the security gaffe that they punished the good guy for privately reporting a serious problem.


For those of you who do not subscribe to the Oregonian, the story is also reported here.

Here’s the short synopsis. 

University of Oregon Dean Dianne Tanjuaquio, per policy, responded to the responsible disclosure of a security lapse by punishing the good guy.

If you’re a cybercriminal, you just have to love that policy-based cyberignorance™.

Recently, Owen Mitchem, now a former University of Oregon physics major, discovered an extremely serious cybersecurity flaw in a university system that provided access to confidential information, including the social security numbers of thousands of public university employees around the state of Oregon. Not only did Mitchem responsibly report the issue once, but he followed up to make sure that the document had been removed. It hadn’t, and so he responsibly reported it again.

Upon realizing that a potential data breach involving 3,500 social security numbers had been responsibly reported, Dean Tanjuaquio royally screwed the pooch… she punished the messenger. Granted, Dean Tanjuaquio rightly or wrongly believed that policy had been violated; however, if policy prevents or punishes the responsible reporting of a serious problem, then your policy is FUBAR.

But it gets worse. If Dean Tanjuaquio had simply thanked Mitchem for reporting the problem and said “please don’t do that again,” she could have prevented even worse damage. “Please don’t do it again” would have only been relatively mild ignorance. By taking extremely inappropriate action, she created a public news story. What does that mean? That means that the University of Oregon is likely to further draw attention from cybercriminals. Knowing that such a lapse of security existed, and that the good guys are punished for responsible disclosure, makes the university a juicy target. The cybercriminals realize that sensitive information is not encrypted and that access to it requires no hacking skills. 

I’m pretty sure that when a major breach occurs in the future and the university is being sued, a lawyer will rightfully argue gross negligence. The university has created a culture that punishes good faith attempts to alert faculty of serious security issues. The university has created a culture of insecurity.

I was recently at the airport when a common TSA announcement was made. The words were “Security is everybody’s business.” Contrast that with the University of Oregon, whose motto is “Security is none of your damned business.”

When I see issues like unencrypted sensitive information being left wide open, I assume there are even more egregious security issues; the types of issues that allow for network penetration and lateral movement. Yes, Dean Tanjuaquio’s ill-advised response may very well result in further security woes for the University of Oregon, and perhaps many other public education institutions. The news story did not detail what information was accessible beyond the social security numbers. It could be worse than we know, but we do know this: the University of Oregon, as well as many other educational institutions, is part of the supply chain for both private industry and the federal government. The weakest link is always a great place to start when you want to exploit the supply chain. In this case the weakest link is a broken link called the University of Oregon.

The cybercriminals already know that universities are part of the supply chain and perform important and sometimes classified research. It was only recently that the University of Oregon revealed its active suppression of responsible disclosure and the reporting of serious security lapses. Basically, the cybercriminals are walking into a neighborhood that has a neighborhood watch program, but reporting suspicious activity gets you kicked out of the neighborhood.

But the University may not be quite done dismantling its security. It is reportedly rewriting policy in a manner that may fundamentally say it’s more important not to be embarrassed than to protect sensitive data.

So, now that the university has built its Maginot Line, what should it do to disassemble it? France learned a very long time ago that it isn’t good when a hostile foreign power disassembles your Maginot Line for you. The answer involves multiple angles. The university must send an explicit and forceful message to the cybercriminals indicating that the reporting of security issues is taken seriously, accepted and appreciated. This will be accomplished by an announcement conspicuous enough to be seen from the International Space Station stating that the responsible reporting of security issues is appreciated and required. The announcement will state in no uncertain terms that there will be zero tolerance for retribution when a good faith report is made that involves security problems. Currently the University has all but screamed that if you want to report a security problem without being retaliated against, report it to a cybercriminal. At least a cybercriminal will express sincere appreciation.

Right now, a very contrite public apology to Mitchem is required, with the unambiguous assertion that responsible reporting is to be rewarded and that retribution is grounds for terminating employment.

Continuing, some serious education is required for executive staff. Dean Tanjuaquio and other stakeholders supporting the Dean’s actions need to take some ethical hacking courses to get a bit better understanding of the landscape. They don’t need to learn to be hackers; they need exposure to what ethical hacking and responsible disclosure are all about. A good start would be with EC-Council’s coursework: https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13-north-america/. The University’s legal team would probably benefit from this education as well.

Just as Dean Tanjuaquio tried to coerce Mitchem to write a useless 750-word essay reflecting on the situation, Dean Tanjuaquio, upon completion of the course, should write a 3,000-word essay reflecting upon the nature of ethical hacking, responsible disclosure, and how to appropriately respond to attempts to improve security. Perhaps I’ll write Mr. Mitchem’s essay and hope I don’t get expelled from a school that I don’t attend. Stranger things have happened.

Finally, the applicable policies should be reviewed by a panel of cybersecurity professionals who are not related to the university. Yes, the teachers in the University of Oregon’s cybersecurity program are probably well qualified to teach what is required, but sometimes people are more likely to listen to an outside “expert” regardless of quality.

Cybersecurity is hard enough without people taking ignorant pot shots at the messenger.

I invite the University of Oregon to abandon its cybercriminal buddies and join the fight against cybercrime.

Randy Abrams

Senior Security Analyst Emeritus

The post Cyber Criminals Have A New Best Friend – The University of Oregon appeared first on SecureIQ Lab.

*** This is a Security Bloggers Network syndicated blog from SecureIQ Lab authored by Randy Abrams. Read the original post at: https://secureiqlab.com/university_of_oregon_cybersecurity/


Source: https://securityboulevard.com/2025/09/cyber-criminals-have-a-new-best-friend-the-university-of-oregon/