Exposing Network Vulnerabilities
If you're hesitant to get an outside assessment of your security setup because of what it might uncover, the case of Meredith College proves that all it takes is finding the right partner for the job.
- By Dian Schaffhauser
When Jeff Howlett joined Meredith College as CIO two years ago, some of the institution's security practices reminded him of his days at the Pentagon. "It was restrictive," he said. "But it was restrictive for a very good reason." Meredith had to limit what the end users could do technically because its equipment was out of date, and simple requests had to be turned down because of the security risks they posed.
At the same time, other security measures were totally lacking at the small, private college in Raleigh, NC. Staff stored data locally to external hard drives, since there wasn't a network storage location. There was no Active Directory or other LDAP in place to maintain a central directory of user rights and roles. "Everyone logged onto the local workstation and they were administrators of their machines," Howlett recalled.
Security--along with other aspects of the networking infrastructure--had gone through what Howlett calls a "dry spell."
"Our networking and systems staff knew what was needed to be done," he said. "But I don't think the overall understanding was there [among college administrators] about how deep a threat [the inadequacies] were to the future of the college."
His arrival at the college came with marching orders: to move the college's use of technology "into the future." Howlett sat down with his senior IT staff to develop an in-house technology plan. On the security front, this included two projects:
- Pulling data off local workstations and putting it into a secure centralized storage location; and
- Putting encryption on all machines, "so no one could walk into an office and walk off with a PC containing secure data."
It just so happened that as that latter effort was being rolled out, a thief at Georgetown University stole an external hard drive containing the Social Security numbers of 38,000 students, faculty, and staff from a locked room in the Office of Student Affairs. "So all of a sudden the pushback that I was getting disappeared," Howlett said. "People were excited to get encryption on their machines."
Finding the Vulnerabilities
At the same time, the college was undergoing an audit that also encompassed examining the security of its financial applications and policies. The audit firm recommended the hiring of an information security consulting firm located in Research Triangle Park outside of Durham to handle the IT part of the audit.
But as part of his due diligence, Howlett also contacted other companies he'd worked with previously in the metro Washington, DC area, as well as another firm that the college had used in the past. He held phone meetings, then whittled the list down to two contenders, both of which came onto campus for face-to-face meetings. After doing reference checks, Howlett signed with the auditor's recommendation, and more specifically with Michael Menefee, one of the firm's founders.
After an initial audit to the specs set by the college auditors, which impressed Howlett, Meredith expanded the job to include a full security audit. That included penetration testing, audits of internal security, the wireless network, password practices, physical security, and, of course, plenty of social engineering.
"We're an all-women's college," Howlett pointed out. "So [Menefee] was on campus trying to gain access to our dorm. Men aren't allowed [in] the dorms. He'd stand by a door trying to get students to let him in."
Menefee went into one of the executive offices on campus and asked the administrative person if he could charge his laptop because he couldn't find any power receptacles in the hall. "She said, 'Sure,'" Howlett recalled. "He sat in the office. They didn't know who he was. He was just a man in a suit with a laptop." Menefee's goal: to find out if somebody would walk away from his or her computer without logging off so that he could slip onto it.
For about two weeks, Menefee and his team tried to hack into the network from outside. They'd make calls to the help desk, posing as students, to see if they could persuade somebody to reset a password. Menefee also had one other advantage: His wife was a Meredith graduate. "He knew Meredith enough where he could answer questions easily," explained Howlett.
At the end of the audit, the security company submitted a report that Howlett presented to the senior management team. "It broke down the technical aspects and put them in layman's terms," he said. "It explained what threats were there, suggested ways to solve the threats, laid out what we were doing right, said what we could be doing better." The result: Howlett's IT team was given the funding it needed to fix the problems and the OK to make changes in its IT infrastructure budget model.
Among the problems identified: Meredith had weak passwords. IMail, the college's e-mail server, "was chosen more for its budget cost impact than for its features," Howlett said. "It did not have an option for a complex secure password." In 2009 Meredith began the move to the Zimbra Collaboration Suite, a Web-based mail system that includes a shared calendar, shared document storage, task list, and other features, including the ability for administrators to mandate complex passwords.
Also, the college lacked a replacement cycle for network hardware. "When there was money, it was upgraded," he said. "That's when security problems grow--when the manufacturer is no longer patching the older equipment. We went ahead and replaced 60 percent of our network switches. They were working beautifully. They just did not have the advanced security."
Although server software was kept fairly current, the hardware was old, which meant, according to Howlett, "The performance wasn't there. We moved to a virtualized system, which got us out of old equipment and into more manageable, more scalable equipment."
"The budget bump that we got was to not just fix security, but to work smarter," Howlett said. "And to be able to manage what we had better, which would free up time for other more important duties." Administrative support and the restructuring of the IT budget came none too soon. The college's usual infusion of 400 new freshmen students was actually closer to 480 in fall 2009.
In January 2009, Menefee left the former company and opened WireHead Security, which Howlett has put on retainer. "We followed [Menefee] based on his personal abilities," he explained.
Now Menefee's services go beyond just security. For example, Howlett's team was shopping for a new help desk application. The vendor was specifying all the changes that would need to be made to the college's network and firewall. "I made a call to [Menefee], and he came in and sat at the discussion table as if he were a Meredith employee," Howlett said. "He was representing us and could go one step further and work out the issues we were having. The vendor got everything they needed. But he advised and showed them a way to do it in a more secure manner."
When a key technical staff member went on vacation, Howlett called WireHead and asked the company to be on standby in case equipment went down or a network problem surfaced.
The expense of the retainer relationship is a simple business decision, Howlett said. "I'm in Raleigh, which is part of the [Research Triangle Park] (RTP). There are certain skill sets that are priced out of the norm compared to the rest of the United States. Information security is one of them. For us to compete with top-name companies at RTP, we'd have to pay a salary that doesn't match education salaries. The outsourcing of that type of position makes much more fiscal sense than to hire a position."
Howlett said he also expects the security firm to return annually for full security audits and when major changes are being made to the network. "[We'll call] WireHead up and say, 'Can you do an external penetration test to make sure the new firewall is doing what we think it's doing?' They'll come back and say, 'Yes, we do not see any vulnerabilities.'"
Concluded Howlett: "The more outside eyes you can get on your network--that are looking to help you rather than infiltrate you--I see as money well spent. It's to the point where the security and operations of our [institution] are made stronger by the partnership."