What Security Experts Can Learn From The Illinois State University Hack
The Illinois State University hack took place at the beginning of March, as reported by Illinois’ own Pantagraph, The Washington Times, and other publications. Direct-deposit payroll payments for at least a dozen faculty and staff were diverted to a different account, totaling about $50,000 in lost payments.
The affected employees have since received their payments, and ISU is working with the FBI and the Illinois State Police to investigate the matter.
A look into ISU’s Security Scorecard and the incident provided insight into how the institution’s data might have been compromised. Learning from the Illinois State University hack can help you shore up potential weaknesses in your network security.
Update your SSL Certificates
ISU received an ‘F’ in our Security Scorecard ranking for Network Security. Our research revealed that across the ilstu.edu and illinoisstate.edu domains, 58 IP addresses were marked as using RC4 encryption, which major browser vendors such as Microsoft, Google, and Mozilla have deemed insecure.
RC4 wasn’t the only outdated cybersecurity method in place at the University. A number of IP addresses served SSL certificates signed with older cryptographic hash algorithms such as SHA-1 or MD5, when the newer SHA-2 is known to be the safest choice for certificate signatures. Worse still, 9 expired SSL certificates were found and several SSL certificates were self-signed. Taken together, these factors made the Illinois State University hack possible for the perpetrators.
It’s important to keep your encryption methods and signatures up to date. Schedule regular checks to make sure you’re maintaining the integrity of your certificates. Doing so not only heads off future vulnerabilities but may also surface unusual indicators of other security risks.
If you’re unsure about the status of your SSL certificates or need help migrating them from SHA-1 to SHA-2, Symantec has published some resources to help. For more information, Google and Mozilla have published blog posts detailing SHA-1 migration.
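The kind of scheduled check the paragraphs above recommend, as an added example that is not from the original article or from SecurityScorecard: it reads a server certificate’s DER bytes (in Python, `SSLSocket.getpeercert(binary_form=True)` on a connection made with verification disabled, with the negotiated cipher name from `SSLSocket.cipher()[0]`) and flags the four findings discussed here: an RC4 cipher suite, an MD5/SHA-1 signature, an expired certificate, and a self-signed certificate. The certificate at the end is constructed for the example and is not a real one.

```python
from datetime import datetime, timezone

# DER-encoded signature-algorithm OIDs (RFC 3279) that the browser vendors named above no longer trust.
WEAK_SIG_OIDS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",   # 1.2.840.113549.1.1.4
                 bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",  # 1.2.840.113549.1.1.5
                 bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1"}            # 1.2.840.10045.4.1

def tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_cert(der):
    """Signature OID, issuer, notAfter and subject of a DER X.509 certificate (RFC 5280 layout)."""
    _, cert, _ = tlv(der)                            # Certificate ::= SEQUENCE
    _, tbs, pos = tlv(cert)                          # tbsCertificate
    sig_oid = tlv(tlv(cert, pos)[1])[1]              # outer signatureAlgorithm; first element is the OID
    pos = tlv(tbs)[2] if tbs[0] == 0xA0 else 0       # skip optional [0] EXPLICIT version
    pos = tlv(tbs, tlv(tbs, pos)[2])[2]              # skip serialNumber and the inner signature field
    _, issuer, pos = tlv(tbs, pos)
    _, validity, pos = tlv(tbs, pos)
    _, subject, _ = tlv(tbs, pos)
    tag, not_after, _ = tlv(validity, tlv(validity)[2])        # second Time in Validity is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    not_after = datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)
    return {"sig_oid": sig_oid, "issuer": issuer, "subject": subject, "not_after": not_after}

def audit(cert, cipher_name, now=None):
    """Findings for one endpoint; cert from parse_cert(), cipher_name from SSLSocket.cipher()[0]."""
    now = now or datetime.now(timezone.utc)
    checks = [("RC4" in cipher_name.upper(), "RC4 cipher suite negotiated"),
              (cert["sig_oid"] in WEAK_SIG_OIDS, "weak signature " + WEAK_SIG_OIDS.get(cert["sig_oid"], "")),
              (cert["not_after"] < now, "certificate expired " + cert["not_after"].strftime("%Y-%m-%d")),
              (cert["issuer"] == cert["subject"], "self-signed certificate (issuer equals subject)")]
    return [msg for hit, msg in checks if hit]

# Constructed sample, not a real certificate: self-signed, sha1WithRSAEncryption, expired 2015-01-01.
def _d(tag, body):  # DER encoder for the sample only (short-form lengths, body < 128 bytes)
    return bytes([tag, len(body)]) + body

_name = _d(0x30, _d(0x31, _d(0x30, _d(0x06, b"\x55\x04\x03") + _d(0x13, b"example.test"))))  # CN=example.test
_sha1 = _d(0x30, _d(0x06, bytes.fromhex("2a864886f70d010105")) + _d(0x05, b""))
_validity = _d(0x30, _d(0x17, b"140101000000Z") + _d(0x17, b"150101000000Z"))
SAMPLE_DER = _d(0x30, _d(0x30, _d(0x02, b"\x01") + _sha1 + _name + _validity + _name) + _sha1 + _d(0x03, b"\x00"))
```

Because current OpenSSL builds no longer offer RC4, the cipher check only reports what your own client actually negotiated; the three certificate checks do not depend on the cipher suite.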
Employ a Frequent Patching Cadence
As part of our Security Scorecard ranking, we look at patching cadence, which measures how quickly organizations apply patches and update software, products, and services. ISU received a ‘D’ ranking for taking over 350 days to patch two high-severity CVEs, over 200 days to patch two low-severity CVEs, and using a Microsoft product that has been declared end of service (EOS) for some time. EOS products are among the most vulnerable because the vendor no longer supports them, leaving them especially exposed to attackers. Further research found that this oversight left the University broadly exposed to known CVEs.
A slow patching cadence signals that cybersecurity may not be a high priority. The longer the delay between patches, the larger the window of opportunity for attackers, who know to target organizations that are less likely to patch quickly. While ISU’s Hacker Chatter score received an ‘A’, word of a slow patching cadence spreads easily across the deep web. Check CVE lists regularly to ensure your network is updated and secure. MITRE offers a free newsletter that updates its readers on CVE lists and compatibility features.
Check Your Open Ports
Lastly, a factor that may have contributed to the Illinois State University hack was the large number of open ports on the University’s network, including POP3, IMAP, MySQL database, and FTP data ports. Open ports are useful when a large number of users need to get onto an organization’s network, a valid concession for a university. For much smaller organizations, however, an IP whitelist is one of the safest ways to keep unwanted traffic away from your ports. Confirming that every open port is actually necessary is another worthwhile practice for maintaining network security.
For more information on the state of university cybersecurity, check out our 2015 Higher Education Security Report.