university of nebraska 2012 breach (264294032)
TRANSCRIPT
![Page 1: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/1.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 1/45
Chris Cashmere, University of NebraskaCentral Administration
Dan Buser, University of Nebraska at Lincoln
1
University of Nebraska 2012
Breach
![Page 2: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/2.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 2/45
n !ay 2012 the University of Nebraska e"#erienced one ofthe lar$est breaches in hi$her education
t took months to %$ure out e"actly &hat ha##ened
t took years to %nally come to some&hat of a conclusion
t cost the University hundreds of thousands of dollarst &as investi$ated by the 'B and D() *De#artment of)ducation+
he attacker &as cau$ht and #rosecuted by the U-Attorney
2
(vervie&
![Page 3: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/3.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 3/45
oday.s A$enda
/
e &ill cover ust a fraction of &hatha##ened
e &ill um# around ust coverin$the hi$hli$hts
-ome technical details
ublic res#onse and communication
m#act and costs
Le$al stu3 Lessons learned and takea&ays
![Page 4: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/4.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 4/45
he breach involved t&o entities
he University of Nebraska Central Administration he -tudent nformation -ystem *450,000 records+
A #erson obtained unauthori6ed administrator access to the studentinformation system database for a##ro"imately 27 hours
he University of Nebraska at Lincoln cam#us he De$ree Audit -ystem *20,218 students+
A #erson *same as above+ obtained de$ree audit system records via a&eb a##lication attack
7
ho )"actly9
![Page 5: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/5.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 5/45
UNL Attacks
hat he $ot from the outside &as some, but he&anted more
Used a :N service in -&eden to try to cover histracks• 'eb 20th thru !ay 20th
• -canned a total of 52 systems
• Dum#ed a database from the De$ree Audit systemcontainin$ student information *but no +
;e needed insider access
8
![Page 6: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/6.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 6/45
Dar&in
4
![Page 7: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/7.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 7/45
UNL :N -etu#
UNL took control of its o&n :N from Central ustmonths before the breach
All University 'acility, -ta3, and -tudents have accessto :N
At the time, all $eneral :N users &ere #ut into onebi$ #ool
'ire&all rules &ere o#en at Central to allo& that #oolthrou$h, instead of ust Admin users
'or unrelated reasons &e had full CA ca#ture on theUNL :N<&hich &e &ill cover later<
5
![Page 8: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/8.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 8/45
Nebraska Student Information System (NeSIS) Overview- 2012
!aor com#onents are the eo#le-oft a##lication and the (racledatabase
Central Administration mana$es t&o com#lete instances, one for theUniversity -ystem and one for the Nebraska -tate Colle$e -ystem
Ne-- had been o#erational for t&o years at the time of the breach
=
Ne-- Back$round
![Page 9: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/9.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 9/45
UNL
UNCA
UNO
Lincoln
Wayne
WSC
UNKKearney
CSC
Chadron
PSC
NCTACurtis
UNMC
Peru
Omaha
Ne-- consists of 7 Universities
/ -tate Colle$es
1 echnical Colle$e>
2 se#arate environmentsUniversities
-tate Colle$es
Nebraska?Nebraska -tateColle$e -ystem *Ne--+
(ver 8@,000 activeusers in the t&o systems
![Page 10: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/10.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 10/45
he Ne-- Database
&hich included --N, name, address, D(B, etc for<Current -tudents
arents
Alumni and non$raduates *se#arated+, many years &orth
'aculty and -ta3 &as never a student at UN yet &as in the student system999
AC?-A otential -tudents f you took the AC?-A in Nebraska or checked a Nebraska school for your scores
his data is &here most of the com#romised --Ns ori$inated
ncluded bank account information for more than 20,000 students
No Credit Cards
670,000 e!ords"#sers$
%&0,000 #sers after de-du'i!ation$
(*at the time of the breach, May 2012)
10
![Page 11: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/11.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 11/45
11
echnical Details
![Page 12: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/12.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 12/45
;o& Did his ;a##en9
•
he attacker &as a University of Nebraskaat Lincoln student and &as allo&ed :Naccess to internal cam#us resources Aninsider9
nsider Access
• he internal %re&all that #rotects the --(racle database &as o#en to connections
from the :N s#ace &hich students&ere assi$ned
'ire&allCon%$
• he eo#le-oft default E)(L)E user#ass&ord &hich #ermits access to#ass&ords tables durin$ user
authentication &as not chan$ed
Default
ass&ord• he attacker &as, usin$ the )(L)
account, &as able to derive the #lain te"t#ass&ords for the database -F-AD!accounts from the encry#ted form
•
he ;ack
![Page 13: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/13.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 13/45
1/
Cyber Gill Chain
Access Hecon )"#loit 'oothold)"%ltrati
on
CAU
I;,
;)
H )
![Page 14: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/14.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 14/45
17
:N?'ire&all
'ire&all &as con%$ured *unintentionally+ to allo& :N i# addresses
access to the -- system
Based on the :N connectin$ to the databases it &as easy to trackthat back to a user that &as assi$ned the
;e lo$$ed into the :N &ith his re$ular student D, so very easy totell &ho it &as
(nce &e kne& the user &e could %nd all the e"ternal addresses the:N account lo$$ed in from hree di3erent locations, these &ereturned over to la& enforcement &ithin 27 hours
Lincoln N), his a#artment(maha, turned out to be his !om and Dad.s houseLincoln N), his #lace of em#loyment in *data minin$ com#any+
Access
![Page 15: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/15.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 15/45
18
-cannin$?HeconBasically tried various scans and e"#loits three &eeks, !ay 4th to!ay 2/
-cannin$ &ith Linu" 'ree tools like, &e found out about some of thesefrom 'B?D()
N!A *#ort scanner+Nessus *vulnerability scanner+;ydra *net&ork lo$in hacker+-cuba *database vulnerability scanner+Nikto *&eb a##lication scanner+
ried an (racle N- listener attacked for a &hile
<but he Je& under the radarAll the connections he made &ere allo&ed
Hecon
![Page 16: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/16.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 16/45
14
)(L)?#eo#1e
eo#le-oft used to be delivered &ith a default user and #ass&ord
his &as the case &hen &e de#loyed the - system in 2010eo#le-oft is no& delivered &ithout a default )(L) #ass&ord,you have to enter one in &hen you install eo#le-oft, this &asdone in the #ast 1=27 months
Ne& installs of =8/ or later you are $ood Fou $et a #rom#t to set a
#ass&ord for the )(L) account U#$raded9 Fou &ill still have thedefault - #ass&ord
eo#le $ets you access to a fe& tables, 2 tables are im#ortant
)"#loit
![Page 17: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/17.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 17/45
15
-(HD)'N and -ACC)--H'L
une 12t* Heceived a D:D from 'B?olice &ith %le named
KusertablefromDBcsvM• he data. &as from one of the sei6ed com#uters• 'ile contained 15@,/55 ro&s of Ds and encry#ted and hashed
#ass&ords
ossible to crack these at the time of the breach9
)"#loit9
![Page 18: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/18.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 18/45
1=
eo#le -oft Lo$in
his &as at the time of the breach, still may be the case<
!ost eo#le-oft deskto# tools &ork this &ay, all have the default)(L)?#eo#1e user and #ass&ord
User enters valid D and any #ass&ord credentialsA## %rst connects to database usin$ the )(L) databaseaccount
he user O#eo#leO issues a cou#le of select statements to validatethe credentials #rovided Checks if the user e"ists
he O#eo#leO user also $ets the data o&ner usually -F-AD! andthe encry#ted #ass&ord for -F-AD!Deskto# a## disconnects from databaseDeskto# a## decry#ts the -F-AD! #ass&ord
Deskto# a## connects usin$ -F-AD!?#ass&ord to verify theusers #ass&ordDeskto# a## disconnects from database
he user is lo$$ed in )"#loit9
![Page 19: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/19.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 19/45
1@
:ice resident of 'inance
!ay 2/, 2012 10P00 #m Central Administration sta3 received
an error messa$e in eo#le-oft An account creation had failed,&hich &as a common occurrence An im#rom#tu investi$ationdetermined it &as result of a :2 account bein$ created
Locked sus#icious accounts immediately and continued tomonitor the a##lication
VP1 is a delivered PS account We loced and stri!!ed !rivile"es#security
$sin" S%S&'M he unloced VP1 and escalated its !rivile"esand lo""ed inloned security !ersons ('enise oin) account into a VP2account
VP2 may "o unnoticed+he creation !rocess of the VP2 account creation failed andalerted our system administrators- .ailed durin" a sync ofaccounts 'oothold
![Page 20: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/20.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 20/45
20
)"%ltration9
(/hich /e interru!ted)
![Page 21: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/21.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 21/45
21
he Notebook
;ere is &here &e %rst $ot a sense of &hat he &as u# to<
-earch &arrant e"ecuted on !ay 28th La& enforcement sei6edcom#uters and a N()B((G from his home and &ork
La& enforcement asked us to look to see if &e could hel# identify&hat &as in his notebook A lot if it &ould not make sense to an
outsider.
Notes for classes *S 21 .oundations of onstraintProcessin"+
;ostnames and for internal -- systems
-F-AD! #ass&ords for all the databasesPS 'S ncry!t(char*3 int3 char*3 int3 char*3 int)
)"%ltration
![Page 22: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/22.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 22/45
22
he Notebook
Notes about Iamblin$ sites
Notes on Banks in CanadaNotes on ho& to moneti6e information $athered;o& and &here to sell
)"%ltration
Net+eeroneybrokers
to. (bit!oin)/urum!*ane (bit!oin)eboney
;e claimed he $oin$ to chan$e his $rades3S4stdnt4rd &as on the same #a$e as the -F-AD!
#ass&ords
5woaI'redator (3N)
Inter!asino - Net+eer-#kas*Inter'oker8!om
![Page 23: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/23.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 23/45
2/
CA-
'ull CA- for all his activities 5IB of CA %les )very #acket he
sent or received &as there Luck &as on our side here
e did lots of searches in the CA- and e"tracted and analy6edevery select statement he #erformed and the results
e &ere able to determine, &ith a Quite a bit of certainty, only about
1%0 re!ords &ith --Ns &ere do&nloaded or vie&ed
e &ere able to see everythin$ he did and every bit of data hereceived
;e basically Kfumbled aroundM for a fe& &eeks@@R of the select statements no ro&s returned.
-#lit tunnel :N, traSc for our net&orks &ent throu$h the :N and&as ca#tured &hile $eneral internet traSc did not
;o&ever in the CA- &e sa& all his DN- reQuests:isit some forums and then try other stu3 and fail
![Page 24: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/24.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 24/45
27
ublic Hes#onse
![Page 25: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/25.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 25/45
Communication
28
![Page 26: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/26.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 26/45
Communication
)stablished a sin$le #oint of contact, C-(
'irst ress Helease issued less than 7= hours of discovery ssued other Hs &hen si$ni%cant information needed to be shared
Created dedicated email bo", asked for Questions andans&ered every Question &e could
Built a dedicated &ebsite for the security incident to serve ascentral information site *htt#P??nebraskaedu?security+
)stablished our o&n call center to address s#eci%c Questionsabout a &eek after the %rst #ress release *Tune 1st+
Built &eb a##lication to allo& call center and eventually #ublic
search to see if their data &as #art of breach
!ostly did email noti%cations, very fe& KlettersM sent
24
![Page 27: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/27.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 27/45
Call Center
25
Tune 1st 2012, 'riday = days
![Page 28: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/28.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 28/45
Ne&s
2=
![Page 29: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/29.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 29/45
2@
eakP 8,824
• Heceived over 280 Questions and comments throu$h &ebsitesubmission
• Heceived 484 calls to call center Tune 1st to 5th
• eb traSc #eaked the %rst four days and steadily decreased
ublic Hes#onse
Lasted for t&o years, every ne&s story and every court #roceedin$refocused attention an brou$ht ne&s stories and #hone calls
![Page 30: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/30.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 30/45
/0
m#act
December 22nd 2012, ;a##y ;olidaysV
![Page 31: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/31.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 31/45
/1
m#act
December 22nd 2012, ;a##y ;olidaysV
![Page 32: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/32.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 32/45
/2
12 Char$es
• 2 violations of -ection 1= of U- Code 10/0 *a+*8+*A+, felonies&ith u# to 10 years im#risonment
1= U- Code W 10/0 'raud and related activity in connection &ith com#uters*a+hoeverX *8+
*A+ kno&in$ly causes the transmission of a #ro$ram, information, code, or
command, and as a result of such conduct, intentionally causes damae &ithout
authori6ation, to a #rotected com#uterY
• 10 violations of -ection 1= of U- Code 10/0*a+*2+*C+,misdemeanors &ith no more than 1 year im#risonment
1= U- Code W 10/0 'raud and related activity in connection &ith com#uters*a+hoeverX
*2+ intentionally accesses a com#uter &ithout authori6ation or e"ceeds authori6ed
access, and thereby obtainsX *C+ information from any #rotected com#uter
December 22, 2012
![Page 33: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/33.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 33/45
//
-ub#oena *email D'+
19 mont*s after t*ein!ident12 mont*s after bein
!*ared
![Page 34: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/34.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 34/45
/7
lea
led $uilty to 1 felony violation of -ection 1= of U- Code 10/0 *a+
*8+*A+1 felony and 10 misdemeanors &ere dismissed-i" months of &ork release from a half&ay house in CouncilBlu3s A-i" month house arrest *ankle bracelet+
hen 2 years su#ervised release *#robation+
ay restitution
Senten!ed uy 2: 201: he -tratman family collected the restitution money and#resented it at sentencin$ ho#in$ the ud$e &ould take thatinto consideration, he did not he ud$e &as #retty clear to-tratman the money #aid by his family must be #aid back tothem
![Page 35: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/35.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 35/45
/8
Hestitution
otal dama$es claimed by the University &as ;<02,&<9800 otal allo&ed by the court &as ;107,7228%9Hestitution a&arded and #aid &as ;107,7228%9
!ost of the restitution &as our consultant costs e couldactually #rove &e s#ent that money )[CLU-:LF for the
breach
e could not #rovide enou$h details to #rove most of thedama$es and costs he ud$e thre& out those and onlyallo&ed the 105G in dama$es and restitution
f &e.d had actually shut do&n the -- system, dama$es andchar$es &ould have also increased
ude= >?ou are free to try and re!overt*e rest of t*e damaes in !ivi !ourt8@
![Page 36: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/36.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 36/45
/4
Hestitution
Any institutions here, &ho e"#erienced a breach, recover some or allof their costs9
![Page 37: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/37.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 37/45
/5
(ur Costs
otal ;<02,&<9800 his is the number &e submitted to the
court• UNCentral Administration -ta3 */,1278 hours+ \182,000• UNLincoln -ta3 *80= hours+ \27,000 *estimate+• Call Center \1,800• Letter re# and rintin$ \/28• osta$e \//0
• -tora$e \500 *51B U-B Drives+• UNCA Consultant \2@,000• UNL Consultant \=0,000• )nCase for UNL \15,000
1%0 re!ords " ;<0<A B ;2,000 'er re!ord
%&0k re!ords " ;<0<A B ;08%1 !ents 'er re!ord
45M2012
![Page 38: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/38.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 38/45
/=
Lessons, akea&ays,
(bservations, HeJections, and(h By the ay<
![Page 39: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/39.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 39/45
)volution of the Breach
otential m#act Con%rmedm#act
Days WeeksMonths
![Page 40: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/40.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 40/45
Communication Dilemma
L ? k
![Page 41: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/41.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 41/45
71
Lessons?akea&ays
Chan$e the )(L) #ass&ord
his is the best &ay to #rotect your database
A##ly your #atches A-A he N- listener attack he tried (racle #atched in their A#ril 2012CU(ctober 2017 eo#le-oft u#date increases com#le"ity of hashes
Hevie& your :N setu#Hun an discovery scan *nma#+<before someone else does
Hevie& data retention #oliciesBreach im#act could have been lessened if unneeded records had
been removed from the system
L ? k
![Page 42: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/42.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 42/45
72
Lessons?akea&ays
Gee# track of your hours durin$ a breach investi$ationGey #layers kee# notes on time s#ent-ummaries and estimates &on.t cut it in court
Gee# track of all e"#ensesHemember to note the details
-ummaries and estimates &on.t cut it in court
he &heels of ustice turn very slo&ly(ver t&o years for it to be resolved
lan on educatin$ the #rosecutor
(ur DBA and eo#le-oft security #ersons s#ent hours $ettin$him u# to s#eed Four #rosecutor selection is based on luck, &e &ere unlucky
L ? k
![Page 43: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/43.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 43/45
7/
Lessons?akea&ays
he rosecutor &as and &ill be obsessed &ith Kdama$esMrosecutors need and &ant a dollar amountDama$es is an escalator for the o3encef it &ere not for the fact he deleted some audit records &e maynot have been able to #rove he actually dama$ed. anythin$
Defense &ill focus on the dama$es and dis#uted themDetails and documentation is very im#ortant Fou must be able to #rove dama$es hey must hold u# to scrutiny Fou may have to testify and be cross e"amined about time s#ent
Gno& your cam#us resources, and build relationshi#se had a relationshi# &ith G and faculty runnin$ theinformation Assurance ro$ram at G
L ? k
![Page 44: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/44.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 44/45
77
Lessons?akea&ays
f you catch the hacker you can dra$ out a breach for years, in our
case t&o years<but you mi$ht recuo#e some or all of your costs
All #eo#le &ill remember is the BI numbers*htt#P??&&&#rivacyri$htsor$?+
f !r -tratman had come clean &hen the olice sho&ed u# at hisa#artment on !ay 28th 2012, he &ould have likely avoided most of
&hat ha##ened to him, cost and felonies robably 1 misdemeanorand diversion, no criminal record
![Page 45: University of Nebraska 2012 Breach (264294032)](https://reader034.vdocuments.us/reader034/viewer/2022052608/577cb5941a28aba7118d3a0c/html5/thumbnails/45.jpg)
8/9/2019 University of Nebraska 2012 Breach (264294032)
http://slidepdf.com/reader/full/university-of-nebraska-2012-breach-264294032 45/45
]uestions9
s there anythin$ you can.t tell us9
hat have you done since the breach9
Did the University have Cyber nsurance9
hy did it take you so lon$ to share this information9
Anythin$ chan$ed at your or$ani6ation because of the breach9