Case Study: The Hack At UC Berkley
Case Study: The Hack At UC Berkeley
Hackers broke into a computer at the University of California at Berkley recently and gained access to 1.4 million names, social security numbers, addresses, and dates of birth that were being used as part of a research project. The FBI, the California Highway Patrol, and California Department of Social Services were investigating the incident. Security personnel were performing a routine test of intrusion detection when they noticed that an unauthorized user was attempting to gain access to the computer. A database with a known security flaw was exploited, and a patch was available that would have prevented the attack. The negligence in attending to the known security flaw appears to be a common mistake among institutes of higher learning in the state. Banks, government agencies, and schools are known to be the top targets for hackers. Hackers may attack financial institutions in an effort to profit from the crime, and government agencies to gain notoriety. Private companies generally have made at least some effort to ensure that data is secure, but hackers attack institutes of higher learning often because there are frequent lapses in security. This not only presents a problem for the university, but also is a danger to other entities, since denial of service attacks may be generated from the compromised university computers. One of the problems at universities may be the lack of accountability or of an overarching department that has authority to oversee all systems, and limit modifications. In the name of learning, many less qualified individuals, sometimes students, are given authority to make modifications to operating systems and applications. This presents a continuing problem for administrators and represents a threat to all who access the Internet.
1. Name policies and procedures that would enable universities to limit vulnerabilities while still allowing students access to systems.
2. Ultimately, who should be held accountable for ensuring a sound security policy is in place?
3. Who at your school is responsible for maintaining a security policy and how often is it updated?