2014 NDUS IT Security Review

Agency: University System
Report Date: December 31, 2014
Type: IT Security Review
LAFRC Date: January 29, 2015
Issued By: L.R. Kimball/TeleCommunication Systems
Period: October 1-October 31, 2014


 

Executive Summary

Information technology (IT) security practices are critically important for the North Dakota University System and its institutions to protect the large amounts of sensitive and confidential information stored on their computer systems, including information for more than 47,000 students and 11,000 faculty and staff. Universities are attractive targets for computer hackers because they traditionally have a strong culture of academic freedom that values open access to information and a free exchange of ideas. By providing numerous computer labs and high-capacity internet access that allows for the exchange of information at high speeds, universities not only accommodate their many users, but also create an attractive target for computer hacking. University IT security problems are occurring more often through weaknesses in network and web-based computer programs (applications) as well as via social engineering techniques.


On behalf of the North Dakota State Auditor and the North Dakota University System, from October 1 to October 31, 2014, Team Kimball (the team) carried out external and internal vulnerability assessments on the networks associated with the North Dakota University System (NDUS). These networks consisted of the following campuses as well as NDUS networks in the listed locations: Bismarck State College (BSC), Dakota College at Bottineau (DCB), Dickinson State University (DSU), Lake Region State College (LRSC), Mayville State University (MASU), Minot State University (MISU), North Dakota State College of Science (NDSCS), North Dakota State University (NDSU), NDUS Offices (Fargo, Bismarck, Grand Forks), University of North Dakota (UND), Valley City State University (VCSU), Williston State College (WSC).

Findings

  • Unsupported Operating Systems
  • Missing Software Patch or Required Upgrade
  • Easily Guessed or Default Credentials
  • Unsupported Web Server
  • Systems with well-known exploits
  • Publicly Accessible Web Applications
  • Firewall/NAT
  • Cross-site Scripting
  • Cleartext Password
  • Session Token in URL
  • SQL Injection
  • Serialized Object in HTTP message