2016 NDUS IT Security Review

Agency: University System
Report Date: December 21, 2016
Type: IT Security Review
LAFRC Date: March 6, 2017
Issued By: L.R. Kimball/Command & Control Technologies
Period: September 12-October 20, 2016

 

 

 

 

 


 

Executive Summary

Information technology (IT) security practices are critically important for the North Dakota University System and its institutions to protect the large amounts of sensitive and confidential information stored on their computer systems, including information for more than 45,000 students and 11,000 faculty and staff. Universities are attractive targets for computer hackers because they traditionally have a strong culture of academic freedom that values open access to information and a free exchange of ideas. By providing numerous computer labs and high-capacity internet access that allows for the exchange of information at high speeds, universities not only accommodate their many users, but also create an attractive target for computer hacking. University IT security problems are occurring more often through weaknesses in network and web-based computer programs (applications) as well as via social engineering techniques.


On behalf of the North Dakota State Auditor and the North Dakota University System, from September 12 to October 20, 2016, Team Kimball (the team) carried out external and internal vulnerability assessments of the networks associated with the North Dakota University System (NDUS). These networks consisted of the following campuses as well as NDUS networks in the listed locations: Bismarck State College (BSC), Dakota College at Bottineau (DCB), Dickinson State University (DSU), Lake Region State College (LRSC), Mayville State University (MASU), Minot State University (MISU), North Dakota State College of Science (NDSCS), North Dakota State University (NDSU), NDUS Offices (Fargo, Bismarck, Grand Forks), University of North Dakota (UND), Valley City State University (VCSU), Williston State College (WSC).

 

Findings

  • Missing Software Patch or Required Upgrade
  • Unsupported Operating Systems
  • Easily Guessed or Default Credentials
  • Systems with well-known Vulnerabilities
  • Cleartext Password
  • SSL Certificate Issues
  • Unsupported Web Server
  • Cross-Site Scripting
  • Structured Query Language (SQL) Injection