'Stakes go up' for university tech security

CEDAR FALLS — One year ago, after filing their tax returns, hundreds of University of Northern Iowa employees received error messages. Their taxes already had been filed, meaning someone else had done it for them in an apparent attempt to fraudulently claim potential refunds.

In the end, 270 UNI employees were affected by the apparent breach, and 1,644 of the university's total 1,800-plus employees took advantage of free credit monitoring — just in case their information had been compromised.

State and federal law enforcement launched an investigation, which continues today. And UNI recently extended free credit monitoring services for a second year, bringing its total spent responding to the breach to $126,261 to date, according to UNI spokesman Scott Ketelsen.

A year earlier, Kirkwood Community College spent upward of $500,000 after hackers gained access to eight years of application data that might have included names, birth dates, contact information and Social Security numbers for more than 125,000 people.

And two months after the UNI breach surfaced, Iowa State University discovered a hack affecting five departmental servers on campus that contained Social Security numbers of 29,780 students enrolled from 1995 to 2012.

With an ever-increasing amount of information being stored electronically, including at public universities, specialists are hustling to keep ahead of technology-savvy criminals seeking to gain access to private data.

'As more and more of our important information goes online, more and more people want to get at it,' said Steve Fleagle, University of Iowa chief information officer and director of information technology services. 'The stakes go up.'

Iowa's public universities each have policies and practices around keeping electronic information secure, and Fleagle said those are ever evolving as technology changes, criminal techniques shift and lessons are learned.

'It's a good thing to talk to folks and know what's going on,' Fleagle said. 'If they are seeing it, we better known what's going on as well.'

'Get it right every time'

At the UI, an Information Security and Policy Office is charged with keeping data safe by — among other things — educating users, sharing best practices, updating policies and coordinating incident responses.

Fleagle said the office's recent modernization strategies have included moving servers to a physically secure location and installing firewalls for those with sensitive data.

The university also is decreasing the places it needs to protect by reducing duplication of sensitive data. And it now requires a 'two-factor authentication' for staff wanting to access personal information.

Among the policies being updated is one related to mobile devices. When possible, Fleagle said, employees are advised not to store sensitive data on phones, tablets or the like. Those who do are required to encrypt their devices, he said.

'One of the things that is challenging is that we have to get it right every time,' Fleagle said. 'The bad guys only have to get it right once.'

Information technology is among the areas the Board of Regents recently analyzed as part of an efficiency review of its public universities. None of the adopted recommendations specifically addressed information security, but Fleagle said improved efficiency could aid the institutions in protecting data.

'One of the things the efficiency review has done is provide more visibility into IT,' Fleagle said. 'By having visibility more concentrated, we will be able to find things more quickly. And if we know about a threat, we can go more quickly and remedy it.'

'Always looking for new opportunities'

ISU officials, in a recent proposal to implement IT-related efficiency suggestions, raised the issue of security and identified potential improvements aimed at avoiding extra costs and protecting the institution's reputation and financial health.

'Although the (efficiency) study does not place a priority on information security, ISU will incorporate a comprehensive information security effort within our efficiency and effectiveness plan,' according to the proposal.

That effort will include encrypting all university-owned laptops and scanning campus systems for security vulnerabilities, among other strategies.

Jim Kurtenbach, vice president and chief information officer for ISU, said ensuring private information is secure is a job that's never done.

'We are constantly examining how we conduct our security training protocols,' he said. 'And every time there is a high-profile breach …

. We all learn as much as we can and examine our vulnerabilities.'

Public universities can be especially attractive to potential hackers because they are, by nature, open enterprises inviting people to come both in person and electronically to learn, Kurtenbach said.

'So we are always looking for new opportunities to do what we can do to keep data secure,' he said. 'Just as all the hackers are trying to attack, we are trying to defend in new and different ways.'

In a recent update to last year's breach at UNI, officials indicated hacks are becoming more common — citing a recent CNN article reporting hackers exposed personal information of about half the U.S. adults in the past 12 months.

'While UNI is not alone in being victimized, the resolve of the IT and operating staff will continue to strengthen systems and operations to protect personal information,' according to Michael Hager, senior vice president for administration and financial services.

IN DEPTH LOOK: Questions emerge around UNI administrator, tax breach

Months after a suspected breach of private information at University of Northern Iowa emerged, an investigation into its cause still is ongoing.

In response to the breach first identified in February 2014, UNI officials in September debated ways to secure 'institutional research servers,' including locking accounts belonging to Shashi Kaparthi, an associate professor who served as the university's chief information officer until recently.

In a Sept. 10 email — which was among a collection of emails obtained by The Gazette — a UNI official updated administrators on actions taken to secure servers possibly related to the information breach, including removing Kaparthi's ability to log in and his access applications as an administrator.

'We cannot say that in developing the systems that there is not a 'back door' he has access to,' UNI's Interim Director of IT Services Kevan Forest wrote in the email. 'We have seen no evidence of this, but at this point can't exclude it as a possibility.'

Forest told administrators they also were changing database passwords, cataloging applications Kaparthi created, and documenting maintenance procedures 'only Shashi or few others know,' according to the emails.

'One question which has been discussed several times is if we can contact Shashi and ask him questions on these systems,' Forest wrote. 'It would definitely save quite a bit of time, but we are not certain of what kind of contact, if any, you want us to have.'

In response to questions around the need to lock Kaparthi's accounts, disable his access to servers and applications, and catalog applications he created, UNI spokesman Scott Ketelsen said that is not unusual.

'Changing account access levels is common practice when an employee changes job responsibilities,' Ketelsen said.

Kaparthi joined the UNI faculty in 1992 and remains a tenured associate professor in the College of Business. Ketelsen did not provide a reason for Kaparthi's departure from his role as chief information officer but said he doesn't believe the move was an administrative demotion.

'But I don't know because the investigation is ongoing,' Ketelsen said. 'I don't know who decided on the change in position.'

Kaparthi did not respond to requests from The Gazette for an interview.

In February 2014, upon discovering the potential tax breach that affected 270 UNI employees and cost the institution $126,261 to date, Kaparthi was looped into much of the discussion about how to respond, according to the emails obtained by The Gazette.

As chief information officer at the time, Kaparthi was consulted on matters including use of a risk assessment service, review of data files for a possible source of the breach, investigation of recent phishing attempts, and scans of file servers and work stations.

Those initial efforts failed to identify a source of the potential breach, which emerged when UNI employees started filing their taxes last winter and learned someone else already filed for them. Presumably, hackers wanted to redirect potential refunds into fraudulent bank accounts, but Ketelsen said no UNI employees lost money in the breach.

The investigation into the cause of the breach continues today, involving university departments and state and federal law enforcement, Senior Vice President for Administrative and Financial Services Michael Hager wrote in a December letter to employees.

Investigators identified two threats as problematic, according to Hager, including a computer server that was 'operating outside the established standards of Information Technology Services and outside professional best practices.'

'Because of this, the server had potential vulnerabilities including allowing possible unauthorized access to sensitive data,' Hager wrote in the letter. 'Had this sever been operating with best practices established by ITS, the potential vulnerabilities would likely have been prevented.'

In September, according to emails obtained by The Gazette, officials — including UNI President William Ruud — shared concerns around the institutional research server, which was associated with Kaparthi in the emails.

'Is it secure? Has it been compromised? Is there sensitive data on it?' interim ITS director Forest asked in a Sept. 15 email.

'It's not secure,' Ken Connelly, associate director of security and systems, replied, adding that staff were improving security that would make it 'tentatively secure.'

Connelly said in email that although he hadn't found any direct signs of infection, 'I do, however, think that the chances of that machine being instrumental in the identity theft suffered by UNI faculty and staff are significant.'

Eric Lukens, IT security policy and risk assessment analyst, also said the server was not secure.

'There are several vulnerabilities, coding issues, and poor practices that necessitate a complete rewrite of code and migration to a new server,' Lukens replied. 'The underlying problems are quite severe.'

Hager in his December letter to faculty and staff, said a questionable server was removed from service and replaced with a virtual machine 'managed by appropriate ITS staff.'

He also told employees that investigators uncovered numerous phishing attacks, including one that continues to be reviewed by law enforcement. Despite those leads, Hager said UNI might never know the source of the breach.

'Given the fleeting nature of certain aspects of technology, unfortunately we have been told definitive proof may not be found,' he wrote.

With another tax season here, UNI administrators were wary criminals might try to use the personal information obtained last year and extended for one year the free credit monitoring service 1,644 employees took advantage of in the wake of the potential breach.

Spokesman Ketelsen said no UNI employees have experienced similar difficulties filing taxes this year, and servers identified in emails as potentially problematic are secure.