It's been almost a year since a huge data breach exposed the Social Security numbers of students, staff and faculty, both present and former, at the University of Maryland College Park (UMCP), but a state audit has revealed that flaws in the university's network security, many identified by an audit five years ago, still exist.
In a letter accompanying the audit report of the university's Division of Information Technology, Thomas J. Barnickel III, an auditor in Maryland's Office of Legislative Audits, said the school's main campus in College Park, Md., had not used firewalls to secure all “network segments from the Internet and untrusted portions of its internal network.”
And in some instances where firewalls were used, they “allowed insecure and unnecessary connections to critical data center computer resources,” Barnickel wrote. The intrusion system, too, hadn't been configured to monitor traffic from all untrusted sources.
Like many organizations, UMCP hadn't kept current on updates to its anti-malware software. The audit found the IT department, which had an approximately $50 million budget and a force of 419 full-time and contract employees in fiscal 2014, “didn't ensure anti-malware software was installed, up-to-date, and operating properly” on the computers it operates.
While the state was conducting its audit, UMCP experienced a massive breach of its identity card database. The audit report noted that the attack compromised “multiple computer resources hosted or maintained” by the IT department, and took “advantage of certain security weaknesses” such as a publicly accessible website and server, the system that hosted IT department employee credentials, critical application source code associated with the ID card database, as well as the database's userid and password.
UMCP's Cybersecurity Task Force had made 18 recommendations for the university in June, two months after a second breach, among them minimizing the number of systems that contain confidential information, isolating that information, conducting periodic penetration testing and creating an IT security advisory committee.
While the audit report noted that UMCP and the task force had apparently taken appropriate steps to assess and mitigate risks associated with confidential data retention and transmission, “due to the focus of the Task Force being primarily the security over confidential data, those actions may not fully address” the audit report's findings.