Question
Virginia Evans listened intently as the Board of Visitors (BOV) deliberated budgetary issues within the
Board Room of the Rotunda, the centerpiece of Thomas Jefferson's Academical Village.
As the University of Virginia's (UVA's) chief information officer (CIO), Evans had been asked to attend the two-day meeting in
case any questions related to UVA's information systems came up. The first day had been relatively uneventful,
but then Evans felt her phone vibrate. A quick glance down revealed a message marked urgent:
she was being asked to call UVA's chief information security officer immediately.
A few minutes later, just outside the Board Room, Evans learned the news that would turn her summer
upside down. Federal authorities had discovered that possible nation-state actors had access to UVA's systems,
and they could only guess at the cyberattackers' intent. During a break, Evans sought out Pat Hogan, UVA's
executive vice president and chief operating officer, to inform him of what was going on. Together, they decided
that the best course of action was to brief the BOV while its members were still in town. There was no question
that this sudden news could have a dramatic impact on UVA's community at large, and quite possibly on
Evans's career. There had been many examples in the news of both private- and public-sector CIOs who had
their careers altered by cyberattacks. To manage the remediation effort successfully, Evans felt she needed to
gain the BOV's support, not just financially but organizationally. The following day, that's exactly what she set
out to do.
During a closed meeting on Friday, June 15, 2015, Evans advised the BOV that UVA's information systems
had experienced a "major security breach." The BOV responded with a slew of questions: "What are they
after?" "Are our students safe?" "Has any personally identifiable information (PII) been compromised?" While
Evans could answer some of the questions, the answers to most would require a thorough investigation, and a
planned, full remediation of the cyberattack. She promised to keep the BOV informed and report back at the
next meeting. The next few months would be like nothing she had ever experienced.
The University of Virginia: A Top-Ranked Public University
UVA was a major public research university and the flagship academic institution for the Commonwealth
of Virginia. Founded in 1819 by the third president of the United States, Thomas Jefferson, UVA was known
for its historic foundations, student-run honor code, and secret societies. Throughout its history, UVA had
won praise for its unique Jeffersonian architecture, with the original design revolving around the Academical
Village and Rotunda, UVA's most recognizable symbol. The United Nations Educational, Scientific and
Cultural Organization (UNESCO) had designated UVA as America's first and only collegiate World Heritage
Site in 1987, an honor shared with Jefferson's nearby home, Monticello.
Since its founding, UVA had continued its mission to develop future leaders who were well prepared to
shape the future of the nation and the world, a testament to its original governing BOV, which had included
Thomas Jefferson, James Madison, and James Monroe. In 2015, UVA comprised 11 schools in Charlottesville,
Virginia, plus the College at Wise in southwestern Virginia, while offering 48 bachelor's degrees, 94 master's
degrees, 55 doctoral degrees, and a number of other professional degrees. The institution was ranked in the top
two public universities in the nation, accepting only the best students (around 90% of students admitted were
in the top 10% of their high school graduating class) and those who showed the exceptional promise Jefferson
envisioned. Approximately 22,000 students were taught by 2,800 full-time faculty, and were supported by just
over 10,000 full-time staff.
UVA's total annual budget in 2015 was $3.07 billion. It was interesting to note that despite being a public
university, less than 6% of UVA's operating budget came from the Commonwealth of Virginia. An additional
17% came from tuition and fees, almost 50% from medical patient services, over 10% from research and
development of intellectual property, and roughly 12% from gifts and endowments. Numbers like these
prompted some to call UVA a privately funded public university.
Information Technology Services (ITS)
In addition to its exceptional academic reputation, UVA was known to be a leader in its use of information
technology (IT) within higher education. A central component in UVA's use of IT was the ITS organization,
whose mission was to "be a trusted partner and strategic resource to the University community, aligning
technology to advance the University's mission." In 2015, ITS had 240 employees and an operating budget of
$50 million.
Evans had served as UVA's CIO since February 2014. In her role, Evans was the leader of ITS, responsible
for planning and coordinating central IT infrastructure, applications, and support, as well as information
security, policy, and records management. Evans had over 25 years of IT experience, ranging from IT consulting
with Andersen Consulting and independent IT consulting, to over 20 years managing IT at UVA at both the
central and school levels. She held a bachelor's of science with a concentration in accounting from the
University of North Carolina at Chapel Hill and a master's of science in management information systems from
UVA's McIntire School of Commerce, where she had also served as an adjunct professor teaching business
process-reengineering classes at the graduate level.
Cyberattacks: A Growing Threat to Companies, Agencies, and Universities
2014 was considered by many experts to be the year of the cybersecurity breach, and 2015 was shaping up
to be even worse. Megabreaches, or breaches where more than one million records were stolen, had become
common in the news. Private-sector companies such as Home Depot and JPMorgan Chase & Co. revealed that
millions of their customer records had been stolen, while Anthem reported that PII had been stolen from 80
million of its health-insurance customers. In the public sector, a cybersecurity breach at the U.S. Office of
Personnel Management exposed more than 21 million citizens' PII, which included background-check
information (e.g., fingerprints, financial histories, and so on).
Universities were also fast becoming a favorite target of cybercriminals and dangerous state actors, in
large part because of their openness and decentralized nature. In fact, it was estimated that 25% of all security
breaches took place in higher education. Pennsylvania State University (Penn State), Harvard University, Johns
Hopkins University, Rutgers University, and the University of Maryland all suffered security breaches in the
2014-15 academic year. Universities could be a prime target because they often had significant research
intellectual property and vast stores of PII and financial information, including payment information from
students and tax information for employees. In 2015, Symantec reported that universities were the third most
popular target for cybercriminals behind health care and retail, with cybercriminals targeting financial assets and
intellectual property, and looking to acquire information that could be used for political motivations.
Cyberattacks could be very costly to universities. For example, Penn State spent over $2.85 million to
remediate a data breach in its College of Engineering, and the University of Maryland's breach, which affected
more than 300,000 current and former students, cost the university an estimated $3 million to recover and
mitigate.
At the time of the UVA cyberattack, the three most common attack methods were (1) spear phishing, (2)
unpatched systems, and (3) zero-day exploits. Spear phishing had evolved from phishing, which involved
sending millions of e-mails asking the victims to click on a malicious link or download an infected file. Over
the years, criminals had started to select only a few victims in an organization, tailoring the e-mail messages to
these employees, which was known as spear phishing. Spear phishing was an attack on human vulnerabilities
and remained the most popular and effective attack vector. In 2015, on average, criminals sent spear phishing
e-mails to 18 individuals within an organization they targeted. This tactic made it very difficult for the spam
filters and automated phishing-detection systems to spot spear phishing.
The next typical attack vector was identifying and attacking computer systems that had not been patched
properly. Patches were software updates installed on computers that fixed a known system vulnerability.
Typically, software vendors such as Microsoft, Apple, and Adobe pushed patches on a regular basis. The
amount and variety of software vendors that sent patches often made it difficult to manage all the updates to
the computer systems.
UVA's ITS managed several hundred servers for a variety of workgroups that ran a
myriad of applications and services. Also, there were hundreds of computers used by university employees and
hundreds more in student computer labs that needed to be constantly patched. Further complicating patch
management was the fact that students, staff, faculty, and visitors could connect almost any Internet device to
UVA's network. ITS had very little control over how and when these devices were updated with the latest
security patches.
The last typical vector for attack was zero-day exploits, which were not publicly known and did not have a
patch or workaround available to fix the security hole. The name "zero day" came from how many days an
organization had known about the vulnerability. Although rare, zero-day exploits were severe and very difficult
to detect and mitigate. Typically, zero-day exploits were created and used by state actors or very sophisticated
cybercriminals. In 2015, there were only 24 zero-day vulnerabilities reported.
The most common way to mitigate all three of these attacks was through a "defense in depth" IT security
model. Defense in depth, or castle defense, was a layered approach originally conceived as a military tactic. The
military defensive system typically used an outer wall to protect its citizens, a castle to protect more important
resources, and a keep to protect the most valuable assets such as the king or queen. In an IT security context,
a similar conceptualization was used, where the most sensitive information was identified and protected by
many layers of systems. Exhibit 1 shows the primary layers of defense that were in place at UVA at the time
of the attack.
Layer 0, also known as "the kernel," included servers that held the most sensitive university data.
Technological and process defenses were built around this layer so that only a few people and services could
access the data. This protection technique was called hardening. The next layer of protection, Layer 1, included
servers that employees and students could access using their log-in credentials (e.g., username and password),
including e-mail servers, web applications, and so on. The final layer of defense, Layer 2, included all employee
and student devices and local servers that held no sensitive information. In this layer, there was also a segmented
area for research computers used by faculty and scientists at UVA that needed to be accessed from external
organizations. No sensitive information was supposed to reside on these servers, and these servers could not
access the rest of the UVA network. The ultimate goal of the defense-in-depth model was to harden the
perimeter of the network while maintaining a secure kernel, detect unauthorized access to resources, and react
to security incidents as they occurred. In UVA's case, the cyberattack had been detected by a federal government
agency that promptly notified UVA's chief information security officer, who, in turn, contacted her boss, Evans.
The Rise of the Phoenix Project
When Evans left the BOV meeting, the first thing she did was call Mandiant, an internationally recognized
cybersecurity firm. Coincidentally, she had recently attended a conference where she learned how Mandiant
had helped Penn State navigate its cyberattack, and fortunately, she still had the Mandiant representative's card
in her wallet! The second order of business was to get a contract signed with Mandiant, which cleared UVA's
Procurement Office in record time. Evans exclaimed, "Responding as quickly as you can is important because
you don't know what the attackers are doing!"
Answer questions
Phoenix case: prepare answers to the following questions:
1. What did Evans do well in the period between first learning of the breach and assembling the Phoenix project team? What could she have done differently/better?
2. Evans and German are now at a point where they have teams formed, an end goal in mind, and a hard deadline - what project management methodology would be best suited to accomplishing the goals of the project in a timely manner?
3. This project is unique in that it required absolute secrecy. What special considerations or project management tactics are necessary when managing a project where confidentiality is of utmost importance?