
Question


Virginia Evans listened intently as the Board of Visitors (BOV) deliberated budgetary issues within the Board Room of the Rotunda, the centerpiece of Thomas Jefferson's Academical Village. As the University of Virginia's (UVA's) chief information officer (CIO), Evans had been asked to attend the two-day meeting in case any questions related to UVA's information systems came up. The first day had been relatively uneventful, but then Evans felt her phone vibrate. A quick glance down revealed a message marked urgent: she was being asked to call UVA's chief information security officer immediately.

A few minutes later, just outside the Board Room, Evans learned the news that would turn her summer upside down. Federal authorities had discovered that possible nation-state actors had access to UVA's systems, and they could only guess at the cyberattackers' intent. During a break, Evans sought out Pat Hogan, UVA's executive vice president and chief operating officer, to inform him of what was going on. Together, they decided that the best course of action was to brief the BOV while its members were still in town. There was no question that this sudden news could have a dramatic impact on UVA's community at large, and quite possibly on Evans's career. There had been many examples in the news of both private- and public-sector CIOs who had their careers altered by cyberattacks. To manage the remediation effort successfully, Evans felt she needed to gain the BOV's support, not just financially but organizationally. The following day, that's exactly what she set out to do.

During a closed meeting on Friday, June 15, 2015, Evans advised the BOV that UVA's information systems had experienced a "major security breach." The BOV responded with a slew of questions: "What are they after?" "Are our students safe?" "Has any personally identifiable information (PII) been compromised?" While Evans could answer some of the questions, the answers to most would require a thorough investigation, and a planned, full remediation of the cyberattack. She promised to keep the BOV informed and report back at the next meeting. The next few months would be like nothing she had ever experienced.

The University of Virginia: A Top-Ranked Public University

UVA was a major public research university and the flagship academic institution for the Commonwealth of Virginia. Founded in 1819 by the third president of the United States, Thomas Jefferson, UVA was known for its historic foundations, student-run honor code, and secret societies. Throughout its history, UVA had won praise for its unique Jeffersonian architecture, with the original design revolving around the Academical Village and Rotunda, UVA's most recognizable symbol. The United Nations Educational, Scientific and Cultural Organization (UNESCO) had designated UVA as America's first and only collegiate World Heritage Site in 1987, an honor shared with Jefferson's nearby home, Monticello.

Since its founding, UVA had continued its mission to develop future leaders who were well prepared to shape the future of the nation and the world, a testament to its original governing BOV, which had included Thomas Jefferson, James Madison, and James Monroe. In 2015, UVA comprised 11 schools in Charlottesville, Virginia, plus the College at Wise in southwestern Virginia, while offering 48 bachelor's degrees, 94 master's degrees, 55 doctoral degrees, and a number of other professional degrees. The institution was ranked in the top two public universities in the nation, accepting only the best students (around 90% of students admitted were in the top 10% of their high school graduating class) and those who showed the exceptional promise Jefferson envisioned. Approximately 22,000 students were taught by 2,800 full-time faculty, and were supported by just over 10,000 full-time staff.

UVA's total annual budget in 2015 was $3.07 billion. It was interesting to note that despite being a public university, less than 6% of UVA's operating budget came from the Commonwealth of Virginia. An additional 17% came from tuition and fees, almost 50% from medical patient services, over 10% from research and development of intellectual property, and roughly 12% from gifts and endowments. Numbers like these prompted some to call UVA a privately funded public university.

Information Technology Services (ITS)

In addition to its exceptional academic reputation, UVA was known to be a leader in its use of information technology (IT) within higher education. A central component in UVA's use of IT was the ITS organization, whose mission was to "be a trusted partner and strategic resource to the University community, aligning technology to advance the University's mission." In 2015, ITS had 240 employees and an operating budget of $50 million.

Evans had served as UVA's CIO since February 2014. In her role, Evans was the leader of ITS, responsible for planning and coordinating central IT infrastructure, applications, and support, as well as information security, policy, and records management. Evans had over 25 years of IT experience, ranging from IT consulting with Andersen Consulting and independent IT consulting, to over 20 years managing IT at UVA at both the central and school levels. She held a bachelor's of science with a concentration in accounting from the University of North Carolina at Chapel Hill and a master's of science in management information systems from UVA's McIntire School of Commerce, where she had also served as an adjunct professor teaching business process-reengineering classes at the graduate level.

Cyberattacks: A Growing Threat to Companies, Agencies, and Universities

2014 was considered by many experts to be the year of the cybersecurity breach, and 2015 was shaping up to be even worse. Megabreaches, or breaches where more than one million records were stolen, had become common in the news. Private-sector companies such as Home Depot and JPMorgan Chase & Co. revealed that millions of their customer records had been stolen, while Anthem reported that PII had been stolen from 80 million of its health-insurance customers. In the public sector, a cybersecurity breach at the U.S. Office of Personnel Management exposed more than 21 million citizens' PII, which included background-check information (e.g., fingerprints, financial histories, and so on).

Universities were also fast becoming a favorite target of cybercriminals and dangerous state actors, in large part because of their openness and decentralized nature. In fact, it was estimated that 25% of all security breaches took place in higher education. Pennsylvania State University (Penn State), Harvard University, Johns Hopkins University, Rutgers University, and the University of Maryland all suffered security breaches in the 2014-15 academic year. Universities could be a prime target because they often had significant research intellectual property and vast stores of PII and financial information, including payment information from students and tax information for employees. In 2015, Symantec reported that universities were the third most popular target for cybercriminals behind health care and retail, with cybercriminals targeting financial assets and intellectual property, and looking to acquire information that could be used for political motivations.

Cyberattacks could be very costly to universities. For example, Penn State spent over $2.85 million to remediate a data breach in its College of Engineering, and the University of Maryland's breach, which affected more than 300,000 current and former students, cost the university an estimated $3 million to recover and mitigate.

At the time of the UVA cyberattack, the three most common attack methods were (1) spear phishing, (2) unpatched systems, and (3) zero-day exploits. Spear phishing had evolved from phishing, which involved sending millions of e-mails asking the victims to click on a malicious link or download an infected file. Over the years, criminals had started to select only a few victims in an organization, tailoring the e-mail messages to these employees, which was known as spear phishing. Spear phishing was an attack on human vulnerabilities and remained the most popular and effective attack vector. In 2015, on average, criminals sent spear phishing e-mails to 18 individuals within an organization they targeted. This tactic made it very difficult for the spam filters and automated phishing-detection systems to spot spear phishing.

The next typical attack vector was identifying and attacking computer systems that had not been patched properly. Patches were software updates installed on computers that fixed a known system vulnerability. Typically, software vendors such as Microsoft, Apple, and Adobe pushed patches on a regular basis. The amount and variety of software vendors that sent patches often made it difficult to manage all the updates to the computer systems. UVA's ITS managed several hundred servers for a variety of workgroups that ran a myriad of applications and services. Also, there were hundreds of computers used by university employees and hundreds more in student computer labs that needed to be constantly patched. Further complicating patch management was the fact that students, staff, faculty, and visitors could connect almost any Internet device to UVA's network. ITS had very little control over how and when these devices were updated with the latest security patches.

The last typical vector for attack was zero-day exploits, which were not publicly known and did not have a patch or workaround available to fix the security hole. The name "zero day" came from how many days an organization had known about the vulnerability. Although rare, zero-day exploits were severe and very difficult to detect and mitigate. Typically, zero-day exploits were created and used by state actors or very sophisticated cybercriminals. In 2015, there were only 24 zero-day vulnerabilities reported.

The most common way to mitigate all three of these attacks was through a "defense in depth" IT security model. Defense in depth, or castle defense, was a layered approach originally conceived as a military tactic. The military defensive system typically used an outer wall to protect its citizens, a castle to protect more important resources, and a keep to protect the most valuable assets such as the king or queen. In an IT security context, a similar conceptualization was used, where the most sensitive information was identified and protected by many layers of systems. Exhibit 1 shows the primary layers of defense that were in place at UVA at the time of the attack.

Layer 0, also known as "the kernel," included servers that held the most sensitive university data. Technological and process defenses were built around this layer so that only a few people and services could access the data. This protection technique was called hardening. The next layer of protection, Layer 1, included servers that employees and students could access using their log-in credentials (e.g., username and password), including e-mail servers, web applications, and so on. The final layer of defense, Layer 2, included all employee and student devices and local servers that held no sensitive information. In this layer, there was also a segmented area for research computers used by faculty and scientists at UVA that needed to be accessed from external organizations. No sensitive information was supposed to reside on these servers, and these servers could not access the rest of the UVA network. The ultimate goal of the defense-in-depth model was to harden the perimeter of the network while maintaining a secure kernel, detect unauthorized access to resources, and react to security incidents as they occurred. In UVA's case, the cyberattack had been detected by a federal government agency that promptly notified UVA's chief information security officer, who, in turn, contacted her boss, Evans.

The Rise of the Phoenix Project

When Evans left the BOV meeting, the first thing she did was call Mandiant, an internationally recognized cybersecurity firm. Coincidentally, she had recently attended a conference where she learned how Mandiant had helped Penn State navigate its cyberattack, and fortunately, she still had the Mandiant representative's card in her wallet! The second order of business was to get a contract signed with Mandiant, which cleared UVA's Procurement Office in record time. Evans exclaimed, "Responding as quickly as you can is important because you don't know what the attackers are doing!"

Answer questions

Phoenix case: prepare answers to the following questions:

1. What did Evans do well in the period between first learning of the breach and assembling the Phoenix project team? What could she have done differently/better?
2. Evans and German are now at a point where they have teams formed, an end goal in mind, and a hard deadline - what project management methodology would be best suited to accomplishing the goals of the project in a timely manner?
3. This project is unique in that it required absolute secrecy. What special considerations or project management tactics are necessary when managing a project where confidentiality is of utmost importance?
