Anybody who carries out a deliberate cyberattack on an organization is committing a crime. Just as there can be no well-meaning robberies, there is no such thing as a positive breach on enterprise security. That said, sometimes it is only after organizations are attacked that they begin developing the rigorous security infrastructure — including strong authentication — necessary to keep malicious forces out.
In a recent and widely reported story, the University of Maryland was attacked by a data breach in February that exposed private information for nearly 300,000 people, according to The Diamondback. The breach resulted in negative press for the university, and ultimately led the college’s president Walter Loh to testify before Congress at a committee hearing where Entrust was also present.
But according to a former contractor for the university, David Helkowski, the university did not take the proper preventive measures in the wake of the huge attack, and he suspected that their internal infrastructure remained highly vulnerable. And so he did some off-the-clock investigative work of his own, testing the strength of the university’s systems from his home. What he discovered was a system just waiting to be attacked.
“If I had actually gone on and used what I call malicious exploits, which are things used to damage a system, I could have gained full-fledged access to their systems, potentially to their entire network,” he said.
When Helkowski’s calls to the university went unreturned, he said he did the next best proactive measure to draw attention to the system’s weakness: He posted information from the university’s administrative system on Reddit.
Legal Action Being Taken Against Helkowski
Helkowski said he maliciously accessed data in order to expose a weakness. In his mind, he was being helpful. In the eyes of the law, though, he is a criminal — and is to be treated as such. According to The Baltimore Sun, Helkowski was in for a rude awakening when the FBI stormed his house, searching for any incriminating material. But they did not have to look far: Helkowski was open about having hacked the system, and painted himself as a whistle-blower doing a dubious civic duty.
“I had to do it because if I did not do that, they wouldn’t have acknowledged the seriousness of the problem,” he said.
For Helkowski, committing a criminal act was justifiable to expose what he saw as an inexcusable weakness in the infrastructure of his (now former) employer. According to him, the university had a batch of code on its website that made it extremely easy for criminals to breach. When he called on the university to change it, Helkowski said his warnings went unheeded.
According to University President, Changes are Being Made
For its part, the University of Maryland is not sitting around waiting for another breach to happen, according to its president, Wallace D. Loh. Testifying before the Senate Committee on Commerce, Science and Transportation, Loh said that the school is taking stringent measures to prevent another attack from happening.
“The university IT staff with the support of outside consultants are working virtually non-stop to protect better the vast information systems in our network that are accessible to students, faculty, staff and others.”
These preventive measures include a comprehensive evaluation of the school’s security infrastructure and a commitment to making changes as necessary.
For all enterprises, a large part of defending against cyber threats is making sure the company’s identity is sealed off. This can be accomplished through better authentication strategies, which function to keep malicious forces at bay, and only allow the right people into the database.