But the rest of the guys out there can learn from this, and make sure... Don't Let This Happen to You!
The following is from
Don’t let this happen to you!
Security not a priority, OU computer system audit finds
Friday, June 23, 2006
Plain Dealer Reporter
Athens - An audit of Ohio University's computer system has found that security was not a priority and that lack of communication between computer and network services departments contributed to several computer breaches.
Since April, the university has discovered five such breaches involving theft of the personal information of about 367,000 people. The stolen material included names, Social Security numbers and medical information.
The university has computer services and communication network services departments that have not worked well together, the audit found. The audit report was released Thursday.
"Going back over 10 years, CS and CNS have traditionally worked autonomously and have not teamed together in a cooperative, collaborative environment. This has led to a quasi combative culture between two key groups who should have been working together," the audit says.
Roderick McDavis, OU's president, said he is "angry and embarrassed" by the computer breaches. "We are committed to fixing the problem," he said.
The university has made some changes since the audit was completed.
That includes suspending the director of communication network services and the manager of Internet and systems. In addition, the central information technology organization, which includes computer services and communication network services, is being restructured and three individuals who were placed on administrative leave will return to work because they were cleared of wrongdoing.
The university commissioned the audit by Illinois-based Moran Technology Consulting after the first breaches were discovered.
The audit also found:
• Understaffing of information technology personnel.
• Underskilled staff.
• Undefined information technology roles and responsibilities.
During interviews conducted by Moran Technology, staff members expressed frustration that communication network services and computer services management did not give enough priority to security in the planning, design, implementation and management of the university's information technology infrastructure.
"Many people commented that when new security ideas from various staff were discussed, their input was frequently ignored and sometimes ridiculed by CNS management," the report says.
The staff also told Moran that many employees only had on-the-job training. Many of the computer services staff members involved with managing the Windows server formerly worked in janitorial and help-desk positions.
In addition, the audit found that when computer services asked communication network services for information to diagnose performance or security problems, their requests were rejected.
If computer services and communication network services had worked together, the university "may have benefited from a more robust network monitoring facility," the report says.