American University of Beirut's data: how secure is it? [Al-Akhbar (Lebanon)]
(Al-Akhbar (Lebanon) Via Acquire Media NewsEdge) Leaked reports from the American University of Beirut (AUB) exposed serious issues related to its IT environment, and revealed a hidden conflict between the Information Technology Office and the Internal Audit Office regarding management of confidential data.
"AUB's IT environment is insecure," revealed an internal report issued by AUB, which Al-Akhbar was able to obtain recently.
The report, which was supposed to be published months ago, states a summary of the finds by the Faculty Working Group (FWG). The group was formed by AUB President Peter Dorman on May 14, 2013 in order "to review the protocols, policies, and procedures of the university's Information Technology Office (ITO) as they relate to the protection of e-mail databases and archive integrity, including encryption, chain of custody and related matters."
The IT environment at AUB is improperly protected because it seriously lacks the knowledge concerning confidentiality, policies and procedures, as well as the absence of mechanisms to log-on and an awareness of data integrity. The report comes about after the university's Internal Audit Office (IAO) seeked to gain access to a specific mailbox.
"Because the needed mailbox data was stored on an encrypted archival tape, it was not readily accessible," the report stated, adding the entire email database was restored to hard disks.
"Asserting that IT did not possess the needed software tool to extract specific mailboxes from the disks in a form that would allow the establishment of an audit trail, IA[O] took possession of the disks and moved them to the IA[O] office," the report noted.
At this point, the IAO did not approach the IT department to seek a technical solution, rather copied all the database onto two hard disks which were then removed from the IT Data Center. The hard disks remained with individuals from the IAO for three days before being destroyed.
While members from the IT department were invited to attend (the disk-destroying ceremony), they did not as "the disks had no verifiable chain of custody, and could not confirm that the disks being destroyed were the original and only copies of the database."
The FWG was then mandated to follow up on concerns raised by two senior staff members of the IT department in terms of data privacy after news broke in April 2013 of the IAO's activities.
While sources claimed that the two senior staff members were subsequently expelled from the university over these objections, another source stated that the expulsion was related to the IAO's discovery that there were shortcomings in their work, particularly in terms preserving information security and confidentiality.
The leaked report reveals a hidden dispute between the ITO and the IAO concerning the management of the confidentiality of the data. Al-Akhbar tried to get answers regarding this subject from the university's administration, who waited two days before announcing that it will not comment on the content of the report currently in Al-Akhbar's possession.
The university's administration stated that it will soon comment on the issue and publish an official report.
AUB's official report concluded that the IT environment of the university is insecure, and indeed the entire database of the university was copied and transferred from the IT Department. This is a clear violation of the university's policy, privacy rules and the standard protocols that universities around the world follow in carrying out investigations.
The report also notes that the FWG was composed of members of the faculty with the aim of investigating the incident.
Ten interviews were conducted in June 2013 with individuals involved in the data transfer from the IT Office to the Internal Audit Office. Notably, almost all of the interviewees granted permission to be recorded except two - Peter May, vice president of the Legal Affairs Department, and Andrew Cartwright, the university's auditor.
Sources have alluded there are charges against a senior staff member in the university for smuggling the data to Cyprus. It is not yet known whether the team that investigated the incident did a fact finding mission about these charges, but preventing the FWG from recording the interviews with both May and Cartwright raises questions which have thus far remained unanswered.
The report also notes the university's administration refused the request by the FWG to conduct interviews with members of the IT department within the IAO, despite the fact the FWG had already met with Cartwright. Furthermore, the FWG was denied access to relevant documents possessed by the IA office and the Vice President of Legal Affairs.
This has led to the conclusion that the FWG's work is still incomplete and loopholes remain, thereby motivating the university's senior management to insist on keeping the report's findings under wraps.
The report also states that since the beginning of 2013 the IAO had been seeking to gain access to the mailbox database without offering any clarifications for why it seeks to do so, whether in terms of looking into security, criminality, or a request by Lebanese authorities or foreign security services.
The FWG report ends with a set of conclusions and recommendations, notably that the IT environment at AUB is improperly protected because it seriously lacks the knowledge concerning confidentiality, policies and procedures, as well as the absence of mechanisms to log-on and an awareness of data integrity.
The report pointed out that the security measures currently in place that manages and stores communications and emails were insufficient.
According to information obtained by Al-Akhbar, one student within the Department of Engineering successfully hacked into the Audit Bureau's database, but this incident was kept hidden.
In regards to the security and confidentiality of the university's data, the report noted that communication between the IA office, IT office, and upper management lacked clarity, timeliness, and documentation.
It added that the mailbox data needed for the IA's investigations could have been retrieved from disks from the IT Data Center premises while maintaining confidentiality.
"There appears to have been no valid reason for IA to remove the disks from the Data Center," the report said, concluding that "a policy should be developed which disallows removal of data from the IT Data Center without specific justification and authorization."
This article is an edited translation from the Arabic Edition.
(c) 2014 Al-Akhbar. All rights reserved Provided by Syndigate.info, an Albawaba.com company
[ Back To TMCnet.com's Homepage ]