This time it’s Ohio University
that has discovered that hackers have remotely operated at least three
of their servers for as much as a year or longer.
news is reporting said servers
held the Social Security numbers of 137,000 people and
that the university was unaware of the intrusion until the FBI
notified them (the article does not say how the FBI detected the
intrusion but thank goodness someone was on the job).
As the university says,
functionality must be balanced with security.
However, this does not mean you should have no
auditing applications in place to detect intrusions (as seems to be
the case here).
It’s about balance. Absolute
security means absolutely no remote access. This extreme doesn’t work
for most people because the purpose of the server is usually to allow
access to information. If no one can access it, the
server serves no purpose (pun not intended). But. That does not mean
you go to the other extreme and have no security.
In my opinion, there is no
excuse for administrators who do not institute intrusion applications
because these applications, for the most part, do not
impede functionality. They don’t prohibit access by hackers either but
they can detect such access.
It bothers me that
administrators at this university (and others) don’t do the minimum
required to ensure the security of their servers. We have already seen
the transformation of hacking from a teenager trying to get into a
server just for bragging rights to organized crime making it part of
It is long past time that
administrators took this change seriously.