There are not a lot of details, but Network World is reporting that the Penn State College of Engineering took their Internet connection “off the hook”.
Last November Penn State got a visit from the FBI – the visit that everyone hopes they will never get.
Penn State was the victim of two cyber attacks – according to Mandiant, at least one of them from China.
After the FBI visit, Penn called Mandiant and since then they have been trying to figure out how deep the hooks were in their network and how to get them out. All without letting the Chinese know that they knew.
Fast forward seven months and now they are ready to take action.
They yanked the plug on their Internet connection and have started rebuilding the network and servers.
They anticipate the University network will be down for several days as they rebuild it and put in more controls.
While the network is down, they have put contingency plans in place to allow the faculty, staff and students to get some work done.
The University said there is no “direct evidence” that the attackers stole research data or personally identifiable information such as Social Security Numbers.
Everyone who has an account on the Penn State network will have to change his or her password, and anyone who has remote access via a VPN will now have to use two-factor authentication.
In a letter posted on the Penn State web site, the University president said that faculty, staff and students in the College of Engineering (where the attack was centered) will need to learn to work under new and stricter computer security protocols.
In addition, they are launching a bigger review of cyber security University-wide.
While Penn State has not revealed how much they have spent over the last six months including fees paid to Mandiant and other consultants, internal staff costs, new equipment, policies, public relations and costs related to the temporary workarounds, I suspect it is in the millions.
I also suspect that the folks at Penn had a lot of sleepless nights during that period.
And while they have said that they don’t think any personal information was taken and they don’t have direct evidence that the attackers stole research, if that is true, why were the hackers there? They weren’t there just to check out the servers in Pennsylvania. If it is true that nothing at all was taken, they are the luckiest people on the planet.
No one can build a 100% hacker-proof defense, but the time to do the things that Penn State is doing is before the hackers infiltrate your network. You can do it at a more measured pace and at a lower cost. You have more time to explain to your employees and clients (in this case students) what you are doing and why. You have more time to test what you are doing and see what the impact of the changes is. If you make your network “hacker resistant”, it is likely that the hackers will go elsewhere. The time to act is before you are hacked.