In FY21, Enterprise Technology & Services (ET&S) Cybersecurity put the University System of New Hampshire’s (USNH) network to the test to assess its integrity and security.
First, ET&S conducted a series of internal and external penetration tests to fully assess the security of USNH systems and help secure all data. Next, it battle-tested a new Incident Response Plan by participating in a four-hour tabletop exercise developed to test Plymouth State University’s (PSU) ability to meet several objectives regarding emergency management.
Penetration Testing
ET&S tested 3,600 systems across USNH, including applications, servers, endpoints, printers, network devices, phones and other devices connected to the network. These tests simulated an internal cyberattack using network credentials and hacking from outside the USNH network.
This risk-based approach helps Cybersecurity eliminate and remediate top risks to the network while assessing and improving upon potential vulnerabilities. Last year’s testing was successful in identifying areas of both strength and vulnerability. ET&S conducts these tests annually to prevent potential cyberattacks and to keep all student, faculty and staff data on the USNH network from being compromised.
Incident Response Plan
Over the last year, ET&S trained internal teams to gain a full understanding of how to react to a cybersecurity incident. This involved a set of policies and procedures to follow in the event of a cybersecurity incident to maintain the confidentiality of data, the integrity of data and availability of information technology systems (aka the CIA triad).
The ET&S Cybersecurity team battle-tested this plan by participating in a tabletop exercise at PSU that included the FBI, law enforcement from the state and local government, PSU President Donald Birx, the PSU Emergency Management Team, PSU Police Chief Steve Temperino, Bill Poirier, the CIO of USNH and UNH, and Tom Nudd, USNH Chief Information Security Officer. Funding for the exercise was provided through a grant from the New Hampshire Department of Homeland Security and Emergency Management. The exercise was facilitated by D. Stafford and Associates, a professional consulting firm specializing in campus safety and security.
The exercise involved a staged cyber intrusion and takeover of University System infrastructure by a terrorist organization and a demand for bitcoin ransom. ET&S was well-prepared for the event and received high marks for its ability to respond to the simulation.
Chief Temperino spoke highly of the exercise.
“This was a very successful and realistic exercise which demonstrated high levels of collaboration and coordination internally between USNH Systems and outside resources,” Temperino said. “The exercise also helped PSU identity areas in need of improvement and updating.”
ET&S will continue to test the integrity and security of USNH systems moving forward, with an overall goal to protect the data of its users and data owned by USNH. It will also continue to update its Incident Response Plan as it learns new information.