Drury University student hacks Springfield government — but only to improve its security

·4 min read
Neenah schools continue to cope with the aftermath of a Jan. 10 ransomware attack.
Neenah schools continue to cope with the aftermath of a Jan. 10 ransomware attack.

Testing the city's protections against malicious hackers, a Drury cybersecurity student attempted last week to break down the city of Springfield's cyber defenses.

Called a network penetration test, an organization often hires white hat hackers to break into their systems.

During the test, the student attacked the network in the way a malicious hacker would, looking for vulnerabilities allowing a hacker to compromise assets. The student then wrote a report on the findings the city uses to improve its security.

Conducted by a senior as part of their capstone project, this is the second year for the partnership between Drury and the city.

“Drury’s Cyber Risk Management courses prepare students to work in the field protecting networks and we cover both offensive and defensive cyber security techniques,” said Shannon McMurtrey, assistant professor in cyber risk management.

More: Construction begins on Grant Avenue Parkway, road closures near Parkview High over summer

“It’s one thing to talk about these things in the classroom and do exercises, but it’s a whole different scenario when you’re in the real world and dealing with real networks. It’s very useful for the students to get that hands-on experience.”

To protect the integrity of the city's network, not many details can be shared about the test, but Information Systems director Neil Slagle said the penetration test was helpful in ensuring the integrity of their system.

“We felt the testing was thorough and plan to continue this in the future. It is a great example of real-world collaboration to help grow local cyber security skills and for the city to access that talent,” Slagle said.

Speaking to the News-Leader, Slagle confirmed the students were unable to breach the city's most sensitive information.

"We have pretty good security in the city," he said.

Instead, the Drury student was able to hack into several unpatched desktops, laptops, or mobile devices. But those devices exploited in the test were "non-exploitable" by a potential malicious actor.

"So it was good, actually not finding anything is actually really good for us," Slagle said. "In fact, the student told us that he thought he was doing something wrong because they couldn't hack into it."

According to Slagle, cyber security is most critical to prevent any disruption to "life-threatening applications" used by the city's law enforcement.

"If those systems are offline, that could put a police officer at risk. Safety is always a top priority at the city," he said.

The integrity of Springfield's information systems is also paramount to secure personal identifiable information collected through law enforcement data, HIPPA information, or through other sources.

More: Driven by shootings, Springfield's violent crime rate is up in 2022

Slagle called the penetration test a "resounding success" — adding the city is in talks with Drury's Cyber Defense Club to conduct these tests every six months.

"It gives the students a practical experience that they just might not get in a classroom," Slagle said.

"You have a network like the city of Springfield. We got about 2,300 people here and we're in about 130 buildings in the city. And we have technology all over and to have them look at a network of our size, and to be able to see if they can penetrate it — it's very exciting for students."

McMurtrey also serves as faculty advisor for the Drury University Cyber Defense Club, which recently placed in the top 5 percent at the National Cyber League Team Competition.

"Our student organization was formed to allow students to compete in cyber defense competitions around the country and allow for time outside the classroom where students can prepare for the competitions at practices in the same way that the sports teams and e-sports teams do," McMurtrey said.

"We qualified for the regional semi-finals in National Collegiate Cyber Defense Competition out of a nine-state region, led all schools in Missouri and finished third overall."

The cybersecurity curriculum at Drury is split between the college of business and computer science. Graduates of the program go on to work as security analysts, threat analysts, network security engineers, digital forensic analysts, junior penetration tester, and other cyber security roles.

This article originally appeared on Springfield News-Leader: Drury University student hacks Springfield for cyber security test