Drury University student attempts to hack city of Springfield in cybersecurity partnership

SPRINGFIELD, Mo. (KY3) - Drury University partnered with the city of Springfield to ensure its network is guarded against malicious hackers.

The process is called a network penetration test, and it’s when an organization hires white hat hackers to break into their systems.

This is the second year of the partnership between the city and the university. The test is conducted by a senior as part of their capstone project, and a faculty member oversees the process. During the test, the student attacks the network in the way that a malicious hacker would, looking for vulnerabilities that would allow a hacker to compromise assets. The student then writes a report on the findings, and the city uses that to improve its security.

Director of information systems for Springfield Neil Slagle says the idea behind that network penetration test is to reveal any issues.

There’s one test done externally from the city’s system. Slagle says the city then gave the student access to the internal part of the system to see what may be vulnerable to a cybersecurity attack.

”We had just a few things that he thinks that we should’ve concentrated on, but for the most part, he said that we had a pretty tight network,” Slagle says.

Springfield leaders are making the necessary changes to make the systems more secure.

“These exploits come out throughout the year,” Slagle says. “Patches take time to come out from some of the different manufacturers, and as soon as those patches come out, that’s when we take those, and we’ll patch those systems, so it’s just an ongoing process. We’re actually fixing the code within the particular networking device so that device is practically hackproof.”

Assistant professor in cyber risk management at Drury University Shannon McMurtrey oversees the student in charge of attacking the city’s network system.

McMurtrey says the rise of ransomware has put pressure on organizations to keep upgrading security constantly.

“There’s no such thing as perfect security,” McMurtrey says. “Security is not a destination. It’s a journey. So you’re never at a point where you can stamp it 100% secure.”

“Drury’s Cyber Risk Management courses prepare students to work in the field protecting networks, and we cover both offensive and defensive cyber security techniques,” McMurtrey says. “It’s one thing to talk about these things in the classroom and do exercises, but it’s a whole different scenario when you’re in the real world and dealing with real networks. It’s very useful for the students to get that hands-on experience.”

The goal is to not only keep this partnership a yearly thing but also to expand it.

McMurtrey says he hopes to include other types of cybersecurity, like social engineering.

“Instead of trying to hack computers, we hack people,” McMurtrey says. “You might call a customer service help desk and convince them that you’re working in tech services for the city and you need them to put in this address and visit this URL, and you basically are trying to trick people. If they fall for that, that again can introduce risk.”

It’s not just big organizations that can fall victim to this. McMurtrey says small businesses and people can too.

“They may have intellectual property that is kind of the heartbeat of their organization,” McMurtrey says. “Having good cyber hygiene, just good passwords, two-factor authentication, using a firewall. There are some basics that small businesses can and should be doing.”

McMurtrey says that if the password can fit in your head, it’s not a great password when it comes to having a solid password.

“Especially if you’re re-using it on more than one account,” McMurtrey says. “We really need to have very unique, long passwords that we use for every account.”

Even more critical than the password is making sure two-factor authentication is turned on.

“So that even after you put in the password, it asks for a code from your authentication app or something that’s sent to you through text or some other means so that even if somebody has your password, they still don’t have access to your account,” McMurtrey says.

The Missouri Cybersecurity Center of Excellence outlines the framework for the partnership, a 501(c)(3) formed to advance workforce development and training in cybersecurity. The MCCoE also provides internships and employment opportunities for students studying cybersecurity.

“The City is very excited to have partnered with the MCCOE and Drury University to have conducted our City network penetration testing,” Slagle says. “We felt the testing was thorough and plan to continue this in the future. It is a great example of real-world collaboration to help grow local cybersecurity skills and for the city to access that talent,”

McMurtrey also serves as faculty advisor for the Drury University Cyber Defense Club, which recently placed in the top 5% of the nation at the National Cyber League Team Competition.

To report a correction or typo, please email digitalnews@ky3.com

Copyright 2022 KY3. All rights reserved.