Monday, March 10, 2014

Fundamental lessons learned from recent data breaches

Higher Education has seen its fair share of data breaches recently. This past week, the University of Maryland, Indiana University, the University of North Dakota, and Johns Hopkins University announced breaches.

The good news is that, slowly, breach notifications are starting to become a little more informative, which provides us with good opportunities to reflect on our own infrastructure.

Such reflection doesn't have to take forever, or lead to bulky reports. For example:

University of Maryland: Full compromise of a system used to manage ID cards and data exfiltration of PII. Root cause of impact of the breach: Excessive proliferation of private information.

University of Indiana: A web server was reconfigured in a way that lowered its security posture while PII was hosted on it. Root cause: insufficient change management for production configurations and lack of awareness of where PII is located.

University of North Dakota: Unauthorized access to an account with privileged access. Unknown how access was obtained. Root cause: weak authentication and possibly insufficient access control.

Johns Hopkins University: A coding error in a public-facing website allowed access to a back-end database. Root cause: insufficient coding standards (or enforcement of such standards) and excessive access to the back-end database, combined with a lack of active vulnerability scanning.

From these four breaches, we can learn a few higher level lessons:
  • Identify and limit data collection and proliferation to necessity, rather than convenience.
  • Actively manage vulnerabilities, both in terms of detection as well as in terms of remediation.
  • Implement strong authentication, including password recovery protocols.
  • Implement strong access control.
  • Implement strong audit trails.
  • Develop and implement hardened configurations and manage changes.
With all of this, it is imperative that higher management is informed transparently and fully. Make sure that you are not the highest person in the hierarchy who realizes what risks exist, what the likelihood of exploitation is, and what the impact would be.

Looking back at our own environment, we can identify where we are lacking, and then plan a path to improve how we identify and manage risks. Subsequently, we can work to obtain funding and buy-in, and get to work.

1 comment:

  1. Small mistakes can lead to big security issues. Like what happened with Johns Hopkins, a few lines of code that are amiss expose private data to the world at large.
