The good news is that, slowly, breach notifications are starting to become a little more informative, which provides us with good opportunities to reflect on our own infrastructure.
Such reflection doesn't have to take forever, or lead to bulky reports. For example:
- University of Maryland: Full compromise of a system used to manage ID cards, followed by exfiltration of PII. Root cause of the breach's impact: excessive proliferation of private information.
- University of Indiana: A web server was reconfigured to a lower security posture while PII was posted on it. Root cause: insufficient change management of production configurations, and a lack of awareness of where PII was located.
- University of North Dakota: Unauthorized access to an account with privileged access; how the access was obtained is unknown. Root cause: weak authentication and possibly insufficient access control.
- Johns Hopkins University: A coding error in a public-facing website allowed access to a back-end database. Root cause: insufficient coding standards (or insufficient execution of such standards) and excessive access to the back-end database, combined with a lack of active vulnerability scanning.
The common threads across these incidents point to a short list of controls:
- Identify and limit data collection and proliferation to what is necessary, rather than what is convenient.
- Actively manage vulnerabilities, both in terms of detection as well as in terms of remediation.
- Implement strong authentication, including password recovery protocols.
- Implement strong access control.
- Implement strong audit trails.
- Develop and implement hardened configurations and manage changes.
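The last item, hardened configurations with managed change, is the one the Indiana case turns on: a production server drifted from its intended posture and nobody noticed. A minimal way to notice is to keep the hardened baseline as data and compare the running configuration against it on a schedule. The following Python is an added illustration, not code from the original post or from any of the universities named; the key=value format, setting names, and values are constructed for the example.

```python
"""Detect drift of a running configuration from a hardened baseline.

Added example. Both inputs are constructed key=value text; the setting
names and values are hypothetical and not taken from any real server.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed hardened baseline: every key here must be present and equal.
HARDENED_BASELINE = """
directory_listing = off
tls_min_version = 1.2
server_tokens = off
allow_anonymous_upload = no
"""

# Constructed snapshot of a running server: two settings were loosened
# and one baseline key was removed entirely.
RUNNING_CONFIG = """
directory_listing = on      # loosened
tls_min_version = 1.2
allow_anonymous_upload = yes  # loosened
"""


@dataclass(frozen=True)
class Drift:
    key: str
    expected: str
    actual: Optional[str]  # None means the setting is missing altogether


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def find_drift(baseline: dict[str, str], running: dict[str, str]) -> list[Drift]:
    """Return one Drift per baseline key that is missing or has a different value."""
    drift: list[Drift] = []
    for key, expected in sorted(baseline.items()):
        actual = running.get(key)
        if actual != expected:
            drift.append(Drift(key, expected, actual))
    return drift


def drift_report(baseline_text: str = HARDENED_BASELINE,
                 running_text: str = RUNNING_CONFIG) -> list[str]:
    """Human-readable lines, one per deviation; empty list means no drift."""
    lines = []
    for d in find_drift(parse_config(baseline_text), parse_config(running_text)):
        state = "MISSING" if d.actual is None else f"is {d.actual!r}"
        lines.append(f"{d.key}: expected {d.expected!r}, {state}")
    return lines


if __name__ == "__main__":
    for line in drift_report():
        print(line)
```

Run on a schedule and fed into the audit trail, a non-empty report is the signal that a change bypassed change management; an approved change is made by updating the baseline first, so that the diff goes back to empty.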
Looking back at our own environment, we can identify where we are lacking, and then plan a path to improve how we identify and manage risks. Subsequently, we can work to obtain funding and buy-in, and get to work.
July 6, 2015: Disabled comments for this post due to excessive spam submissions