Fundamental lessons learned from recent data breaches
Higher Education has seen its fair share of data breaches recently. This past week, the University of Maryland, Indiana University, the University of North Dakota, and Johns Hopkins University announced breaches.
The good news is that, slowly, breach notifications are starting to become a little more informative, which provides us with good opportunities to reflect on our own infrastructure.
Such reflection doesn't have to take forever, or lead to bulky reports. For example:
University of Maryland: Full compromise of a system used to manage ID cards and data exfiltration of PII. Root cause of impact of the breach: Excessive proliferation of private information.
University of Indiana: Web server was reconfigured to lower its security posture, while PII was posted. Root cause: Insufficient change management in production configurations and lack of awareness with regards to the location of PII.
University of North Dakota: Unauthorized access to an account with privileged access. Unknown how access was obtained. Root cause: weak authentication and possibly insufficient access control.
Johns Hopkins University: A coding error in a public-facing website allowed access to a back-end database. Root cause: insufficient coding standards (or executive of such standards), excessive access to back-end database, combined with lack of active vulnerability scanning.
From these four breaches, we can learn a few higher level lessons:
The good news is that, slowly, breach notifications are starting to become a little more informative, which provides us with good opportunities to reflect on our own infrastructure.
Such reflection doesn't have to take forever, or lead to bulky reports. For example:
University of Maryland: Full compromise of a system used to manage ID cards and data exfiltration of PII. Root cause of impact of the breach: Excessive proliferation of private information.
University of Indiana: Web server was reconfigured to lower its security posture, while PII was posted. Root cause: Insufficient change management in production configurations and lack of awareness with regards to the location of PII.
University of North Dakota: Unauthorized access to an account with privileged access. Unknown how access was obtained. Root cause: weak authentication and possibly insufficient access control.
Johns Hopkins University: A coding error in a public-facing website allowed access to a back-end database. Root cause: insufficient coding standards (or executive of such standards), excessive access to back-end database, combined with lack of active vulnerability scanning.
- Identify and limit data collection and proliferation to necessity, rather than convenience.
- Actively manage vulnerabilities, both in terms of detection as well as in terms of remediation.
- Implement strong authentication, including password recovery protocols.
- Implement strong access control.
- Implement strong audit trails.
- Develop and implement hardened configurations and manage changes.
With all of this, it is imperative that higher management is informed transparently and fully. Make sure that you are not the highest person in the hierarchy who realizes what risks exist, what the likelihood of exploitation is, and what the impact would be.
Looking back at our own environment, we can identify where we are lacking, and then plan a path to improve how we identify and manage risks. Subsequently, we can work to obtain funding and buy-in, and get to work.
July 6, 2015: Disabled comments for this post due to excessive spam submissions
Looking back at our own environment, we can identify where we are lacking, and then plan a path to improve how we identify and manage risks. Subsequently, we can work to obtain funding and buy-in, and get to work.
July 6, 2015: Disabled comments for this post due to excessive spam submissions