Pratum Blog

If you’re one of the 145 million eBay users who was notified to change your password after a security breach was discovered, raise your hand. If you were affected by the Target breach, raise your hand. Michaels breach? The hack on Iowa State University? The University of Northern Iowa’s information security breach?

I think you’re starting to see the trend here. Iowans typically think of themselves as living in a safe community. Even the capital city of Des Moines has low crime rates when compared to many other areas of the country. I still know people who don’t lock their doors or leave keys to the car on the seat with absolutely no thought that they’ll be a victim of crime.

This relatively safe physical environment doesn’t translate well into the online world. We’re just as susceptible to cybercrime as those living anywhere in the world. Midwesterners are a trusting group as a whole. This needs to change when placing your personal information in the hands of others. Systems are being hacked every day. You can’t prevent it, but you can limit the effect by only providing the minimal amount of information required to complete a transaction.  

Ask questions and be skeptical. Nobody is going to protect your data like you will. I know it’s hard for trusting folks, but times are changing.

eBay has a long history of taking information security seriously. In 2003 they hired Howard Schmidt as their CISO. Mr. Schmidt is considered to be one of the leading authorities on cyber security. He led Microsoft’s effort and served as the head of cyber security for both President George W. Bush and President Barack Obama.

I have no doubt that eBay has a very robust and mature information security program. Still, they were hacked. You can read their statement here. Is this the new norm? Are we becoming numb to the events? It’s like living in another part of the world where physical violence is a part of everyday life. Do we simply learn to deal with it?

I don’t think that’s the answer. When organizations that take security seriously are breached on a regular basis, something needs to change. The way we do business; the way we store data; the expectations we have on data custodians; the punishment we hand down for criminals. Something. Everything. Change is needed.

Iowa State University reported an information security breach yesterday. Officials stated that 5 network attached storage (NAS) devices were hacked. These devices were departmental devices and used to store social security numbers for students who took certain courses between 1995 and 2012. You can find out if you are impacted at this link.

I’ve read through the official statement and there are two issues which are concerning to me. The first issue is why the individual departments had a need for student social security numbers. SSN has not been allowed as an identifier by most colleges in Iowa for over two decades. The student ID number replaced the SSN. I was a CIO at a community college in Iowa more than 10 years ago and the SSN was not used as an identifier. What was the purpose of the initial request for these social security numbers and why was it stored for so long?

The second concern I have is in the details of the “What’s being done to secure information” section of the statement. “Other servers of the same type are no longer accessible through the internet, have received software updates to prevent hacking, and will be replaced as soon as possible.” Why on earth would any of these NAS devices be accessible to the internet? Your long term storage, databases and data warehouses should always be on an internally secured network segment. Even traffic from other internal security zones should be restricted from accessing these systems except as explicitly required to maintain functionality.
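The segmentation rule above (storage never reachable from the internet, and reachable from other internal zones only where explicitly required) is easy to state and easy to lose track of across years of firewall changes. The following is an added example, not Pratum’s code and not ISU’s configuration: a small policy audit that models firewall rules as zone-to-zone allows and denies and flags any rule that violates the posture described. Zone names, ports and the list of required flows are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed model of a zone-based firewall policy. Zone names ("internet",
# "storage", "backup", "app", "workstations") are hypothetical; "storage"
# stands for the segment holding NAS devices, databases and data warehouses.


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int      # destination TCP port; 0 means "any port"
    action: str    # "allow" or "deny"


# Flows into the storage segment that are explicitly required to maintain
# functionality (assumed for this example): the backup server over SMB and
# the application tier over NFS. Anything else should be denied.
REQUIRED_STORAGE_FLOWS = {
    ("backup", 445),
    ("app", 2049),
}


def audit_storage_policy(rules, storage_zone="storage",
                         untrusted_zones=("internet",),
                         required_flows=REQUIRED_STORAGE_FLOWS):
    """Return a list of findings; an empty list means the policy matches
    the intended posture for the storage segment."""
    findings = []
    has_default_deny = False
    for i, r in enumerate(rules):
        if r.dst_zone != storage_zone:
            continue
        # A catch-all deny into the segment makes it default-deny.
        if r.action == "deny" and r.src_zone == "any" and r.port == 0:
            has_default_deny = True
            continue
        if r.action != "allow":
            continue
        port = r.port or "any"
        if r.src_zone in untrusted_zones or r.src_zone == "any":
            findings.append(f"rule {i}: {r.src_zone} -> {storage_zone}:{port} allowed; "
                            "storage must not be reachable from untrusted networks")
        elif r.port == 0:
            findings.append(f"rule {i}: {r.src_zone} -> {storage_zone}:any allowed; "
                            "internal zones need per-port allows, not blanket access")
        elif (r.src_zone, r.port) not in required_flows:
            findings.append(f"rule {i}: {r.src_zone} -> {storage_zone}:{port} allowed "
                            "but is not on the list of required flows")
    if not has_default_deny:
        findings.append(f"no catch-all deny into {storage_zone}; "
                        "the segment is not default-deny")
    return findings


# Constructed sample policy. Rule 1 is the mistake described in the ISU
# statement (storage reachable from the internet); rule 4 is the common
# internal variant (a whole user zone allowed in on every port).
SAMPLE_RULES = [
    Rule("internet", "web", 443, "allow"),
    Rule("internet", "storage", 445, "allow"),
    Rule("backup", "storage", 445, "allow"),
    Rule("app", "storage", 2049, "allow"),
    Rule("workstations", "storage", 0, "allow"),
    Rule("any", "storage", 0, "deny"),
]

# The same policy with the two bad rules removed.
HARDENED_RULES = [r for i, r in enumerate(SAMPLE_RULES) if i not in (1, 4)]


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}:")
        for f in audit_storage_policy(rules) or ["  OK"]:
            print(" ", f)
```

Run against the sample policy the audit reports the internet-facing rule and the blanket workstation rule; against the hardened policy it reports nothing. Dropping the final catch-all deny produces a third finding, because an allow-list without a default deny only restricts what someone remembered to write down.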

I can only assume that these devices were being managed by departmental staff and not the enterprise IT group. Distributed IT administration is simply an outdated model that cannot be allowed to continue. In most organizations, there is no way to ensure the skillsets are available to protect the confidentiality, integrity and availability of such critical data in the distributed environment. I know all the arguments for the distributed model. Flexibility, speed, closer to the business, etc. I get it, but the job is now for the modern CIO to figure out how to provide the business with the flexibility and speed they see with the distributed models, with the information security that is gained in the centralized model.

This breach should not have happened. The SSN should never have been kept on a departmental drive, the system should not have been directly accessible from the internet and the data should have been purged when no longer needed. All basic information security techniques. When the basics are missing, information security breaches are inevitable.
