Howard Solomon @howarditwc
Published: January 9th, 2019
When consumers type their names into a search engine they want to know how much personal information is available about them is on the public Internet.
What they shouldn’t find is private information a trusted organization is supposed to protect.
So a U.S. woman was stunned recently when she Googled her name and up popped an image of her driver’s licence. She’d submitted the scanned image of her licence for an Atlanta-area school board after applying to be a substitute teacher.
Following a link on the photo, it went to an open file that had many other personal identity documents that had been filed by applicants. Those documents — including images of passports — could easily have been used to create phony identities.
The school board stored those images in a folder on a secure server. However, on Dec. 22 until the district’s cloud-based web server crashed due to a vendor-related event. It was restored on Dec. 24, but according to a Jan.4 news report the crash had corrupted security software, leaving the data unprotected.
It wasn’t fixed until a TV reporter who the woman called notified the school board.
It’s an example of how IT teams not only have to think things through but also not rush, says a veteran penetration tester who looks for holes in enterprises. Misconfiguring systems “is one of the main reasons why I break into companies,” said Terry Cutler, vice-president of cyber security at Montreal-based Sirco Group.
“I think these guys [at the school district] panicked and did whatever they could to rebuild the server and put it back online as soon as possible. So they misconfigured the system.”
“Those guys obviously didn’t do their audit. Had they run a vulnerability scan they would have found it. A scan would have picked it up as critical. Even if they had done an advanced Google search and typed in “site:” and the name of the [district] web site it would show every web site linked, and it would have shown up.”
The lesson is IT must have processes for staff to follow when restoring any server knocked online to ensure pre-incident security is restored.
The U.S. National Institute for Standards and Technology (NIST) Cybersecurity Framework outlines five functions CISOs should follow to create a mature cyber security program. One of them is Respond, which urges IT leaders to create processes to oversee response and restoration of service.
Sometimes these processes are called playbooks, detailed instructions on how to respond to a variety of expected issues. Playbooks first identify an organization’s assets, weaknesses, expected threats and how to respond to a range of problems. Experts also say playbooks must be tested to make sure they are relevant, and that they work.