Recent Higher Education Security Incidents

Here are four recent security incidents that were serious enough to require public notification. Thanks to Adam Dodge at Educational Security Incidents.

University of Florida web site contains former student social security numbers

Four Ohio State University breaches in 2010 expose personal information

Virus at Oklahoma State health services center exposes patient information

High Point University misuses student credit card information

BTW, Cymbel is an approved Massachusetts Higher Education Consortium vendor.

Automated Clearing House (ACH) fraud increasing

CSOOnline has a good article on ACH (Automated Clearing House) fraud:

Fraud involving the Automated Clearing House (ACH) Network, which is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals, is becoming an increasingly popular way for hackers to siphon money out of the bank accounts of unsuspecting victims.

Fraudsters only need two pieces of information to pull off ACH fraud: a checking account number and a bank routing number. They typically obtain the information with a targeted phishing email that tricks the victim into running malicious software, which then allows criminals to install keylogging software and steal bank account passwords.

To reduce the risk of this type of attack, we recommend using a bootable, secure “Trusted Client” on an encrypted USB stick from Becrypt.

American Airlines hard drive stolen

SC Magazine is reporting that a hard drive containing the personal information of 79,000 current and former American Airlines employees was stolen. Not to worry, though: the disk was encrypted. What? It wasn’t? Apparently not. “The affected individuals have been notified and offered one year of free credit monitoring services.”

My recommendation: don’t wait for a notification; spend the $100 per year yourself on credit monitoring.

Six database breaches during H1/2010 point to needed controls

Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from a lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented it, or at least detected it more quickly:

  1. Arkansas National Guard – personal information of 32,000 current and former Guardsmen was removed on an external disk drive that was subsequently lost.
    • Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
  2. University of Louisville – database of dialysis patients exposed because the web application lacked password protection.
    • CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
    • CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
  3. WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
    • CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
    • CC#7 – Application Software Security, Subcontrol #2 – Automated code analysis
    • CC#7 – Application Software Security, Subcontrol #3 – Automated remote web vulnerability scanner
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  4. Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  5. Florida International University – sensitive records of 20,000 students and faculty exposed on an unauthorized database in an insecure computing environment.
    • CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
    • CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
    • CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
  6. Lincoln National Corp. – 1.2 million customers’ portfolios exposed due to lax password management and frequent credential sharing. Some passwords had not been changed in seven years!
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30-, 60-, or 90-day intervals.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication
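Several of the controls above come down to the same detection idea: watch what accounts actually do against the database and alert, with the who, what and when, on bulk record copying (breach 1), on reads of restricted tables that a user's role does not permit (breach 4), on anomalous queries generally (breaches 3 and 5), and on one login being used from many machines, the credential-sharing pattern in breach 6. The script below is an added example, not Cymbel's, SANS's or any vendor's product code; the audit-log line format, the thresholds, the role table and the log lines themselves are constructed for the demo.

```python
"""Toy database activity monitor (added example; format, roles and data are assumed).

Reads audit lines of the constructed form
    <ISO timestamp> user=<name> host=<ip> table=<table> rows=<n> sql=<statement>
and raises who/what/when alerts for bulk extraction, access-policy violations
and credential sharing.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

BULK_ROW_THRESHOLD = 1000   # assumed: tune to the normal per-query row profile
MAX_HOSTS_PER_USER = 2      # assumed: more distinct hosts than this suggests a shared login

# Assumed granular access policy: restricted table -> roles allowed to read it.
RESTRICTED_TABLES = {"patients": {"clinical", "reporting"}, "employees": {"hr"}}
# Assumed directory of accounts and their roles.
USER_ROLES = {"alice": "clinical", "bob": "hr", "carol": "helpdesk", "svc_report": "reporting"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    table: str
    rows: int
    sql: str


@dataclass(frozen=True)
class Alert:
    kind: str   # bulk_extraction | policy_violation | credential_sharing
    who: str    # account that issued the query
    what: str   # table, row count and statement
    when: str   # ISO timestamp of the query


def parse_line(line: str) -> Event | None:
    """Parse one audit line; malformed lines yield None and are skipped, not trusted."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return Event(ts, m["user"], m["host"], m["table"], int(m["rows"]), m["sql"])


def analyze(lines) -> list[Alert]:
    """Run the three detections over the log lines in order and return the alerts."""
    alerts: list[Alert] = []
    hosts_by_user: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        when = ev.ts.isoformat()
        role = USER_ROLES.get(ev.user, "unknown")

        # Bulk copying: a single query returning an unusually large result set.
        if ev.rows > BULK_ROW_THRESHOLD:
            alerts.append(Alert("bulk_extraction", ev.user,
                                f"{ev.rows} rows from {ev.table}: {ev.sql}", when))

        # Granular access policy: restricted tables are readable only by listed roles.
        allowed = RESTRICTED_TABLES.get(ev.table)
        if allowed is not None and role not in allowed:
            alerts.append(Alert("policy_violation", ev.user,
                                f"read {ev.table} as role {role}: {ev.sql}", when))

        # Credential sharing indicator: the same account active from too many hosts.
        hosts = hosts_by_user[ev.user]
        hosts.add(ev.host)
        if len(hosts) == MAX_HOSTS_PER_USER + 1:   # alert once, when the limit is crossed
            alerts.append(Alert("credential_sharing", ev.user,
                                f"seen from {len(hosts)} hosts: {sorted(hosts)}", when))
    return alerts


# Constructed sample log for the demo (not real data).
SAMPLE_LOG = [
    "2010-06-01T09:00:12 user=alice host=10.0.1.5 table=patients rows=1 sql=SELECT * FROM patients WHERE id=4411",
    "2010-06-01T09:03:40 user=carol host=10.0.2.9 table=employees rows=1 sql=SELECT * FROM employees WHERE name='Smith'",
    "2010-06-01T09:10:05 user=svc_report host=10.0.3.1 table=patients rows=32000 sql=SELECT * FROM patients",
    "2010-06-01T09:15:00 user=bob host=10.0.2.10 table=employees rows=12 sql=SELECT id FROM employees WHERE dept='IT'",
    "2010-06-01T09:16:30 user=bob host=10.0.4.77 table=employees rows=3 sql=SELECT id FROM employees WHERE dept='HR'",
    "2010-06-01T09:18:02 user=bob host=10.0.5.2 table=employees rows=1 sql=SELECT * FROM employees WHERE id=7",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.kind}] who={a.who} when={a.when} what={a.what}")
```

Run as-is it reports three alerts from the sample: the helpdesk account reading the HR table, the reporting account pulling 32,000 patient rows in one query, and the `bob` login appearing from a third host. A real deployment would take the row counts and user roles from the database's own audit trail and directory rather than from constants, and the thresholds would be set from a baseline of normal activity; the point is that each alert already carries the who, what and when an investigator needs.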