Last week, the director of Utah's Department of Technology Services (DTS) resigned in the wake of a massive data breach that exposed the personal information of nearly 800,000 people to hackers believed to have been in Eastern Europe.
The breach did not happen due to sophisticated malware, however. Instead, a series of configuration mistakes during an upgrade left the server wide open to attackers, who downloaded data from the server March 30.
The incident serves as a reminder of just how costly configuration errors can be for organizations. In the case in Utah, interim DTS director Mark VanOrden told the Deseret News about a series of errors that had exposed the server as the state upgraded its Medicaid Management Information System. The server, he explained, was installed by an independent contractor and was not protected by a firewall during the upgrade. In addition, the server used factory-issued default passwords, which he said is not "routine."
"Two, three or four mistakes were made," VanOrden was quoted as saying. "Ninety-nine percent of the state's data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords."
Organizations seem to struggle with defining management security objectives such as the change control policy for high-value assets, actually implementing those objectives in practice, monitoring the environment for compliance, detecting deviations and responding effectively when something unusual occurs, said Scott Crawford, research director at Enterprise Management Associates.
"Lack of identifying high-value assets and prioritizing monitoring and control in those environments often contributes to exposures," he said. "Finer control over access privileges--implicated directly in the Utah case--is one example where such control can and should be scrutinized more carefully and more consistently enforced."
Poor controls over browsers are another example, he added, noting that many of today s browsers enable sandboxing, validate code and provide other techniques to limit exposures.
"Many organizations find it difficult to keep such issues current, particularly with large numbers of widely distributed endpoints," he said.
This article was originally published on 05-22-2012