On Nov. 18, 2016, Michigan State University (MSU) reported that a database – which contained approximately 400,000 records including names, social security numbers and MSU identification numbers of current and former students and employees – had been accessed by an unauthorized party, resulting in a data breach.
The university acknowledged that “449 records were confirmed to be accessed by the unauthorized party, and that the affected database was taken offline within 24 hours of the unauthorized access”.
According to securityaffairs.co, this is the second time MSU has been breached this year. The first was in October, when an attacker scanning websites found an SQL injection vulnerability and used it to extract user data, including “user”, names, logins, phone numbers, emails and encrypted passwords. As proof of the hack, the attacker published the records on a text sharing site. Confirmed breaches also occurred in 2012 and 2013.
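The October incident is described only as “an SQL injection vulnerability used to extract user data”. The following is an added illustration, not code from the page or from MSU's systems, of how such extraction works and how it is prevented. It uses an in-memory SQLite table with constructed sample rows (the table layout, the column names and the `INJECTION_*` payloads are all assumptions for the example): the vulnerable lookup splices the login value into the SQL text, so a crafted value turns a single-user lookup into a dump of every row, or a dump of the schema via UNION; the safe lookup binds the value as a parameter and returns nothing for the same payloads.

```python
import sqlite3

# Constructed sample rows (not real data): login, email, phone, password hash.
SAMPLE_USERS = [
    (1, "alice", "alice@example.edu", "555-0100", "$2b$12$hash-for-alice"),
    (2, "bob", "bob@example.edu", "555-0101", "$2b$12$hash-for-bob"),
    (3, "carol", "carol@example.edu", "555-0102", "$2b$12$hash-for-carol"),
]

# Assumed payloads, as an attacker probing a login lookup might send them.
INJECTION_ALL_ROWS = "x' OR '1'='1"
INJECTION_SCHEMA = "x' UNION SELECT name, sql, '', '' FROM sqlite_master--"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, login TEXT, email TEXT, "
        "phone TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, login):
    """Vulnerable: the untrusted value becomes part of the SQL statement.

    With login = "x' OR '1'='1" the statement becomes
        ... WHERE login = 'x' OR '1'='1'
    which matches every row; the UNION payload appends sqlite_master rows
    (table names and CREATE statements) to the result instead.
    """
    sql = (
        "SELECT login, email, phone, password_hash FROM users "
        f"WHERE login = '{login}'"
    )
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, login):
    """Hardened: the value is bound as a parameter and never parsed as SQL.

    The same payloads are compared literally against the login column, so
    they match nothing.
    """
    sql = "SELECT login, email, phone, password_hash FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal:", lookup_user_vulnerable(db, "alice"))
    print("vulnerable, dump rows:", lookup_user_vulnerable(db, INJECTION_ALL_ROWS))
    print("vulnerable, dump schema:", lookup_user_vulnerable(db, INJECTION_SCHEMA))
    print("safe, normal:", lookup_user_safe(db, "alice"))
    print("safe, payload:", lookup_user_safe(db, INJECTION_ALL_ROWS))
```

The point of the hardened version is not input filtering but separation of code from data: the driver sends the statement and the bound value separately, so no value can change the statement's structure. This is also why SQL injection is a “known vulnerability” in the sense used later on this page: the fix has been standard for years, and scanners find the vulnerable form easily.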
MSU is providing credit monitoring and ID theft services not only to those whose personal information was confirmed to be accessed, but to all individuals that may have been impacted by the breach.
What’s positive about it?
As organizations are increasingly required to report security incidents and breaches, awareness rises. Organizations of all sizes and in all industries are being breached, and it is important that business leaders see that data breaches are a real threat to their own organizations too.
Data privacy legislation is also imposing strict rules on how organizations must inform and support the victims of a data leak, to mitigate the harm from misuse of the leaked data. This means that the costs associated with incidents and breaches are becoming more visible to organizations and business leaders.
What’s not so positive about it?
News of breaches makes headlines and creates awareness, but is also easily forgotten. It is a simple equation: a known brand associated with a data breach = NEWS! But we still do not see many organizations publicly accounting for the sequence of events that led to a reported data breach, and that means it is still difficult for business leaders to understand the full scope of a strategy to protect systems and data.
If we look at the well documented investigation into a breach that occurred in the US Department of Energy in 2012, we can see that a complex sequence of events involving multiple business areas within the department and multiple systems created the conditions for a large data breach. The disclosure of the investigation portrays what is a very common finding in other breach investigations: hackers enter systems and escalate privileges most commonly by fooling users and by exploiting known vulnerabilities, which are plentiful in organizations of all sizes and across industries.
Paying attention to the findings of breach investigations makes one thing clear: secure systems and data depend on a multi-layered approach to security, and security teams cannot identify and stop breaches when there are too many holes to watch. It is like expecting guards to stop prisoners escaping from a prison with no locked cells, no barriers and no gates.
Many organizations are investing big bucks in “security” technologies while neglecting the basic processes – especially those not directly associated with security – that strengthen systems, protect data and ultimately leave less “noise” in which a breach has to be identified and stopped.
Patch management is a case in point. Most people in IT know that patches can be critical for security. Yet organizations still patch when it is convenient rather than prioritizing security patches by the risk they address.
Until business leaders rally their organizations around building a strong and resilient business, where security is a consideration for every division and is treated as a measure of success, the big headlines on breaches will continue to be what they are today: yet another data breach, yet another story to forget!