Worry About IT Personnel First, Then Worry About Hackers
In late 2014, the Municipal Bond Insurance Association experienced a breach in security when a large amount of customer data was found through a Google search. The UCLA Health System had a similar issue which involved patient communication records. The Pentagon Defense Information Systems Agency had a database with contractor data which was exposed.
The Texas State Department had the personal information of children in Family and Protective Services exposed. The State Court system of Kansas had a data leak which included Social Security numbers and driver’s license information of employees, plaintiffs, and defendants.
See the pattern yet? Let’s add one more piece to the puzzle: they all use a database system made by Oracle. Oracle, in 2012, found a security flaw in their database software, and released a patch which fixed this issue relatively quickly. Now guess how many of the above-named entities actually installed that patch. If you said none, you are correct. All of the entities experienced the same issue, with the same symptoms, from the same cause. The cause: poor security plans which were either not executed or not maintained. Meaning, two years later, anyone with an internet connection and Google can find your sensitive data.
How did this happen? Oracle notified their customers of this issue (as they are supposed to) and gave them the solution. You would think it would be a relatively straightforward thing to fix. For the most part, yes it is simple to apply the patch and go along your merry way. However, it is possible for things to go awry when patches are installed. They may be minor glitches or they may be complete shutdowns of an application. It has happened before, but in recent years it has become far less common.
But IT professionals remember these situations. They remember the 20 hours of unpaid overtime they put in to repair a server that ceased to operate because of a software update. They remember the hundreds of calls they or their counterparts fielded when the critical system went down because of a bug. They remember being called into the CEO’s office and being grilled as to why things aren’t working the way they should be working.
Could you blame them for being hesitant to install updates which might create extra work for them? You could, but these people have a hard job, and not one that is truly understood. Does this excuse their actions? Absolutely not. In fact, it is very likely some of those responsible for these IT system breaches were fired, reprimanded, and/or sued. Not wanting to deal with the issue cost them way more than the ten minutes it would have taken to install the patch.
What’s the moral? Hackers are an issue; there is no doubt about it. But to prevent hackers, you have to stop focusing on external issues, and focus on internal. Reacting to a digital threat is not always a bad route to go and sometimes this is the best course of action. Being proactive could have prevented all those entities from losing data and trust from those they serve. While it is expensive, having an external auditing service come in and evaluate your company can save you millions in the event of a breach.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene of Evidence Solutions, Inc. has been helping companies meet the challenges of the swiftly evolving computer technology industry. Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as Internationally for consulting, Forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and International organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.