The Macrosite for News, Analysis and Opinion about the Future of the Internet
Kim Davis

South Carolina's IT Security Failure Teaches Valuable Lessons

Written by Kim Davis
11/21/2012 21 comments
no ratings
1 saves
DISCUSS     Email This

Governor Nikki R. Haley of South Carolina has been uncommonly honest about the reasons for the recent Department of Revenue hacking incident, which resulted in the theft of almost 400,000 credit card records, and 10 times as many Social Security numbers.

"Could South Carolina have done a better job? Absolutely. We did not do enough," Haley said.

It would be refreshing to hear, just occasionally, similar frankness from enterprises that suffer security breaches and data losses. Specifically, South Carolina's cybersecurity failures included:

  • Insufficient levels of password security, and
  • Not encrypting Social Security numbers.

One might add inadequate training. The hackers gained access through straightforward spear phishing methods, getting state employees to click on malicious links in emails, which in turn permitted programs to access their accounts and steal their login details.

As a detailed audit by the security vendor Mandiant makes clear, the hackers used valid credentials to access a user account, credentials effectively handed over when the user clicked on the malicious email link. Once inside the account, the hackers leveraged the user's access rights to gain access to sensitive files.

Jim Etter, director of the Department of Revenue, has been asked to resign.

The apparent ability to re-set access rights from within an individual account, with no third-party supervision, is clearly questionable. The apparent readiness to click on links in suspect emails is predictable, but dismaying. The failure to encrypt sensitive data is culpable.

There are three lessons to be learned from the South Carolina experience. The first is that perfunctory security just isn't enough, especially for any enterprise or other organization that maintains databases of valuable personal information. Encryption isn't just optional, single passwords are often not enough, and training in security awareness should be mandatory. That's the first lesson, and it should be obvious.

The second lesson is that being open about what happened -- in the case of South Carolina, commissioning and then publishing a third-party audit -- can actually restore confidence rather than undermine it; as long, of course, as action is taken to remedy the flaws.

The final lesson is a painful one, and it's accountability. It seems unlikely that the director of the Department of Revenue had direct operational responsibility for cybersecurity, but he had a responsibility to see that the job was done, and done properly.

Executives need to understand that cybersecurity is no longer just something peripheral to the IT manager's agenda. In this data-driven age, it's crucial.

Related posts:

— Kim Davis Follow me on TwitterVisit my LinkedIn pageFriend me on Facebook, Community Editor, Internet Evolution
DISCUSS     Email This
Current display:       newest comments first       display in chronological order
Page 1 of 3   Next >
Kurtkeys
IQ Crew
Monday December 17, 2012 4:06:19 PM
no ratings

I understand the concept of all individuals responsible. But in this case where the man in charge of training was negligent in his responsibilities and duties all that lower individuals would need to do is denied ever having been  taught  the proper procedures needed for protecting their systems and since the company punished the director it would build their self-defense case.

Respectfully,

Kurt

sarahp
IQ Crew
Friday November 30, 2012 11:56:17 PM
no ratings

I live next to South Carolina and I am shocked by how they allowed this to happen. I shudder to think about all of those poor people who were put in harms way because of this mess. I have no idea on why they did not practice safety first, but I am hoping that those who were responsiblefor this mess will pay the price for this all around nightmare.As for the moral of all of this, encryption is key here for everyone who deals with highly dangerous material or personal data

nimantha.de
IQ Crew
Friday November 30, 2012 3:49:15 AM
no ratings

Good lesson yes but how many will remember it in the long run ? That is the important part.

mtechie
IQ Crew
Tuesday November 27, 2012 8:53:34 AM
no ratings
@WaqasAltaf Thanks. I wasn't quite sure what you were referring to in your earlier comment. This clears it right up!
WaqasAltaf
IQ Crew
Monday November 26, 2012 1:17:18 PM
no ratings

@ mtechie

Oh yes. In case of South Carolina's breach, if the employees are being held accountable for clicking on doubtful mails, then I guess it is unfair to them. It is the IT department whose task was it to block such mails on the server. This is how such a big number can be responsible for the act. Instead the investigators should find out few who were responsible for overall security and oversight.

mtechie
IQ Crew
Sunday November 25, 2012 11:45:16 PM
no ratings
Interesting. You think those affected most can avoid punishment because there were too many of them on the wrong side of compliance?
WaqasAltaf
IQ Crew
Sunday November 25, 2012 11:24:58 PM
no ratings
@ mtechie Definitely. But the number of non-compliers will be so big that not everyone can be fired. The jobs of management level employees may however be reconsidered.
WaqasAltaf
IQ Crew
Sunday November 25, 2012 11:19:30 PM
no ratings
Acceptance of the failure and discussing it out in the open needs to be appreciated for two reasons. One is that merely a press release by any executive of revenue department would have been sufficient. Announcement by governor tells that he realizes the critical nature of information involved and how important data security is. The other reason is that his announcement will help other states and countries realize that we all are lagging behind and it can happen to any of us.
mtechie
IQ Crew
Sunday November 25, 2012 9:24:30 PM
no ratings
Might individual employees still be held accountable?
DavidSilversmith
Thinkernetter
Sunday November 25, 2012 7:32:57 PM
no ratings

I'm torn here.

Kudos for the leader for taking the heat.  But, at the same time, so long as individual employees are not held accountable - what will happen to change their work patterns.

In general (or certainly a much higher rate than online) people have excellent personal security procedures for their wallet and their house and car keys - but they take little care of their account names and passwords.  

Most folks use offline security practices even though they now live in an online world.

 

Page 1 of 3   Next >
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
previous posts from Security Clan Editor's Blog
Kim Davis
Kim Davis   6/18/2013   7 comments
Last week we saw that whistlebower Edward Snowden's claims about a so-called Prism program looked full of holes.
Kim Davis
Kim Davis   6/11/2013   32 comments
Edward Snowden was so convinced that the Prism program involved secretive surveillance through Internet backdoors that he walked out on his job and his girlfriend, spoke to the media, and resigned himself to jail, or worse. It turns out, he might just be wrong.
Kim Davis
Kim Davis   6/5/2013   29 comments
In one of the nastiest -- not to mention large scale and long-term -- hacking exploits yet to be reported, it appears that the Chinese army has been rummaging through the data of those who have served in the US Armed Forces.
Kim Davis
Kim Davis   5/29/2013   17 comments
ASA Risk Consultants added its voice this week to the slowly growing chorus of voices demanding a coordinated international response to cyberattacks. In a research note circulated by IDG, ASA asserts that "nations will need to come to an agreement on how cyber warfare should be handled."
Kim Davis
Kim Davis   5/21/2013   21 comments
Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
5
of
Mary E. Shacklett
Financial Services Policies Lag Tech Advances
12|4|12   |   2:18   |   6 comments

Regulations haven't kept up with advances in mobile devices and credit cards.
Wisdom of the Big Chair
FBI Turns Attention to Mobile Security
10|30|12   |   3:45   |   8 comments

The FBI recently issued a warning to smartphone users, highlighting two mobile malware applications: Loozfan, which steals personal information, and FinFisher, which is spyware that takes over a smartphone's functions.
Mary E. Shacklett
Law Will Define Next-Gen Privacy
4|25|12   |   1:48   |   7 comments

The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
Beau Brendler
Terrorism Expert Says US Gave Away Stuxnet Tech
4|4|12   |   3:29   |   9 comments

US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
Wisdom of the Big Chair
Tax Help Is a Video Conference Away
3|20|12   |   1:48   |   2 comments

Confused about long forms and short forms? Well, this year, face-to-face help may be only a few clicks away. The IRS, as well as tax preparation agencies like TurboTax, have introduced new video conferencing services, designed to make it easier for individuals to get the help they need.
Ann Cavoukian
The Need for Biometric Encryption
11|10|11   |   3:25   |   10 comments

Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
Ann Cavoukian
Privacy Is Everyone's Responsibility
11|1|11   |   4:01   |   17 comments

Ontario's privacy commissioner offers advice to businesses and users for protecting privacy online.
Richard Stiennon
We Need Threat-Based Security Strategies
2|17|11   |   1:58   |   1 comment

It's time to dump risk-based security strategies and focus on threat-based strategies. US government, take heed!
Robert D. Atkinson
Looking for Jobs? Look to IT
4|26|10   |   1:57   |   4 comments

With unemployment close to 10 percent, the mantra in Washington is jobs, jobs, jobs! Unfortunately many policymakers overlook the key role information technology has played, and will likely play, in job creation.
Kim Davis
Big-Data Can’t Always Sell Wine
5|21|13   |   2:23   |   10 comments

Whole Foods Global Wine Purchaser Doug Bell told me about some of the constraints on using analytics in the US wine market.
IETV: the thinkerNet on film
5
of
John Kennedy
How Big-Data Is Changing Marketing
6|13|13   |   1:07   |   1 comment

Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
Kim Davis
Big-Data Can’t Always Sell Wine
5|21|13   |   2:23   |   10 comments

Whole Foods Global Wine Purchaser Doug Bell told me about some of the constraints on using analytics in the US wine market.
Paul J. Fleuranges
Digital Signage Keeps NYC Subway Straphangers on Track
5|6|13   |   3:51   |   1 comment

New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
Kim Davis
Fast Forward to the Future
4|23|13   |   2:29   |   20 comments

A look back at tech writing in the 90s makes us wonder where enterprise IT will be 20 years from now.
Mitch Wagner
Google Launches Its Most Depressing Service Yet
4|15|13   |   2:59   |   10 comments

Google's new Inactive Account Manager lets you control how Google disposes of your accounts when you die.
Second Shooter
Argument Over Top-Level Domains Is 'Stupid'
4|11|13   |   2:07   |   3 comments

The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
Kim Davis
Ladies, Your Tablet Awaits
3|21|13   |   2:22   |   37 comments

ePad Femme is the world’s first tablet “made exclusively for women.”
Wisdom of the Big Chair
NFC Moves Into the Mainstream
3|20|13   |   2:16   |   No comments

While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Wisdom of the Big Chair
Integrating Security Into Your Cloud Contract
3|19|13   |   3:35   |   No comments

Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Brian Baron
How Edmunds.com Collects Customer Information
3|18|13   |   1:15   |   No comments

Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
2pm EDT
Fri
Jun 21st
an IBM information resource
sponsored content
big blue blog
Todd Watson
Todd Watson   6/18/2013   Post a comment
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
an IBM information resource
sponsored content
Expert Integrated Systems: Changing the Experience & Economics of IT
In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator.
READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE!
REGISTER HERE
Wanted! Site Moderators
Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?

Please email: moderators@internetevolution.com
Internet Evolution – not for thickies
Taking a Dim View of Home Energy Management Tech
Mary E. Shacklett
Energy consumption is a primary contributor to global warming. At the end of 2012, 40 percent of energy consumption in the US came from commercial and residential buildings.
CLICK FOR MORE
Checklist for a Watertight Cloud Computing Contract
Charlotte Erdmann
Midsize businesses rarely achieve the same standards of security in their own datacenters as professional providers that specialize in delivering these services to organizations.
CLICK FOR MORE
Checklist for a Watertight Cloud Computing Contract
Charlotte Erdmann
Midsize businesses rarely achieve the same standards of security in their own datacenters as professional providers that specialize in delivering these services to organizations.
CLICK FOR MORE
IT's Time for PaaS Is Here
Jeff Kaplan
It was about 10 years ago when a new generation of software-as-a-service (SaaS) alternatives started to gain acceptance and adoption among organizations of all sizes. And it has only been about five years since Amazon Web Services captured the marketplace's attention with Amazon EC2 and Amazon S3, which opened the door to a vast array of infrastructure-as-a-service (IaaS) offerings. Now, the third piece of the cloud computing puzzle is beginning to win over organizations seeking to build their own apps: platform-as-a-service (PaaS).
CLICK FOR MORE
Checklist for a Watertight Cloud Computing Contract
Charlotte Erdmann
Midsize businesses rarely achieve the same standards of security in their own datacenters as professional providers that specialize in delivering these services to organizations.
CLICK FOR MORE
Checklist for a Watertight Cloud Computing Contract
Charlotte Erdmann
Midsize businesses rarely achieve the same standards of security in their own datacenters as professional providers that specialize in delivering these services to organizations.
CLICK FOR MORE
Amazon Revolutionizes Book Publishing
Mansur Hasib
The publishing world has long been controlled by powerful companies with high costs, barriers to access, restrictions on distribution, one-sided copyright ownership contracts, and lengthy delays in getting critical information and knowledge out to a broad audience. In this world it often seemed all but the most famous of authors controlled little while publishers controlled everything. In the academic community, the sad result has been an excessive price increase in the cost of textbooks. Technology is finally empowering authors.
CLICK FOR MORE