Governor Nikki R. Haley of South Carolina has been uncommonly honest about the reasons for the recent Department of Revenue hacking incident, which resulted in the theft of almost 400,000 credit card records, and 10 times as many Social Security numbers.
"Could South Carolina have done a better job? Absolutely. We did not do enough," Haley said.
It would be refreshing to hear, just occasionally, similar frankness from enterprises that suffer security breaches and data losses. Specifically, South Carolina's cybersecurity failures included:
Insufficient levels of password security, and
Not encrypting Social Security numbers.
One might add inadequate training. The hackers gained access through straightforward spear phishing methods, getting state employees to click on malicious links in emails, which in turn permitted programs to access their accounts and steal their login details.
As a detailed audit by the security vendor Mandiant makes clear, the hackers used valid credentials to access a user account, credentials effectively handed over when the user clicked on the malicious email link. Once inside the account, the hackers leveraged the user's access rights to gain access to sensitive files.
Jim Etter, director of the Department of Revenue, has been asked to resign.
The apparent ability to re-set access rights from within an individual account, with no third-party supervision, is clearly questionable. The apparent readiness to click on links in suspect emails is predictable, but dismaying. The failure to encrypt sensitive data is culpable.
There are three lessons to be learned from the South Carolina experience. The first is that perfunctory security just isn't enough, especially for any enterprise or other organization that maintains databases of valuable personal information. Encryption isn't just optional, single passwords are often not enough, and training in security awareness should be mandatory. That's the first lesson, and it should be obvious.
The second lesson is that being open about what happened -- in the case of South Carolina, commissioning and then publishing a third-party audit -- can actually restore confidence rather than undermine it; as long, of course, as action is taken to remedy the flaws.
The final lesson is a painful one, and it's accountability. It seems unlikely that the director of the Department of Revenue had direct operational responsibility for cybersecurity, but he had a responsibility to see that the job was done, and done properly.
Executives need to understand that cybersecurity is no longer just something peripheral to the IT manager's agenda. In this data-driven age, it's crucial.
It is refreshing to see officials admit error and take responsibilty for errors and omissions. I wonder how the department heads will be affected and how many scape goats will be found to place blame upon in the situation.
How often do the officials admit their mistakes in the States, I am wondering, because in Russia, they never do this.They are extremly talented in fiding a guilty one.
indeed by accepting your mistakes and accepting your own flaws you make it easier for yourself and your organization to earn back its lost reputation. The resignation of the Director, i hope, will result in some positive changes for the South Carolina's IT Security. They should recover from their flaws and do changes in their systems as soon as possible by increasing the security and hiring more IT professionals who are working in advance security ideas to keep their data secure.
And how interesting is it that every post so far reacts positively to the Gov rather than going down the all too familiar path of Deny Deny At All Costs instead takes to the great state of SC will eat humble pie with some crow thrown in for good measure.
You would think that the main thrust of Kim's blog was the Governor's reaction to the security breach. And I thought political posturing ended a couple of wks ago.
Do you seriously think this will teach lessons for users related to security issues ? I do not think so since if they were to learn there were so many big incidents than this in the past but still the valunerability towards security and personal data is rising daily.
Make no mistake about it: the Director was the scapegoat. Everybody else gets to keep their jobs, and he's out on the street, and with that well-publicized failure tied to his name to boot. They should have cleaned house while they were at it, and assured that those who failed to encrypt, those who allowed single-party changes to access levels, and those who allowed inadequate training to continue were all removed (and preferably nailed to the barn door as a warning to others). Falling on your sword is very noble, but not exactly fair. Let's ignore the bowing and scraping, and concentrate on what's being done to fix the barn door, now that the horse has gotten out.
"Encryption isn't just optional, single passwords are often not enough, and training in security awareness should be mandatory. That's the first lesson, and it should be obvious."
I agree it should be,but are you sure we will be secure enough then? I don't think so!
Just as we have find its solution and have started encrypting our sensitive data to avoid uneasiness, in the same way Hackers will soon find its way out too,thus if we really want to be protected we must have to keep pace with the hackers' growing abilities.
I agree with this statement. It's great to see a leader take responsibility for this, although I have a hard time believing that it was really his fault. Sure, he was the person who was in charge of things, but how much do you think that this guy actually knows about IT security? It's not his expertise. The problem here is that the person whose job it was to take care of things like this obviously dropped the ball big time. Time to clear house.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Edward Snowden was so convinced that the Prism program involved secretive surveillance through Internet backdoors that he walked out on his job and his girlfriend, spoke to the media, and resigned himself to jail, or worse. It turns out, he might just be wrong.
In one of the nastiest -- not to mention large scale and long-term -- hacking exploits yet to be reported, it appears that the Chinese army has been rummaging through the data of those who have served in the US Armed Forces.
ASA Risk Consultants added its voice this week to the slowly growing chorus of voices demanding a coordinated international response to cyberattacks. In a research note circulated by IDG, ASA asserts that "nations will need to come to an agreement on how cyber warfare should be handled."
Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
The FBI recently issued a warning to smartphone users, highlighting two mobile malware applications: Loozfan, which steals personal information, and FinFisher, which is spyware that takes over a smartphone's functions.
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
Confused about long forms and short forms? Well, this year, face-to-face help may be only a few clicks away. The IRS, as well as tax preparation agencies like TurboTax, have introduced new video conferencing services, designed to make it easier for individuals to get the help they need.
Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
With unemployment close to 10 percent, the mantra in Washington is jobs, jobs, jobs! Unfortunately many policymakers overlook the key role information technology has played, and will likely play, in job creation.
Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
