It has recently come to light that a rather large data breach, involving the personally identifiable information (PII) of a million or so US citizens, including approximately 160,000 Social Security Numbers, was perpetrated against the Washington State court system.
Though the attack is believed to have exploited a vulnerability in Adobe’s ColdFusion application server, and it would be easy to continue to beat up Adobe about their seeming inability to develop secure code, what I find more damning is the amount of time that is believed to have passed between the initial attack and its discovery and remediation.
According to the information the Courts have released, they believe that two related breaches occurred “sometime after September,” and that they were not discovered until February and March, respectively. This is obviously speculation on my part, but the “sometime after September” suggests to me that what they mean is “we’re not really sure…probably around September.” That’s about 4-5 months between breach and discovery (with remediation ongoing, even now).
If you know me, you know that one of my favorite things to say regarding the mindset of so many in government and private industry is that compliance is NOT security…it’s a good step in the right direction, but it most certainly is not the be all and end all. That being said, one of the requirements of PCI DSS and a few other regulations our customers are subject to, is the regular (if not daily) review of logs…and it’s a darn good one.
Had the Courts been reviewing their logs, how much sooner may they have detected this attack? Soon enough to stop it before any data was actually compromised? Soon enough to see the signs of the reconnaissance performed prior to the attack? Unfortunately, we’ll never know now.
This isn’t going to solve everything, but regular log review will give you a much better fighting chance at discovering problems earlier, thus enabling you to remediate them before much more damage has been done. Log review isn’t sexy. Hell, it’s downright boring. It also isn’t easy. It takes a skilled analyst to be able to see relevant events and their correlation. To the untrained, it can be like trying to hear the baseball game broadcast on an AM station while barely in range…finding the value through the static.
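To make the “correlation” point concrete, here is a small added example (my own illustration, not code from the Courts, Adobe, or this post) of the kind of check a daily log review would run: it reads web-server access logs, groups events by source address, flags an address that hits several non-existent paths in quick succession (the static that reconnaissance leaves behind), and then records the first successful request from that same address after the burst, which is the event an analyst would pull next. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access log pattern (constructed sample below; not from any real system).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address probes five paths that do not exist, then gets a 200
# on a login page seconds later; a second address is ordinary browsing with a stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2012:02:11:01 +0000] "GET /index.cfm HTTP/1.1" 200 5123
203.0.113.7 - - [14/Sep/2012:02:11:02 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2012:02:11:02 +0000] "GET /console/ HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2012:02:11:03 +0000] "GET /manager/ HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2012:02:11:03 +0000] "GET /setup/ HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2012:02:11:04 +0000] "GET /backup/ HTTP/1.1" 404 210
203.0.113.7 - - [14/Sep/2012:02:11:09 +0000] "GET /admin/login.cfm HTTP/1.1" 200 1870
198.51.100.20 - - [14/Sep/2012:02:15:40 +0000] "GET /cases/search.cfm HTTP/1.1" 200 9911
198.51.100.20 - - [14/Sep/2012:02:15:41 +0000] "GET /favicon.ico HTTP/1.1" 404 210
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def review(log_text, window=timedelta(seconds=60), min_not_found=4):
    """Correlate events per source address and return a list of findings.

    A finding is raised when one address produces `min_not_found` or more 404s to
    distinct paths inside `window` (a scan-like burst). The finding also carries
    the first successful (2xx) request from that address after the burst ended,
    so the reviewer sees the probe and its possible follow-up together.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)

    findings = []
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        misses = [r for r in recs if r["status"] == 404]
        for i, start in enumerate(misses):
            in_window = [r for r in misses[i:] if r["ts"] - start["ts"] <= window]
            paths = {r["path"] for r in in_window}
            if len(paths) < min_not_found:
                continue
            burst_end = in_window[-1]["ts"]
            follow = next(
                (r for r in recs if r["ts"] > burst_end and 200 <= r["status"] < 300),
                None,
            )
            findings.append({
                "ip": ip,
                "first_seen": start["ts"].isoformat(),
                "not_found": len(paths),
                "followed_by": follow["path"] if follow else None,
            })
            break  # one finding per address is enough to put it on the analyst's list
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ip']}: {f['not_found']} distinct 404s from {f['first_seen']}, "
              f"then 2xx on {f['followed_by']}")
```

The thresholds here are deliberately naive; in practice they are tuned per application, and the input comes from a log collector or SIEM rather than a string literal. The point is that this correlation costs minutes to run against a day’s logs, against a dwell time measured in months when nobody is looking.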
According to the 2012 Verizon Data Breach Investigation Report, 92% of breaches are discovered by law enforcement, customers, auditors or other third parties – NOT the breached organization. If you don’t have the headcount and expertise to skillfully detect and respond 24×7, you need to consider extending your security team through outsourcing to an MSSP…perhaps, Dunbar Digital Armor?