South Carolina Shows How Not To Do Security

CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"

Identity Theft Monitoring Services

So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.

Re:Identity Theft Monitoring Services

[guruevi]

He was talking about the ID protection "services". All they do is "monitor" your credit report and then whenever there is something suspicious they try to upsell you their next tier.

amateurs

[ruir]

The point is exactly this, many organizations just keep their data in any convenient format, even it is excel spreadsheets. This are one of the things it is hard to understand, if you want work well done, you call a plumber, and electrician, and they have to be certified, and many years of experience, references, whatever more. And then when it comes to sensitive data that can mean to put people in peril of theft identity, people do it by themselves, or just hire a nobody to do it. ...

A General Rule

[mbone]

I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.

$800,000

[Patch86]

By a curious coincidence, $800,000 is exactly the same "cost of damages" that was levelled at Gary McKinnon for his amateurish computer escapades. ($800,000 being the "fix it" figure, not counting $13.5 million in other costs mentioned). So for Gary McKinnon, $800,000 in damages equals extradition and 60 years in prison. Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

Of course not. Punishment is reserved for shifting blame onto others, not for disciplining people who do things wrong.

Re:$800,000

[wonkey_monkey]

Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?

No, because gaining unauthorised access to a system and failing to do your job properly are two entirely different things.

The whole system is to blame.

[Waffle+Iron]

Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.

It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.

Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.

well IT needs a union / engineer like signoffs so

[Joe_Dragon]

well IT needs a union / engineer like signoffs so the IT works can't be pushed around by NON tech PHB's that may buy stuff on the golf course with no IT input or rank IT people my number of tickets and or call times. Even to the point saying we can't buy new software / hardware so find a work around to make X app work in the new OS / workflow even if it does have good security.

Re:What primary key for person?

[sribe]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

At least in the U.S., there is none. But pretending that the SSN is one does not make it so.

Re:don't secure it, take it away

[Bearhouse]

This is modded insightful? There are plenty of reasons why a Gov.employee should be able to access the internet from their work device(s). Would be better to say that 1. Such access should be better protected and, 2. internal systems should be isolated from anything that (inevitably) slipped through

This happens because of 'acceptable risk'

[onyxruby]

I have seen this kind of thing justified by upper management more times than I can count. The problem is that upper management literally does a Fight Club style calculation that says the costs of data breaches will be less than the costs of security. They /expect/ to have computers routinely hacked and owned by people with malicious intent.

Until the values assigned to the cost of data breaches go up or unless you have some kind of law (HIPAA, SOX etc) this kind of thing will only continue. Public notification laws are one the best things that can be done to prevent this. It's not that the IT pros don't know better, are unwilling to follow best practices or don't care. The problem is that the IT pros that secure these environments aren't allowed to do their job.

When upper management thinks that computer management and security have no value and that security breaches cost less than security this kind of thing is inevitable.

Re:Publish Social Security Numbers

[CodeBuster]

it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit.

The laws must be changed to say that a Social Security number, by itself, proves nothing. It should not prove that a debt exists or that any other legally binding agreement was entered into by anyone. As long as businesses can get away with using the SSN as both an identifier and an authentication, which is how this whole "identity theft" nonsense got started in the first place, they will continue to do so. Therefore, the only viable solution is to render the Social Security Number legally worthless as proof of anything. They ought to be just numbers, nothing more.

Re:What primary key for person?

[ShanghaiBill]

What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?

Easy answer: SSNs. There is nothing wrong with using SSNs for identification . The problem is that we pretend like they are some sort of secret, and use them as authentication . That is stupid and it should be illegal for an financial institution to use them that way. People should be free to hand out their SSN, or even paint it on their mailbox, without fear of any consequences. We should just assume they are public knowledge.

Re:well IT needs a union / engineer like signoffs

[Ambassador+Kosh]

I am not sure about the union part but it absolutely should have engineer type signoffs. Just like other things require a certified engineer to sign off on something (with legal consequences) but also prevents businesses from just going ahead and doing stuff anyways.

However to go along with this would be the required education and certification to actually do the work to make sure the signoff is correct. I doubt that many people actually understand the work you have to do to become a certified engineer.

At the very least you should have to pass a test like the FE exam and later the PE exam if you want that signoff capability for IT. You should have to take appropriate courses also. You would also have to get the laws changed so that operations required that signoff.

Re:well IT needs a union / engineer like signoffs

[Jawnn]

I'd love to spend my mod points on you, brother, but your sage words deserve more....

I am not sure about the union part but it absolutely should have engineer type signoffs.

Most engineers in charge of building things that can hurt people of those things fail are required to prove their expertise and conform to both a professional code of conduct and civil codes that define a framework within which the engineer's must be done. Information technology has no such thing, and as others have already observed, this allows bean-counters, PHB's, and frankly, IT "engineers" who lack the requisite expertise, to put systems in place that have nowhere near the proper level of security measures around those systems. We've seen a few attempts from various sectors (HIPAA, PCI, SOX) to force some standards and accountability on entities in those sectors, but it's a patchwork of bureaucratic noise that, most often, doesn't result in the desired level of security. The one partial exception is PCI. If you are a vendor large enough to fall into the "Level 1" category, your stuff must be reviewed regularly by a third party. That rule is enforced by the banks, whose money is at risk. They really don't give a rat's ass about card-holders.
And that is the problem. The SC Dept. of Revenue didn't have enough skin in the game to give a shit about, so they didn't. That needs to change. If you're going to build things that can hurt people when they fail, be those things skyscrapers, bridges, airplanes, or information security systems, you should have to prove that you know what you are doing and have your work reviewed by someone else who knows what they're doing.