Another entry in the “Preventable Breach” and “We could have prevented this” columns. This one appears to be all about change and configuration management, an area that clearly needs some work.
Brian Krebs reported last night that there has been a huge data leak at MBIA, the largest U.S. bond insurer. On Monday, Krebs notified MBIA Inc. that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines. That included a page listing administrative credentials that attackers could have used to reach data that wasn’t accessible via a simple Web search: https://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/
Let’s be honest, a misconfigured web server simply should not happen. This is what makes this a preventable breach. It is the same class of problem as connecting a test server with a default password to the internet, as happened at Healthcare.gov. IT organizations should have quality, change and configuration management controls in place that prevent this in the first place. And even if those controls fail, their information security teams should be testing systems and monitoring them continuously, because a set of check boxes on a change management form does not mean that all is well.
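What “testing of systems and continuous monitoring” can look like in practice for this class of problem is shown below. This is an added example, not code from the original post or from MBIA; it audits captured HTTP responses from your own web servers for the three symptoms in the Krebs report: directory listings, sensitive paths served to an unauthenticated client, and pages that contain credential-like strings. The path list, the regular expressions and the sample responses are all assumptions constructed for the example; the detection is heuristic and meant to run from a crawler or test harness on a schedule, not to replace access control.

```python
"""Offline audit of captured HTTP responses for web server misconfigurations:
directory listings, sensitive paths reachable without authentication, and
credential-like strings in page bodies.

Added example, not code from the original post or from MBIA. The sensitive
path list, the regexes and the SAMPLE responses are assumptions."""
import re
from dataclasses import dataclass

# Paths an unauthenticated crawler should never receive a 200 for (assumed list;
# populate it from your own application inventory).
SENSITIVE_PATHS = ("/admin", "/backup", "/config", "/.git/HEAD", "/reports")

# Default Apache/nginx autoindex pages carry this title (assumed heuristic).
DIR_LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
# key=value or key: value lines that look like a stored credential (assumed heuristic).
CREDENTIAL_RE = re.compile(r"(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str  # "high" or "medium"
    message: str


def _header(headers: dict, name: str) -> str:
    # HTTP header names are case-insensitive, so compare them lowercased.
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def audit_response(path: str, status: int, headers: dict, body: str) -> list:
    """Return the findings for one captured response."""
    findings = []
    if status != 200:
        # 401/403/404 on a sensitive path is the expected, healthy state.
        return findings
    if DIR_LISTING_RE.search(body):
        findings.append(Finding(path, "high", "directory listing enabled"))
    if CREDENTIAL_RE.search(body):
        findings.append(Finding(path, "high", "credential-like string in response body"))
    if any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS):
        findings.append(Finding(path, "high", "sensitive path served without authentication"))
        # noindex is not a control and would not have protected the data, but its
        # absence means search engines will copy whatever is exposed.
        if "noindex" not in _header(headers, "X-Robots-Tag").lower():
            findings.append(Finding(path, "medium", "no X-Robots-Tag: noindex; content is indexable"))
    return findings


def audit_site(responses: dict) -> list:
    """responses: {path: (status, headers, body)} as captured by a crawler or test harness."""
    out = []
    for path, (status, headers, body) in responses.items():
        out.extend(audit_response(path, status, headers, body))
    return out


# Constructed sample responses (not real data): two misconfigured paths, two correct ones.
SAMPLE = {
    "/": (200, {"Content-Type": "text/html"}, "<html><title>Home</title></html>"),
    "/reports/": (200, {"Content-Type": "text/html"},
                  "<html><title>Index of /reports</title><a href='../'>Parent Directory</a>"
                  "<a href='accounts.csv'>accounts.csv</a></html>"),
    "/admin/settings.txt": (200, {"Content-Type": "text/plain"},
                            "db_user=admin\npassword=changeme\n"),
    "/backup": (403, {"Content-Type": "text/html"}, "Forbidden"),
    "/admin": (401, {"WWW-Authenticate": "Basic realm=admin"}, ""),
}

if __name__ == "__main__":
    for f in audit_site(SAMPLE):
        print(f"{f.severity.upper():6} {f.path}: {f.message}")
```

Run against the constructed sample, the script flags the open directory listing under /reports/ and the plaintext credentials under /admin/, while the 401 and 403 responses produce nothing. The point is the cadence, not the cleverness of the regexes: this kind of check belongs in a pipeline that runs after every deployment and on a timer, so a change that slips past the change management form still gets caught.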
This sort of thing happens much too often, but that doesn’t make it okay or acceptable. It is akin to leaving your car unlocked with the keys in the ignition. The person who steals the car is definitely the criminal, but you didn’t do the most elementary things to keep your car from being stolen. Preventable, to say the least.
What can Information Security teams do to tackle the “Preventable Breach” category more effectively? They need to improve the maturity of their own program. This has two significant outcomes.
First, by doing so successfully, they will monitor better for issues like this. Not only that, but improved maturity means that issues like this can be framed as Key Risk Indicators for the organization. A KRI tells the organization that there is a significant potential for impact to, or disruption of, important operational or strategic areas of its business. This is where security teams can really contribute value to their business. In this case, the security team may well have known that the IT team wasn’t always great at change and configuration management. That knowledge can be used to alert the business that key eCommerce systems may be at risk of failure or breach, impacting the ability to conduct business on the web.
Second, a security team that successfully improves its maturity creates a forcing function on other teams. If the security team begins reporting IT issues as KRIs to business leaders, the IT organization will have to do something about them, and improving its own maturity should be part of that solution. Security can become a leader as the organization as a whole matures around Information Technology and Security. That’s a good thing.
My Threat and Vulnerability Management Maturity Model is something that all security programs needing improvement should consider adopting as part of their approach to eliminating “Preventable Breaches”.