Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented or at least detected the breach more quickly:
- Arkansas National Guard – 32,000 current and former Guardsmen personal information removed on an external disk drive and subsequently lost.
- Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
- CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
- University of Louisville – database of dialysis patients exposed due to lack of password protection of the web application.
- CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
- CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
- WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
- CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
- CC#7 – Application Software Security, Subcontrol #2 – Automated code analysis
- CC#7 – Application Software Security, Subcontrol #3 – Automated remote web vulnerability scanner
- CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
- Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
- CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
- CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
- Florida International University – 20,000 students and faculty sensitive records exposed on an unauthorized database in an insecure computing environment.
- CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
- CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
- CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
- Lincoln National Corp.– 1.2 million customers’ portfolios exposed due to lax password management and frequent credentials sharing. Some passwords had not changed in seven years!
- CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30, 60, 90 day intervals.
- CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
- CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
- CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication