In most cases, better security posture is all about getting a few basics right. And this recent incident related to the breach of a Healthcare.gov server may be further proof of that.
Based on this article from csoonline, it appears the problem may have been that the “development server was poorly configured and used default credentials”.
At the same time, the article says that “the website undergoes quarterly security audits, as well as daily security scans and hacking exercises”. I am guessing then that the development server wasn’t included in the “hacking exercises” which I am assuming are penetration tests performed the way they should be.
Many times, you might be ok not to have your development environment undergo a full pen test especially when you are sure that you have the security basics right, like not using the default credentials and configuration in this case. However, when you are as “prominent” as Healthcare.gov is for a number of reasons we all know, the elevated risk profile should require that we perform the necessary due diligence at least once upon installation or major change.
Again, we don’t know all the details but based on what is being reported, this incident adds to the proof that better security is mostly about basics. However, as we know from experience, basics don’t always mean easy because there is this thing called execution which many organizations are not effective at. As they say, talk is cheap.
Just to be sure, we are not necessarily referring to the need for money or funding (though that may be a problem for some organizations). Healthcare.gov is again a good example in this context because I doubt they have any problem with funding for security. Considering the hiccups they had during the initial months of their launch, I suspect they don’t want to be in the news for anything except to announce good enrollment numbers, let alone a security breach.
Executing the basics in security takes a high standard of professional due diligence by the individuals or teams involved in planning and running the security program. Implementing sophisticated technologies or hiring expensive consultants is not going to be very useful if the foundational aspects are not effective.
Image courtesy : lovethispic.com
- I used healthcare.gov as an example since the incident was in the news this week. I think they are also a good example to illustrate the fact that the best of funding, technologies or consulting resources can still not assure that you will not have a security breach.
- Regardless of the breach (which appears not to have been damaging since no personal information was taken), one must note the fact that they probably did a good job in noticing anomalies on a development server. Considering that many organizations can’t detect breaches in time or at all even in their production environments (see our posts here and here), one might think that the healthcare.gov team has probably done a better job. We’ll probably learn more details in the coming days but it appears the circumstances and the consequences weren’t too bad.