Lessons Learned from the Biggest Hack in SC State History
In late October 2012, South Carolina Governor Nikki Haley made a televised statement on the security breach of the state's revenue office, which exposed millions of taxpayers' Social Security numbers.
The news was picked up by newspapers and websites immediately, and the Charlotte Observer and CBS Atlanta have full coverage of the incident. Tech sites such as arstechnica.com zeroed in on the story too. Ars ran a short story on the incident, but I prefer the reader comments on the story.
First, your website is like a front door. It should be protected. If this website failed to use even simple input validation against SQL injection, it was a major oversight. If you don’t know what SQL injection is, you can watch the SQL Injection Explained video at the bottom of the article.
And to get really depressed about hacking, watch this Avi Rubin: All your devices can be hacked TED Talk. There is no excuse for allowing SQL injection on your website.
If you haven’t tested your own site for SQL injection, then after reading this article, go and do it. Within a day any good software tester should be able to run tests on your website using some basic tools or add-ons for Firefox and other browsers, like SQL Inject Me. There are plenty of other tools and explanations out there.
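To make the point concrete, here is an added example (not code from the original post) that shows the defect in its simplest form and the fix. A lookup that concatenates user input into the SQL string lets a crafted value change the query's meaning; the same lookup written with a parameterized query treats the input strictly as data, and a format check in front of it rejects anything that does not even look like an SSN. The table, column names and sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample table: a handful of made-up taxpayer records.
SAMPLE_ROWS = [
    ("111-11-1111", "Alice"),
    ("222-22-2222", "Bob"),
    ("333-33-3333", "Carol"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxpayers (id INTEGER PRIMARY KEY, ssn TEXT, name TEXT)")
    conn.executemany("INSERT INTO taxpayers (ssn, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ssn: str) -> list:
    """The anti-pattern: user input is pasted into the SQL text.

    A value such as "' OR '1'='1" turns the WHERE clause into one that is
    always true, so every row comes back instead of one.
    """
    query = "SELECT name FROM taxpayers WHERE ssn = '" + ssn + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, ssn: str) -> list:
    """The fix: a parameterized query. The driver sends the value separately
    from the SQL text, so quotes and keywords inside it are never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM taxpayers WHERE ssn = ?", (ssn,))]


# Shape check for an SSN as typed by a user: three, two and four digits with hyphens.
SSN_SHAPE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def lookup_validated(conn: sqlite3.Connection, ssn: str) -> list:
    """Defense in depth: reject malformed input before it reaches the database,
    and still use the parameterized query for the lookup itself."""
    if not SSN_SHAPE.fullmatch(ssn):
        raise ValueError("malformed SSN")
    return lookup_safe(conn, ssn)


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every name in the table
    print("parameterized:", lookup_safe(db, probe))      # nothing matches literally
```

Running the block shows the contrast directly: the concatenated query returns all three names for the probe string, while the parameterized one returns an empty list because no row has that literal SSN. Validation is a second line of defense, not a replacement for parameterized queries.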
The second failure is the lack of encryption in the database itself. Again, there is no excuse for not encrypting sensitive data like passwords, credit cards, and Social Security numbers in your database. If someone can get into your database either through a software hack or even worse through the office door—for example, a dishonest employee—he shouldn’t be able to export the database with unencrypted information to a USB stick.
Also, watch your operational log files to see if sensitive data is being sent unencrypted over your networks. Make sure your SSL provider is first-rate. Remember, prevention is most definitely better than the cure. So make the security checks on your website the highest priority.
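Watching the logs for leaked data can be automated. The following is an added example (not code from the original post) of a small scanner that runs over constructed web-server log lines, flags values shaped like SSNs and card numbers, uses a Luhn check to cut down false positives on card-like digit runs, and reports only a redacted form so the scan itself does not copy the secret into another log. The log format and all values in it are constructed for the demonstration.

```python
import re

# SSN shape with the area/group/serial values that are never issued excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Runs of 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample log lines: two leak data, two are benign look-alikes.
SAMPLE_LOGS = [
    "2012-08-13 10:02:11 GET /refund?ssn=123-45-6789 HTTP/1.1 200",
    "2012-08-13 10:02:12 POST /pay card=4111-1111-1111-1111 status=ok",
    "2012-08-13 10:02:13 GET /status?ticket=1234-5678 HTTP/1.1 200",
    "2012-08-13 10:02:14 POST /pay card=4111-1111-1111-1112 status=declined",
]


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(line: str) -> list:
    """Return (kind, redacted_value) pairs for each suspected leak in one line."""
    hits = []
    for m in SSN_PATTERN.finditer(line):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_PATTERN.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        # Only digit runs that pass Luhn are reported; the last line of the
        # sample fails the check and is left alone.
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_logs(lines) -> list:
    """Scan every line; return (line_number, kind, redacted_value) findings."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, redacted in find_sensitive(line):
            findings.append((n, kind, redacted))
    return findings


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} in clear text ({value})")
```

Any finding means a request carried sensitive data in a form that a log file, proxy or packet capture could retain; the fix is upstream (stop logging the parameter, move it out of the URL, encrypt the channel), and the scan should then be scheduled so regressions surface quickly.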
If you don’t know what a good security standard looks like, then have a read of this explanation of payment card industry requirements. It’s broken down quite well. It is also the required standard if you store credit card numbers in your database.
You must have a security policy in place in your organization. If you don’t, then put someone in charge of getting it done and give him the authority to make sure it gets implemented.