In his post ‘Healthcare.gov breach shows poor website security testing’, published on 11 September 2014, George Leopold talks about the latest security breach of the Healthcare.gov website.
It was just an intrusion on a test server ‘that did not contain consumers’ personal information, no data was transmitted and the Healthcare.gov website was not specifically targeted.’
That sounds to me as if someone wants to downplay the problem, or to sing the bull to sleep. Keep in mind that this test server is also connected to the internal network. Since it took one month to detect the intrusion, it is very likely that the attackers tried to get access to other systems. And it is very likely that these attacks have not been detected yet, or will never be detected at all.
The proposed solution is security testing and, as always, data analytics. In my opinion, this will solve neither the problem that the default passwords weren’t changed on the test system, nor the problem that once the server was hijacked, the attackers could act as internal users or administrators.
Only the classic PPT approach, which includes measures on the people, processes and technology level, will lead to sustainable change.
For example, a plain checklist for commissioning servers, which has to be reviewed by another person (four-eyes principle), will solve lots of those problems at nearly no additional cost. If it’s absolutely necessary to invest in new technology, decide on Multiple Factor Authorization.
It’s always the same old story…