While WCSU said that it “has found no evidence that records were inappropriately accessed,” the fact remains that a vulnerability existed in a storage system from April 2009 to September 2012, when it was finally discovered. That exploitable hole potentially exposed information of those whose records were collected by the university over a 13-year period that goes back to 1999. The affected group includes students, their families and those who had other associations with the university, as well as high school students whose SAT scores were purchased in lists – a common practice in higher education.
The situation points out an all too common reality: a lack of visibility when it comes to post-mortem in security incidents. “You may have noticed in security breach disclosures, like the one by Western Connecticut University, that the term ‘might have been compromised’ is common,” said Brian Contos, worldwide vice president of sales engineering at Solera Networks, in an email to Infosecurity. “This is because, in many cases, the targeted organizations don't know the extent of the breach because they are depending on preventative controls to tell them what's happening in a post-prevention world.”
Post-breach security is a combination of talent, techniques and technology, where the technology serves to augment human intuition during the analysis phase, he noted. “Yes, people are required – there is no black box that will keep you safe because we can't code our way out of being breached any more than we can prevent the fact that banks will be robbed as long as there is money sitting somewhere behind the doors,” he said. However, an effective security strategy will be a combination of incident prevention, detection, response and audit.
A strong post-breach security system, such as security intelligence and analytics, can watch every packet for forensic analysis. “Yes, a server got attacked. Yes, it contained 235,000 records,” said Contos. “But now, instead of guessing on the number of records stolen, you know that only one database table was accessed, and perhaps it only contained records for 500 people. This greatly limits your disclosure costs.”
As it is, the school is doing its best to mitigate the problem, and noted that it is beefing up security. WCSU also is offering up to two years of ID theft protection at no cost through a company named AllClear ID. Everyone in the affected groups will receive a letter explaining the protection being offered and the steps they may take to access AllClear ID services, the university said.
“We are disappointed that these records were potentially exposed but we will do everything we can to protect our students, their families and others with whom we have worked,” said WCSU President James Schmotter, in a statement. “The steps we are taking and the solutions we are offering to every one of those affected are designed to address any problems this situation may have caused.”