[SecurityRatty] tag: sungard

Traditional Disaster Recovery Services Are Dead

Wed, 06 Aug 2008 13:06:37 +0000

If you still subscribe to fixed site recovery services using shared IT infrastructure from the likes of HP, IBM BCRS, or SunGard, among others, you will quickly become a dinosaur in the next 1 to 2 years.

These types of shared infrastructure services involve lengthy restores from tape and a recovery time objective of 72 hours, at best. Plus, you'll be lucky if you recover at all because chances are, you've had trouble scheduling a test with your service provider and it's been a LONG time since the last one, if indeed you’ve ever tested.

72 hours recovery just doesn't cut it anymore. And frankly, understanding your provider's oversubscription ratio to shared infrastructure to determine the risk of multiple invocations, or attempting to negotiate exclusions zones and availability guarantees is a time suck. Most companies are either taking DR back in-house or, if they still rely on a DR service provider, they are using dedicated infrastructure.

A dedicated infrastructure is attractive as it enables replication to improve recovery objectives. But it’s expensive, and puts advanced IT recovery out of the reach of many companies who can't measure downtime in millions of dollars.

But, there are new services on the horizon that will make advanced IT recovery affordable for the masses. This month SunGard announced the availability of its new Virtual Server Replication Service. As I discussed in my most recent Forrester Wave™ of DR Service Providers and other reports, server virtualization is transforming IT recovery. With replication to a virtualized server infrastructure and shared storage infrastructure, customers can enjoy improved recovery-time and recovery-point objectives without the cost of dedicated and custom IT recovery solutions from the DR services provider.SunGard is the first DR service provider to productize these virtual services. I expect other DR service providers to follow suit.

So, the next time your contract is up for renewal, you need to completely rethink your approach to IT recovery. Get off tape and move to these new virtual services. It will improve your recovery capabilities and you don't have to worry about the oversubscription issue with shared virtual infrastructure -- the DR provider can manage capacity much more easily in this environment. In fact, SunGard is offering an RTO SLA of 6 hours as part of the offering. To my knowledge, this is the first time a DR service provider is offering this as part of a standard contract. I'm looking forward to the day when vendors will offer most services with transparent, subscription-based pricing, and standard contract terms that don't take a team of procurement professionals to negotiate.

SCSU web server becomes spam server and exposes personal information

Fri, 02 May 2008 07:12:47 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
Southern Connecticut State University

Contractor/Consultant/Branch:
None

Victims:
Current and former students

Number Affected:
11,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
"Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised."

Reference URL:
SCSU Alert
PCWorld
NBC Channel 30 News
Chronicle of Higher Education

Report Credit:
Southern Connecticut State University

Response:
From the online sources cited above:

From the University's Alert Page:
During a recent security review of the Southern Connecticut State University Web server, it was discovered that certain identifying information pertaining to current students and alumni could have been vulnerable to access by unauthorized individuals.
[Evan] As you will read further in this posting, the web server appears to have been compromised. I don't think "could have been vulnerable" is an accurate assessment. The information WAS vulnerable.

The information, including names, addresses, and Social Security numbers, was contained in a protected records office file in which students would register for graduation.

Records of about 11,000 students had been stored in the file dating back to 2002.
[Evan] Personal information belonging to thousands of people on a public web server. UGH.

Upon discovering this potential vulnerability, the university immediately disabled the application and secured the file.

There has been no determination that the personal information contained in the file was accessed, nor is there any indication that this data has been or will be used for purposes of identity theft.
[Evan] Even novice web site administrators log access to web pages and files. If the attacker accessed the file through the web service/daemon, then access was probably logged. If the attacker had completely compromised the web server or taken a different avenue of attack, then there might not be easily obtained evidence of access. Either way, I assume that the file could have been accessed easily.

The university has notified all the affected individuals by letter and taken a number of proactive steps, along with a full security review of the university's Web server.
[Evan] What is proactive in a response?

The University has undertaken a review of all files containing personal information on its Web server and there is no evidence to date that any of them have been compromised.
[Evan] The University should undertake a review of all files containing personal (and other confidential) information everywhere, not just its Web server. Why would personal information storage be permitted at all on a web server?

Identity protection services will be provided at the university's expense to the affected individuals, for a period of up to two years. To obtain this optional coverage, registration for this service is necessary.
[Evan] At the "university's expense" means at the current and future student's expense. As the cost of business goes up, so does the cost of service (at some point) which means an increase in the price of tuition or increase in taxes (SCSU is a member of the Connecticut State University System). Does this sound like good management?

A help desk has been established to respond to questions. The help desk number is: (203) 392-7216 and will be staffed between the hours of 8:30 a.m. to 4:30 p.m.

A dedicated Web page, containing updated information, has been created and may be accessed at www.southernct.edu/creditmonitoring/

Now From Outside Sources:
Two weeks after discovering that its Web site had been used by hackers to flog fancy wedding rings, Southern Connecticut State University is notifying 11,000 current and former students that their Social Security numbers may have been compromised.
[Evan] Do you see how the school's alert web site differs from outside sources? See a spin (one way or the other)? Do you think that the outside sources try to sensationalize the story, or do you think that the school doesn't want the embarrassment that their web server was a spam-related site for some time? Maybe a combination of the two.

The personal data was in a file on the university's Web server, which was accessed by criminals who were using the university's site as part of a spam operation, said Patrick Dilger, the university's director of public affairs.
[Evan] Not only was personal information stored on a public web server, but it was stored on a poorly secured (and probably poorly monitored) public web server.

"The hackers were using our Web server as a host for their own Web site," he said.

Pages on the university's site contained ads for diamond rings, Viagra and Cialis.

After noticing the ads on April 9th, IT staff discovered the file containing the sensitive information. "When we were doing the security review after the hacker incident, we saw this file there and it wasn't properly secured, so it could have been targeted by someone," Dilger said.

The university believes that the hackers came from outside the U.S., and it is working with Connecticut's attorney general's office to investigate

Richard Blumenthal, Connecticut’s attorney general, sent a letter last week to Michael J. Hogan, president of the University of Connecticut, describing the breach and advising him that the many campuses he oversees should be vigilant about their storage, use, and disposal of confidential data.

Commentary:
There are so many things wrong with this, it is hard to know where to start. Will anyone be held accountable.

Past Breaches:
April, 2008 - Stolen SunGard laptop affects at least 10 post-secondary schools (PogoWasRight has been keeping a running update of the Sungard breach, check out their search.)

Stolen SunGard laptop affects at least 10 post-secondary schools

Mon, 21 Apr 2008 10:49:39 +0000

Technorati Tag: Security Breach

Date Reported:
4/17/08

Organization:
Various post-secondary schools, including but not necessarily limited to:
Central Connecticut State University
Eastern Connecticut State University
Southern Connecticut State University
Western Connecticut State University
Northwestern Michigan College
Northwest Missouri State University
Buffalo State College
State University College at Brockport
Monroe Community College

Contractor/Consultant/Branch:
SunGard Higher Education*

*From the SunGard Higher Education "About Us" page:
"SunGard Higher Education provides software, strategic consulting, and technology management services to colleges and universities. We help more than 1,600 institutions worldwide strengthen institutional performance by improving constituent services, increasing accountability, and enhancing the education experience.

SunGard Higher Education has a vision to unify people, process, and technology in an environment that addresses the needs of higher education institutions and the people they serve. We call this vision the Unified Digital Campus."
[Evan] All of "the needs" except one critical one... SECURITY!

Victims:
Students and a limited number of employees

Number Affected:
Unknown, but at least 23702

Types of Data:
Personal information including names, Social Security numbers and financial aid information

Breach Description:
"A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers."

Reference URL:
SunGard Higher Education (general)
The News-Times (Connecticut State University Schools)
Associated Press Connecticut (Connecticut State University System)
Associated Press Michigan (Northwestern Michigan College)
Maryville Daily Forum (Northwest Missouri State University)
The Buffalo News (Buffalo State College)
Democrat and Chronicle (State University of New York schools)
Northwestern Michigan College
Buffalo State College
State University College at Brockport

Report Credit:
SunGard Higher Education

Response:
From the online sources cited above:

A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers.

Security teams from affected institutions and SunGard Higher Education are working together to analyze and verify the data and notify affected individuals.

The laptop was protected with a strong password to access the operating system.
[Evan] It could be the strongest damn password in the world and still not provide an adequate level of security in my opinion. Operating system passwords (especially Windows) can be bypassed in a matter of seconds. This is a poor attempt to minimize the incident.

The computer was password-protected but contained unencrypted files with personally identifiable data
[Evan] Even though encryption is not the "end all", it would have (in conjunction with other controls) reduced the risk of exposure to a level that is acceptable to many organizations (mine included).

All affected customers have been notified. Customer names will not be disclosed for privacy and security reasons as the investigation continues.
[Evan] We already know of at least 10 post-secondary institutions.

The laptop was stolen in New York on March 13 and state officials say it contains the names and personal information of 3,502 present and former students of the four CSU universities.

could put the personal information of 1,600 Northern Michigan College students from 2003 at risk.

could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

Northwest believes it followed all appropriate internal procedures for protecting the privacy of its students. For its part, SunGard Higher Education has accepted responsibility for this incident and is working with the University to minimize any adverse consequences.
[Evan] This is a classic misunderstanding of the roles and responsibilities for information security governance and management. The custodians of the personal information were the schools AND SunGard, not only SunGard. It is the responsibility of the schools (as co-custodians) to require certain information protections from their vendors and contractors. This should be done through policy, contractual language and regular audit/enforcement.

Social Security numbers of about 16,000 current and former Buffalo State College students

affected thousands of students at State University College at Buffalo, State University College at Brockport and Monroe Community College.

We believe that the laptop was stolen for the hardware rather than the data. We do not know if any personally identifiable data was accessed by the thieves.
[Evan] This is another statement meant to minimize the impact of the incident. I do not doubt that often times computer equipment is stolen for the hardware value, but how do we know? I am guessing that more and more criminals are examining the contents of poorly secured computing devices and looking for additional opportunities. The "laptop was stolen for the hardware" argument doesn't work anymore.

The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.

The laptop was taken from an employee of SunGard, a Pennsylvania-based computer software company that provides Buffalo State’s records system, said Voldemar Innus, a college vice president and chief information officer.

Innus also said the laptop was secure.
[Evan] No offense Mr. Innus, but the laptop WAS NOT secure.

"The laptop was stolen for its own worth as hardware," Innus said. "We do not believe it was stolen because of the information that was on it. And it was heavily password protected, we’re told."

"The risk I would say is not that high, but that doesn’t matter," Innus said. "There are steps we need to take because of what happened."
[Evan] People like to throw these terms like "secure" and "risk" around without any validation. How did Mr. Innus determine the risk (of exposure and/or misuse) with respect to this incident?

The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services,

A dedicated Web site containing updated information may be accessed at www.sungardhe.com/laptoptheft.

A help desk has been established with a toll-free number, (866) 520-2408, to respond to questions from affected individuals.

Credit monitoring will be provided at no cost to the affected individuals, for a period of one year.
[Evan] Credit monitoring is a post-fraud activity. One year is very limited for information that has a much longer lifespan.

Buffalo State student reaction:
In a campus dormitory, Ben Bissell, a sophomore special education major, and his friend Thomas Dennis, a freshman English education major, were making housing arrangements for next year. Bissell said he got the e-mail and was aware of the situation. Dennis was not.

Bissell was surprised such sensitive information could be placed in such a portable device as a laptop, which could easily be lost or stolen.
[Evan] Mr. Bissell is a "data owner" in this instance. The school and SunGard are "data custodians". In simplistic terms, data owners dictate what level of protection is required for the data that they own and data custodians apply the designated level of protection. Did the school and SunGard apply the designated level of protection in this case?

"You’d think it would be somewhat secure," Bissell said of his personal information.

He plans to closely monitor his bank statements and account activity following the announcement.

Omar Vargas, a sophomore elementary education major, told a reporter it was the first he had heard of the stolen laptop, admitting he feels "less secure" knowing about it.

"There’s enough things to handle being on campus, like going to classes and deadlines," Vargas said. "Then, just to find out my personal information is threatened is like, man, who knows what that could jeopardize."
[Evan] Very true. If we all just did what we were supposed to do, we wouldn't have to worry so much about what others aren't doing.

"I could wind up with bad credit when I’m on a good roll."

Commentary:
I provided a lot of my commentary above. There is no excuse that I can think of for such poor information security practice and management. Can the people running these companies (such as SunGard) and those responsible for information security claim they didn't know any better? Does it not go against SunGard Higher Education (or school) policy to store confidential information on a laptop while relying solely on operating system level passwords?

Nuts.

Past Breaches:
Unknown