Security Breach Analyst

Closed - This job posting has been filled and work has been completed.

Job Description

Please read over the comments below and respond to each of them from an Information Security Officer's Perspective.

This should be completed in 10 hours - 12 hours from now.

Each comment must be at least 1 paragraph having 6-8 sentences in EACH paragraph.

------------------------------------------------
Comment #1

Criminals gained access to a database containing the personal records, including Social Security numbers, grades, transcripts, and other pertinent Personally Identifiable Information (PII), of hundreds of thousands (some 654,000) of University of Nebraska students, alumni and others connected to the school's four different campuses.

In the CISO role, encryption of the files is needed with a strong encryption method, such as Data Encryption Standard or Triple Data Encryption Standard (TDES) (Kellerman Software, 2008). Encryption methods reduce the likelihood of unapproved information leaks as well as illegal information detection and changes (National Institute of Standards and Technology, 2009).


References:

National Institute of Standards and Technology (2009). Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53, Revision 3). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-53/sp800-53-Rev3-final.pdf


-------------------------------------------------------

Comment #2

The ramifications of such a large scale data breach are huge for a university. A university is supposed to develop leaders, professionals, and those who go out into the world to do the jobs that America needs. If they cannot protect the data of the students, then it would make me question what kind of employees they have hired.

What might be the vulnerabilities that were exploited?

There is not enough data in the information to decide on the vulnerabilities, so this is all just a guess.
Here is my list of possibilities:
• SQL injection
• Physical access
• Trojan allowing for back door access; no need to do database downloads, because the Trojan could allow for screen captures

Regulatory and compliance issues associated with the event?
• Privacy act
• Failure to secure PII – banking /
• Data record keeping / years keeping data (something seems odd about the years of how long they had the data)

CISO: would be your recommended course/courses of action?

• Annual internal pen testing
• Redevelopment of database design to include separating sensitive data such as the PII. Multiple databases if needed. Masking / coding SSN numbers using encryption within the database.
• Database should be restricted to the internal network, segmented from the school network (labs, student network), possibly via VLAN
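The database-redesign recommendation above (separate the PII from the academic records, and mask or encode the SSNs inside the database) can be shown concretely. The following is an added example, not code from the commenter or from any university system; it assumes a hypothetical `students`/`student_pii` schema and a constructed key, and uses only the Python standard library. The SSN is pseudonymised with a keyed HMAC (so it can still be used for lookups) and stored only in masked form for display; the general application is meant to read a view that never exposes the PII table directly.

```python
import hashlib
import hmac
import sqlite3

# Constructed secret for keyed pseudonymisation (assumption: in production this
# would be held in a KMS/HSM, never in application source, and rotated on a schedule).
TOKEN_KEY = b"example-key-do-not-use-in-production"


def _digits(ssn: str) -> str:
    """Normalise '123-45-6789' and '123456789' to the same nine-digit string."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must have exactly 9 digits")
    return digits


def ssn_token(ssn: str) -> str:
    """Keyed HMAC of the SSN, used for lookup/join without storing the raw number.
    An unkeyed hash would be reversible by brute force over the small SSN space,
    which is why a secret key is required."""
    return hmac.new(TOKEN_KEY, _digits(ssn).encode(), hashlib.sha256).hexdigest()


def mask_ssn(ssn: str) -> str:
    """Display form that keeps only the last four digits."""
    return "***-**-" + _digits(ssn)[-4:]


def build_schema(conn: sqlite3.Connection) -> None:
    conn.executescript(
        """
        -- Academic data only: what advisers, labs and reporting tools need.
        CREATE TABLE students (
            student_id INTEGER PRIMARY KEY,
            name       TEXT NOT NULL,
            gpa        REAL
        );
        -- PII kept apart (in production: a separate database/host on a segmented
        -- network). The raw SSN is never written here in the clear.
        CREATE TABLE student_pii (
            student_id INTEGER PRIMARY KEY REFERENCES students(student_id),
            ssn_token  TEXT NOT NULL UNIQUE,  -- keyed HMAC, lookup only
            ssn_masked TEXT NOT NULL          -- ***-**-1234, display only
        );
        -- The only object the general application account should be granted.
        CREATE VIEW student_directory AS
            SELECT s.student_id, s.name, s.gpa, p.ssn_masked
            FROM students s LEFT JOIN student_pii p USING (student_id);
        """
    )


def enroll(conn: sqlite3.Connection, student_id: int, name: str, gpa: float, ssn: str) -> None:
    """Insert a record, placing the pseudonymised SSN in the separate PII table."""
    conn.execute("INSERT INTO students VALUES (?, ?, ?)", (student_id, name, gpa))
    conn.execute(
        "INSERT INTO student_pii VALUES (?, ?, ?)",
        (student_id, ssn_token(ssn), mask_ssn(ssn)),
    )
    conn.commit()


def find_by_ssn(conn: sqlite3.Connection, ssn: str):
    """Resolve a student by SSN; only the HMAC token ever reaches the database."""
    row = conn.execute(
        "SELECT student_id FROM student_pii WHERE ssn_token = ?", (ssn_token(ssn),)
    ).fetchone()
    return row[0] if row else None


def directory(conn: sqlite3.Connection):
    """What the general application sees: masked SSNs, nothing more."""
    return conn.execute(
        "SELECT student_id, name, gpa, ssn_masked FROM student_directory ORDER BY student_id"
    ).fetchall()


def demo() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    enroll(conn, 1, "A. Student", 3.4, "123-45-6789")  # constructed sample SSN
    enroll(conn, 2, "B. Student", 3.9, "987-65-4321")  # constructed sample SSN
    return conn


if __name__ == "__main__":
    c = demo()
    print(directory(c))
    print(find_by_ssn(c, "123-45-6789"))
```

The keyed-HMAC form is one-way: it supports the "does this SSN belong to a student" lookup but cannot give the number back. Where a business process genuinely needs the raw SSN (tax reporting, for instance), the same separate table would hold it under an authenticated cipher with the key kept outside the database, and only the registrar's role would be granted decryption; the academic tables and the general application account still never see it.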

----------------------------------------------------------

---
Skills: design, engineering, management