The governor of South Carolina, after the big breach, is claiming that "nothing could have been done to block the attacks." She then cites the "holes in the system," and then she says that the state followed "best practices."
Not so fast.
Interestingly, Deloitte just released a new survey that may help shed light on why the breach occurred. Several interesting data points all seem to congregate on page 23:
- The survey "shows that the majority of states continue to conduct internal and external system penetration testing on an ad-hoc basis only. In fact, the number that test on a quarterly basis has fallen slightly since 2010."
- Figure 17 shows that application security vulnerability scans take place on an ad hoc basis 62% of the time.
- A pull-out explains how North Carolina (!) has implemented a rigorous application vulnerability program.
Couple the above with our SQL injection rant from yesterday, and you have a strong idea of how and why this breach took place, and that something could have been done to stop it.