November 01, 2012

Lessons From the South Carolina Breach

The governor of South Carolina, after the big breach, is claiming that "nothing could have been done to block the attacks." She then cites the "holes in the system," and then she says that the state followed "best practices."

Not so fast.

Interestingly, Deloitte just released a new survey that may help shed light on why the breach occurred. Several interesting data points all congregate on p. 23:

  • The survey "shows that the majority of states continue to conduct internal and external system penetration testing on an ad-hoc basis only. In fact, the number that test on a quarterly basis has fallen slightly since 2010." 
  • Figure 17 shows that application security vulnerability scans take place on an ad hoc basis 62% of the time.
  • A pull-out explains how North Carolina (!) has implemented a rigorous application vulnerability program.

Couple the above with our SQL injection rant from yesterday and you have a strong idea of how and why this breach took place and that something could have been done to stop it.
