Frontpage Lessons - UC Berkeley's Health Data Breach
UC Berkeley's recent announcement of a large-scale health data breach serves as a good reminder of two basic security best practices - service separation and monitoring.
In this case, at least part of the flaw was a multi-purpose, public-facing system that provided both web and database services, with the database holding sensitive health data. Berkeley's announcement notes that "The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server." A multi-tier architecture, with the public web tier on its own host and the database reachable only from the application tier over a tightly restricted path, would likely have contained the compromise to the web tier, and at a far lower cost than that of notifying 160,000 individuals of their potential exposure. The first lesson is that a sound architecture for public-facing systems can save a huge expense in both dollars and staff hours later.
In addition to the multiple services on a single server, the length of time the system remained compromised suggests that the diagnostic and detection systems that could have been watching the server were not in use. According to the announcement, the breach began on Oct. 9, 2008 and continued until April 9, 2009, and was detected only during routine server maintenance - six months of undetected access.
The second lesson here is that system monitoring is crucial - file-integrity monitoring such as Tripwire, border flow records used to spot remote SSH sessions, and routine log auditing would likely have surfaced this compromise far earlier.
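As an added example (not code from the original post, and not anything Berkeley ran), the following Python script shows the two cheapest of those monitoring checks: auditing sshd authentication logs for accepted logins from outside the networks where administrators are expected, and scanning NetFlow-style border flow records for inbound SSH to the server from the same untrusted sources. The host name `webdb`, the server address `198.51.100.10`, the "trusted" networks, and all log lines and flow records are constructed for the example (RFC 5737 documentation ranges stand in for real addresses); the sshd line format is the standard OpenSSH syslog format, and the flow CSV layout is an assumed export format rather than any particular collector's.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Assumption for this example: networks from which interactive SSH is expected.
# Anything else counts as "remote". RFC 5737 ranges stand in for real ones.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("198.51.100.0/24")]

# Matches OpenSSH "Accepted ..."/"Failed ..." syslog lines, including the
# "invalid user" variant sshd emits for unknown account names.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def parse_sshd(line: str):
    """Return the fields of an sshd auth event, or None for other log lines."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def audit_ssh_log(lines, fail_threshold=5):
    """Alert on every login accepted from an untrusted source, and note when
    that source had been guessing passwords (>= fail_threshold failures) first."""
    alerts = []
    failures = Counter()
    for line in lines:
        ev = parse_sshd(line)
        if not ev:
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif not is_trusted(ev["src"]):
            n = failures[ev["src"]]
            note = " after %d failures" % n if n >= fail_threshold else ""
            alerts.append("%s remote login %s@%s via %s%s"
                          % (ev["ts"], ev["user"], ev["src"], ev["method"], note))
    return alerts


def audit_flows(flow_csv: str, server_ip: str):
    """Flag inbound TCP/22 flows to the server from untrusted sources. A border
    flow collector sees these even if the host's own logs are later wiped."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if (row["proto"] == "6" and row["dst"] == server_ip
                and row["dport"] == "22" and not is_trusted(row["src"])):
            alerts.append("%s inbound SSH %s -> %s (%s bytes)"
                          % (row["start"], row["src"], row["dst"], row["bytes"]))
    return alerts


# Constructed sample data: a password-guessing run that succeeds, followed by
# a legitimate key-based login from the campus network.
SAMPLE_AUTH_LOG = """\
Oct  9 03:13:40 webdb sshd[2231]: Failed password for root from 203.0.113.77 port 51010 ssh2
Oct  9 03:13:44 webdb sshd[2231]: Failed password for root from 203.0.113.77 port 51011 ssh2
Oct  9 03:13:49 webdb sshd[2233]: Failed password for invalid user admin from 203.0.113.77 port 51013 ssh2
Oct  9 03:13:55 webdb sshd[2235]: Failed password for wwwadmin from 203.0.113.77 port 51016 ssh2
Oct  9 03:14:01 webdb sshd[2237]: Failed password for wwwadmin from 203.0.113.77 port 51019 ssh2
Oct  9 03:14:07 webdb sshd[2239]: Accepted password for wwwadmin from 203.0.113.77 port 51022 ssh2
Oct  9 08:02:11 webdb sshd[2390]: Accepted publickey for sysadmin from 10.1.4.20 port 40112 ssh2
Oct  9 08:02:11 webdb sshd[2390]: pam_unix(sshd:session): session opened for user sysadmin by (uid=0)
""".splitlines()

# Constructed border flow export (assumed column layout). The final record is
# ordinary public web traffic and must not be flagged.
SAMPLE_FLOWS = """\
start,proto,src,sport,dst,dport,bytes
2008-10-09T03:13:38,6,203.0.113.77,51010,198.51.100.10,22,4120
2008-10-09T03:14:05,6,203.0.113.77,51022,198.51.100.10,22,184320
2008-10-09T08:02:09,6,10.1.4.20,40112,198.51.100.10,22,20480
2008-10-09T09:15:00,6,203.0.113.200,44321,198.51.100.10,80,9120
"""

if __name__ == "__main__":
    for a in audit_ssh_log(SAMPLE_AUTH_LOG) + audit_flows(SAMPLE_FLOWS, "198.51.100.10"):
        print("ALERT:", a)
```

Run against the sample data, the log audit produces a single alert for the `wwwadmin` login from 203.0.113.77 (annotated "after 5 failures"), and the flow audit produces two alerts for the same source while ignoring the campus administrator's session and the public web traffic. The point of keeping both checks is that they fail independently: an intruder with root can edit the host's auth log, but cannot edit the flow records the border router exported.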
Despite the flaws that led to the compromise, Berkeley appears to have done a good job after the fact: it is providing resources to affected individuals at datatheft.berkeley.edu, and its published process lists both activation of a computer incident response team (CIRT) and contact with the FBI. As any IT organization knows, some flaws, old or new, will slip through. Berkeley's response shows that it has a coherent plan, and this incident should only serve to improve its overall security posture.