Computerworld - This one is just scary to read about: Ohio University said last week that someone hacked into an alumni database server and may have stolen personal information on more than 300,000 people and organizations, including 137,800 Social Security numbers.
No, that's not the scary part. It also turns out that, according to security logs, the server was compromised by early last year at the latest and that it was being used for a denial-of-service attack against an external target. In short, it was, as kids say, "owned." But that's still not the part that's so frightening.
Here's what's scary: Everyone thought this server was off-line.
In fact, it was supposed to have been decommissioned more than a year ago. IT managers thought it had been. Thus, logically enough, it didn't get any security updates or patches. After all, you don't patch an out-of-service machine. You don't waste any budget on it at all. It's dead.
But this unpatched server was still running and still connected. It was a ghost -- officially dead, but still haunting the network. So it was hacked. And turned into a denial-of-service weapon. And the information on it was exposed to bad guys who could use it for identity theft.
There's an obvious lesson here, and it's worth saying early and often: There's no such thing as a decommissioned server. At least not until it has been unplugged, its disks have been wiped and its carcass has been carted away.
Just unplugging it from the power and the network isn't enough. It's too easy to plug it back in.
What about unplugging it, wiping the disks and putting it in storage? Still not enough. Some enterprising systems administrator in a cash-strapped department can easily dust it off, plug it in and restore it from backup tapes. Voila -- a functioning server at no incremental cost.
Except that, being off the books, it won't get the proper security treatment. No patches, no upgrades, no security log reviews, because none of the processes that deliver them know the machine exists.
We don't know whether that's what happened at Ohio University, or whether the server was supposed to be shut down and simply never was. But the result is the same either way: a ghost server, ripe and ready to be compromised.
What's worse, we can be pretty sure that most organizations won't take that last step and physically dispose of decommissioned IT equipment. A roomful of out-of-service servers is just too handy. They're good for parts, they're good for emergency replacement machines, they're good for skunk-works projects.
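One practical check against the ghost-server problem described above, as an added example that is not part of the Computerworld column: reconcile what actually answers on the network with what the asset inventory says should be there. Anything that is up but recorded as decommissioned is a ghost; anything up that the inventory has never heard of is worse. The inventory CSV, the greppable nmap output, the hostnames, addresses and the cut-off date below are all constructed for the example and are not real data.

```python
import csv
import io
import re
from datetime import date

# Constructed asset inventory: what the books say. Not real hosts.
INVENTORY_CSV = """hostname,ip,status,last_patched
legacy-db-01,10.0.5.17,decommissioned,2004-11-02
web-01,10.0.5.20,active,2006-04-28
file-02,10.0.5.31,active,2006-05-01
backup-03,10.0.5.42,active,2005-12-15
"""

# Constructed sample of `nmap -sn -oG -` (greppable ping sweep) output
# for the same subnet: what is actually answering.
NMAP_GREPPABLE = """# Nmap 4.01 scan initiated (constructed sample)
Host: 10.0.5.17 ()\tStatus: Up
Host: 10.0.5.20 (web-01.example.edu)\tStatus: Up
Host: 10.0.5.31 ()\tStatus: Up
Host: 10.0.5.99 ()\tStatus: Up
# Nmap done (constructed sample)
"""

# Constructed "today" so the patch-age check is reproducible.
TODAY = date(2006, 5, 15)

# Greppable nmap host lines look like: "Host: <ip> (<name>)\tStatus: Up"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_inventory(text):
    """Map IP -> inventory row (hostname, status, last_patched)."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_live_hosts(text):
    """Return the set of IPs nmap reported as Up."""
    live = set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3).lower() == "up":
            live.add(m.group(1))
    return live


def reconcile(inventory, live, today, max_patch_age_days=90):
    """Compare observed hosts with the inventory.

    ghosts  : up on the wire but recorded as anything other than active
    unknown : up on the wire but absent from the inventory entirely
    stale   : up and active on paper, but last patched too long ago
    missing : active on paper but not answering (possibly mis-recorded)
    """
    ghosts, unknown, stale, missing = [], [], [], []
    for ip in sorted(live):
        row = inventory.get(ip)
        if row is None:
            unknown.append(ip)
            continue
        if row["status"] != "active":
            ghosts.append(ip)
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > max_patch_age_days:
            stale.append(ip)
    for ip, row in sorted(inventory.items()):
        if row["status"] == "active" and ip not in live:
            missing.append(ip)
    return {"ghosts": ghosts, "unknown": unknown,
            "stale": stale, "missing": missing}


def ghost_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_inventory(INVENTORY_CSV),
                     parse_live_hosts(NMAP_GREPPABLE), TODAY)


if __name__ == "__main__":
    for category, ips in ghost_report().items():
        print(f"{category:8s} {', '.join(ips) or '-'}")
```

Run against a real sweep, feed it `nmap -sn -oG - <subnet>` and an export of the asset register; the "ghosts" list is exactly the class of machine the column describes, and the "unknown" list is where a server restored from backup tapes by a cash-strapped department will turn up. The decommissioned entry in the sample is also flagged as stale, which is the point: it has not been patched since it was "retired".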