Computerworld - This one is just scary to read about: Ohio University said last week that someone hacked into an alumni database server and may have stolen personal information on more than 300,000 people and organizations, including 137,800 Social Security numbers.
No, that's not the scary part. It also turns out that, according to security logs, the server was compromised by early last year at the latest and that it was being used for a denial-of-service attack against an external target. In short, it was, as kids say, "owned." But that's still not the part that's so frightening.
Here's what's scary: Everyone thought this server was off-line.
In fact, it was supposed to have been decommissioned more than a year ago. IT managers thought it had been. Thus, logically enough, it didn't get any security updates or patches. After all, you don't patch an out-of-service machine. You don't waste any budget on it at all. It's dead.
But this unpatched server was still running and still connected. It was a ghost -- officially dead, but still haunting the network. So it was hacked. And turned into a denial-of-service weapon. And the information on it was exposed to bad guys who could use it for identity theft.
There's an obvious lesson here, and it's worth saying early and often: There's no such thing as a decommissioned server. At least not until it has been unplugged, its disks have been wiped and its carcass has been carted away.
Just unplugging it from the power and the network isn't enough. It's too easy to plug it back in.
What about unplugging it, wiping the disks and putting it in storage? Still not enough. Some enterprising systems administrator in a cash-strapped department can easily dust it off, plug it in and restore it from backup tapes. Voila -- a functioning server at no incremental cost.
Except that, being off the books, it won't get the proper security treatment. No patches, no upgrades, no security log reviews.
We don't know whether that's what happened at Ohio University, or whether the server was supposed to be shut down and simply never was. But the result is the same either way: a ghost server, ripe and ready to be compromised.
What's worse, we can be pretty sure that most organizations won't take that last step and physically dispose of decommissioned IT equipment. A roomful of out-of-service servers is just too handy. They're good for parts, they're good for emergency replacement machines, they're good for skunk-works projects.
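As an added illustration (not part of the original column, and not any tooling used at Ohio University), the check below reconciles an asset register against hosts actually seen on the network, using the three disposal steps the column names. The host names, field names and sightings are constructed sample data, and the sightings are assumed to come from sources such as DHCP leases, ARP tables or flow logs.

```python
from datetime import date

# The three steps the column says must all happen before a server is really gone.
DISPOSAL_STEPS = ("unplugged", "disks_wiped", "removed")

# Constructed sample asset register (hypothetical hosts and fields).
INVENTORY = [
    {"host": "db-old01", "status": "decommissioned", "retired": date(2024, 1, 15),
     "unplugged": False, "disks_wiped": False, "removed": False},
    {"host": "files03", "status": "decommissioned", "retired": date(2024, 2, 1),
     "unplugged": True, "disks_wiped": True, "removed": False},
    {"host": "mail04", "status": "decommissioned", "retired": date(2024, 2, 1),
     "unplugged": True, "disks_wiped": True, "removed": True},
    {"host": "web02", "status": "active", "retired": None},
]

# Constructed sample sightings: (host, day it was observed on the network).
SIGHTINGS = [
    ("db-old01", date(2024, 1, 10)), ("db-old01", date(2025, 3, 2)),
    ("web02", date(2025, 3, 2)), ("lab-box9", date(2025, 3, 1)),
]

def find_ghosts(inventory, sightings):
    """Compare what the register says with what the network actually saw."""
    last_seen = {}
    for host, day in sightings:
        if host not in last_seen or day > last_seen[host]:
            last_seen[host] = day
    report = {"ghost": [], "revivable": [], "unregistered": []}
    known = set()
    for asset in inventory:
        host = asset["host"]
        known.add(host)
        if asset["status"] != "decommissioned":
            continue
        seen = last_seen.get(host)
        if seen is not None and seen > asset["retired"]:
            report["ghost"].append(host)      # officially dead, still on the network
        elif not all(asset.get(step) for step in DISPOSAL_STEPS):
            report["revivable"].append(host)  # quiet now, but easy to plug back in
    # Hosts on the wire that the register has never heard of are off the books.
    report["unregistered"] = sorted(set(last_seen) - known)
    return report

if __name__ == "__main__":
    for category, hosts in find_ghosts(INVENTORY, SIGHTINGS).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

A host seen after its retirement date is flagged as a ghost even if the register claims every disposal step was completed, since the network sighting shows the register is wrong.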