Security audits: what they’re like

In the previous post we saw that data breaches in higher education can affect a large number of people, and that state legislatures and university administrations really want this problem to go away. (Spoiler: it’s not going away.)

One result of this is more and more information security audits at universities. Auditors start by reading the university’s policies pertaining to information resources, and then they look to see if the university is following its own policies. The auditors interview people all over the university about the details of their processes, and they portscan networks looking for out-of-date software and poorly-configured servers. They inevitably find fault with the policies and/or some discrepancy between what’s written in policy and what’s actually happening. The auditors write up their findings in a report, and they submit the report to high-level administrators. The administrators read the report and send it (along with some harshly-worded threats) down to the next level of management, and this process repeats until the report finally reaches someone who can actually do something about it (the hapless front-line pukes who administer networks and servers).

Reactions frequently include one or more of the following:

  • Why did the auditors have to tell all of my bosses about this? Why couldn’t they just tell me so that I could fix it (quietly)?
  • This is a purely theoretical vulnerability that couldn’t possibly affect us, and I don’t want to fix it.
  • This is a false positive, and I don’t want to fix it.
  • I could fix this, but I’m afraid that it would break something else, so I don’t want to fix it.
  • Correcting this is too difficult, and I don’t want to fix it.
  • Well, we’ve had this condition for a long time, and nothing bad has happened, so I don’t want to fix it.
  • I’m a new employee, and I’ve inherited all this stuff that someone else left in this sad state, and I don’t want to fix it.
  • The auditors are jerks, and they couldn’t find anything really wrong, so they’re picking on this unimportant little thing, and I don’t want to fix it.

Administrators and auditors have little sympathy for these reactions (however legitimate they may be), and these audits are becoming increasingly adversarial. People at all levels of the organization lose their jobs over these things.

So if you’re writing about a character who works in IT, and you want to increase the tension this character is experiencing, put her through an audit.

Software updates for Microsoft, Adobe, WordPress

It was the second Tuesday of the month this week, so Microsoft has released updates to its products. Microsoft characterizes some of these updates as critical. Here’s the April 2016 Microsoft security bulletin.

Adobe has updated its April 2016 security bulletin from last week’s out-of-band announcement. The updated bulletin adds some new items that need updates.

WordPress has released version 4.5. That looks like more of a feature update than a security update. Still, if you host your own WordPress blog, you should probably update. (If, like me, your WordPress blog is hosted on the wordpress.com servers, you don’t need to do anything.)

And if you happen to run Samba on Linux (or similar), you need to run your updates, too. There’s a new man-in-the-middle exploit called Badlock which is getting some attention.

Security audits: why they happen

This post is to give an idea of one of the less glamorous parts of working in information technology. Everybody answers to somebody, and sometimes that somebody wants to inspect your work.

Disclaimer: I’m speaking from my own experience, which is in higher education at a public university, and that university is a member of a larger university system. My own chain of command looks something like this:

  1. manager of my section in IT
  2. chief information officer of the university
  3. president of the university
  4. chancellor of the university system
  5. board of regents of the university system (who are appointed by the governor)

And somewhere between #4 and #5 there’s an office of internal audit.

Although my university usually does pretty well, higher education in general has at times had a poor record of information security. The office of inadequate security has plenty of announcements involving higher education institutions.

When an organization experiences a data breach, it frequently doesn’t discover the breach itself. Notification sometimes comes in the form of a phone call from the Federal Bureau of Investigation. The university administrators have to notify the entire university community, and the university typically has to pay for credit monitoring for everyone affected. That can add up quickly, because a higher education data breach can potentially affect a lot of people: students and their families, alumni, staff and faculty (past and present), job applicants, even donors. Larger universities mean larger numbers of people.

Imagine that you’re on the board of regents, and you’re addressing a bunch of donors. Some freaked-out-looking assistant hands you the phone, and it’s the feds telling you that they’ve discovered people selling the names, dates of birth, and social security numbers of thousands of students currently attending the university for which you are at this very moment trying to convince these donors (who are staring at you wondering why you’re talking on the phone and not to them) to cough up money for a new sports facility. Awkward.

So when this kind of thing happens, breach victims (understandably) tend to complain to their elected leaders. State legislatures have taken notice and are increasingly putting the screws to state agencies to get their digital affairs in order.

In the next post we’ll see what security audits are like (and how they affect people who work in IT).