A lesson on the need for incident playbooks learned the hard way

When consumers type their names into a search engine, they want to know how much personal information about them is available on the public Internet.

What they shouldn’t find is private information a trusted organization is supposed to protect.

So a U.S. woman was stunned recently when she Googled her name and up popped an image of her driver’s licence. She’d submitted the scanned image of her licence to an Atlanta-area school board after applying to be a substitute teacher.

Following the link behind the photo led to an open folder holding many other personal identity documents filed by applicants. Those documents, including images of passports, could easily have been used to create phony identities.

The school board had stored those images in a folder on a secure server. However, on Dec. 22 the district’s cloud-based web server crashed due to a vendor-related event. It was restored on Dec. 24, but according to a Jan. 4 news report the crash had corrupted security software, leaving the data unprotected.

It wasn’t fixed until a TV reporter, whom the woman had called, notified the school board.

It’s an example of how IT teams not only have to think things through but also must not rush, says a veteran penetration tester who looks for holes in enterprises. Misconfiguring systems “is one of the main reasons why I break into companies,” said Terry Cutler, vice-president of cyber security at Montreal-based Sirco Group.

“I think these guys [at the school district] panicked and did whatever they could to rebuild the server and put it back online as soon as possible. So they misconfigured the system.”

“Those guys obviously didn’t do their audit. Had they run a vulnerability scan they would have found it. A scan would have picked it up as critical. Even if they had done an advanced Google search and typed in ‘site:’ and the name of the [district] web site, it would show every web site linked, and it would have shown up.”

The lesson is that IT must have processes for staff to follow when restoring any server that has been knocked offline, so that the security controls in place before the incident are verified to be back before the server is exposed to the Internet again.
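One concrete form that restore step can take, as an added example that is not the district’s or the article’s own code: a post-restore check that fetches every URL path the checklist says must stay private and refuses to sign off until each one answers 403 or 404. The script assumes a hypothetical /applicant-docs/ folder under the web root and a Python-served document root; it starts a local server twice, once with directory listings enabled (the misconfigured state described above) and once with the folder denied, and runs the same checklist against both.

```python
"""Post-restore exposure check: added example, not code from the article or
the school district. It assumes a restore checklist that names the URL paths
which must NOT be publicly reachable (here a hypothetical /applicant-docs/
folder), and starts a local web server to simulate both the misconfigured
restore and the corrected one."""
import functools
import http.server
import os
import posixpath
import shutil
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request

# Strings that a typical auto-generated directory index contains.
LISTING_MARKERS = ("index of", "directory listing for")

# Hypothetical checklist entry: paths that must answer 403/404, never 200.
MUST_BE_PRIVATE = ["/applicant-docs/", "/applicant-docs/licence-scan.png"]


def check_path(base_url, path, timeout=5):
    """Fetch base_url+path; return (path, verdict, http_status).

    verdict is 'OK' for any non-200 answer, 'EXPOSED-LISTING' when a 200
    body looks like a directory index, and 'EXPOSED' for any other 200."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(4096).decode("utf-8", "replace").lower()
    except urllib.error.HTTPError as err:       # 403, 404, ...: unreachable
        return (path, "OK", err.code)
    if status != 200:
        return (path, "OK", status)
    if any(marker in body for marker in LISTING_MARKERS):
        return (path, "EXPOSED-LISTING", status)
    return (path, "EXPOSED", status)


def run_checklist(base_url, must_be_private=MUST_BE_PRIVATE):
    """Run every checklist path; a restore is not 'done' until all are OK."""
    return {p: check_path(base_url, p) for p in must_be_private}


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stock handler (directory listings enabled): the misconfigured state."""
    def log_message(self, *args):   # keep the demo output clean
        pass


class HardenedHandler(QuietHandler):
    """Same server with the applicant folder denied and listings disabled."""
    PRIVATE_DIR = "/applicant-docs"

    def do_GET(self):
        # Normalise before comparing, so %-encoding or '..' segments cannot
        # sidestep the prefix check (translate_path() unquotes them anyway).
        raw = urllib.parse.urlsplit(self.path).path
        norm = posixpath.normpath(urllib.parse.unquote(raw))
        if norm == self.PRIVATE_DIR or norm.startswith(self.PRIVATE_DIR + "/"):
            self.send_error(403, "Forbidden")
            return
        super().do_GET()

    def list_directory(self, path):  # no auto-index anywhere on this host
        self.send_error(403, "Forbidden")
        return None


def simulate(handler_cls, must_be_private=MUST_BE_PRIVATE):
    """Serve a constructed doc root with one fake licence scan on 127.0.0.1,
    run the checklist against it, then tear the server down."""
    root = tempfile.mkdtemp()
    try:
        docs = os.path.join(root, "applicant-docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "licence-scan.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed placeholder, not a real image")
        handler = functools.partial(handler_cls, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            return run_checklist(base, must_be_private)
        finally:
            server.shutdown()
            server.server_close()
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, cls in (("misconfigured restore", QuietHandler),
                       ("hardened restore", HardenedHandler)):
        print(label)
        for path, verdict, status in simulate(cls).values():
            print("  %-35s %-16s HTTP %d" % (path, verdict, status))
```

Against the listing-enabled server the folder comes back as EXPOSED-LISTING and the scan as EXPOSED; against the hardened server both are OK with HTTP 403. In production the same check is run from outside the organisation’s network against the real hostname, and the plain EXPOSED verdict matters as much as the listing one: a single document URL that a search engine has already indexed is exactly what the woman in this story found.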

The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework outlines five functions CISOs should follow to create a mature cyber security program. Two of them, Respond and Recover, urge IT leaders to create processes that govern the response to an incident and the restoration of service afterwards.

Sometimes these processes are called playbooks: detailed instructions on how to respond to a variety of expected issues. Playbooks start by identifying an organization’s assets, weaknesses and expected threats, then spell out how to respond to a range of problems. Experts also say playbooks must be tested to make sure they are still relevant, and that they actually work.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
