Drug Testing Lab Portal Incident Exposed Data for 4 Years
How Can Other Entities Avoid Similar Misconfiguration Mishaps?
… “Because portals, by definition, are externally facing, they are accessible via the internet, which automatically means they are more likely to be targets for attackers,” says Tom Walsh, founder of privacy and security consultancy tw-Security.
… Portals “tend to be about one person obtaining data about themselves and no one else,” Walsh says. “Therefore, some consider the risk of unauthorized exposure to be low – just a single person’s data being exposed,” he says.
However, portals pull data from other internal sources and then display the results in a webpage, functioning like a conduit, he notes.
“Most of the time, the portal doesn’t actually store any confidential information such as protected health information and/or personally identifiable information. But that is not always the case,” he says.
“Some portals temporarily store the information – directly or indirectly through transactional logs. The security of this data can often be overlooked because it is not easy to find the logs and the user would have to have elevated privileges to get to the logs.”
Avoiding Misconfiguration Mishaps
Walsh suggests organizations take a variety of measures to avoid web portal and related IT misconfiguration mishaps that can potentially lead to data breaches.
- Performing a web application review/assessment to better understand which configuration parameters would significantly affect the confidentiality of data;
- Having a third party periodically conduct a code review to confirm that the portal is running securely;
- Routinely running vulnerability assessments, scans and penetration testing;
- Strictly following a change management process that includes a security review of the planned changes;
- Implementing security log monitoring to uncover suspicious activity and give greater opportunity to discover any potential breach of data.
To reduce the risks of security incidents involving web portals, Walsh also recommends:
- Implementing multifactor authentication if it is a viable option for portal users or, if not, implementing strong password rules;
- Setting automatic timeouts that end a portal user’s session after a period of inactivity;
- Preventing the success of password-cracking programs by automatically locking portal users’ accounts after a predetermined number of consecutive, unsuccessful logon attempts;
- Encrypting data stored in a portal, even temporarily and in logs;
- Exposing only the minimum necessary information needed in portal encounters;
- Ensuring that audit trail and transaction logs include sufficient information to establish what events occurred, such as type of event, when the event occurred and the IP address of the user;
- Protecting transaction logs with an additional layer of security, such as a different set of credentials to access the logs;
- Preserving the integrity of logs so they cannot be deleted or altered;
- Implementing an intrusion detection system to help facilitate detection, investigation and response to incidents;
- Erasing cookies when the web browser used to access the portal is closed.
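Three of the recommendations above (lockout after consecutive failed logons, audit records that capture event type, time and IP address, and logs that cannot be silently altered) fit together in a few lines. The sketch below is an added example, not code from Walsh or the lab's portal; the class names, the threshold of 5 and the SHA-256 hash chain are assumptions chosen for illustration.

```python
import hashlib
import json

MAX_FAILURES = 5  # assumed value; the article says only "a predetermined number"

class AuditLog:
    """Append-only log; each record stores the hash of the record before it."""
    def __init__(self):
        self.records = []

    def append(self, event, user, ip, when):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"event": event, "user": user, "ip": ip, "when": when, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append({**body, "hash": digest})

    def first_bad_index(self):
        """Return the index of the first record that fails verification, or None."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != digest:
                return i
            prev = rec["hash"]
        return None

class LoginGate:
    """Locks an account after MAX_FAILURES consecutive failed logons."""
    def __init__(self, log):
        self.log = log
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password_ok, ip, when):
        if user in self.locked:
            self.log.append("logon_rejected_locked", user, ip, when)
            return "locked"
        if password_ok:
            self.failures[user] = 0  # a success resets the consecutive count
            self.log.append("logon_success", user, ip, when)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.log.append("logon_failure", user, ip, when)
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            self.log.append("account_locked", user, ip, when)
            return "locked"
        return "denied"
```

The chain detects an edited or removed record only if the most recent hash is also kept somewhere the portal's own credentials cannot write, which is the same separation the list asks for when it calls for a different set of credentials on the logs.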