Harvard just learned security investigation 101 the hard way.
Harvard admitted yesterday that a web server containing financial-aid application data for over 10,000 applicants was hacked a month ago. They knew about the incident on February 15 and took the server down until February 21 in order to investigate and implement stronger security controls. Their announcement reveals how slow and ineffective security investigations often are.
“The University’s initial examination did not reveal the full extent of the hack. As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed.”
Unfortunately, a day later, it was pretty obvious that over 6,000 applicants’ data had been compromised – CNet reports that all their personal data was on Bittorrent.
“Harvard officials said the data includes the applicant’s name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.”
It shouldn’t have taken Harvard nearly a month to come up with an answer as weak as “could potentially have been accessed.”
Why couldn’t they figure out for sure whether the data was accessed? Either they weren’t logging file accesses, didn’t have the logs, or the logs were too hard to analyze. Most likely it was a combination of all three.
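As an added example (not from the post, and not Splunk’s or Harvard’s code), here is the kind of answer an investigator wants from ordinary web server access logs: which external clients actually retrieved anything under the sensitive path, when, and how many bytes were served, rather than “could potentially have been accessed.” The Apache combined-format lines, paths and addresses are constructed for the example; the trusted network prefixes are an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real Harvard data).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2008:22:11:03 -0500] "GET /admissions/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Feb/2008:22:14:40 -0500] "GET /admissions/export/applicants.csv HTTP/1.1" 200 2310000 "-" "curl/7.18"
198.51.100.7 - - [14/Feb/2008:22:15:02 -0500] "GET /admissions/export/applicants.csv.bak HTTP/1.1" 404 512 "-" "curl/7.18"
203.0.113.9 - - [15/Feb/2008:01:02:10 -0500] "GET /admissions/export/applicants.csv HTTP/1.1" 200 2310000 "-" "Wget/1.10"
10.0.0.5 - - [15/Feb/2008:08:30:00 -0500] "GET /admissions/export/applicants.csv HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# client, timestamp, request line, status and response size are all we need here
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def sensitive_accesses(log_text, sensitive_prefix, trusted_nets=("10.",)):
    """Per external client: first/last time, request count and bytes served for
    successful (2xx) requests under sensitive_prefix. Denied or 404 requests do
    not count, because no data left the server for them."""
    hits = defaultdict(lambda: {"first": None, "last": None, "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(sensitive_prefix):
            continue
        if not 200 <= rec["status"] < 300:
            continue
        if rec["ip"].startswith(trusted_nets):  # assumed internal ranges, reviewed separately
            continue
        h = hits[rec["ip"]]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["requests"] += 1
        h["bytes"] += rec["bytes"]
    return dict(hits)
```

Run against the sample, it names the two external clients that pulled the full export and the bytes each received; whether the 403 from the internal host is a failed attempt or a misconfiguration is the next question for the investigator.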
Maybe they could learn from Splunk customer Weill Cornell Medical College – here’s a video of Mark Bronniman, the senior Unix administrator there, and Alan Hecker, their senior security engineer, talking about using Splunk to accelerate security investigations. In fact, they implemented Splunk first to speed up an investigation that was already in progress.