Case Studies and Examples of Data Classification and Risk Management Policies

The following case studies and examples examine the implementation of several risk-management-related policies. The case studies focus on the risks and policies outlined in this chapter. Risk management policies represent a broad category of risks. These case studies and examples focus on a single policy group, such as disaster recovery, and represent successful implementations.

Private Sector Case Study 1

In May 2017, the virus WannaCry spread across the world quite rapidly. This ransomware utilized the EternalBlue exploit to compromise Microsoft Windows computers. What made this particular attack noteworthy was that it exploited a vulnerability in Windows for which a patch had been available for almost two months. Any organization that was affected by WannaCry clearly did not have a good patch management process.

This case illustrates the need for appropriate patch management. Patches are not usually applied instantly. The patches need to be tested to ensure they won’t disrupt existing applications. However, there really is no valid reason for a patch to not be applied two months after its release. Although WannaCry is a well-known example, there are many malware outbreaks and breaches that could have been prevented or mitigated with effective patch management.
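The patch-timing argument above (patches get a testing window, but a patch still missing two months after release is a policy failure) can be turned into a compliance check. The following is an added example, not from the book: it assumes a 14-day testing window and a 60-day hard limit, and the hosts, patch IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Policy windows assumed for this example. The page gives only the
# "two months" figure; the testing window is an illustrative choice.
TEST_WINDOW_DAYS = 14   # time allowed to test a patch before rollout
MAX_AGE_DAYS = 60       # a missing patch older than this violates policy


@dataclass(frozen=True)
class Patch:
    patch_id: str
    released: date


@dataclass(frozen=True)
class Host:
    name: str
    installed: frozenset[str]   # patch IDs confirmed installed on the host


def classify(patch: Patch, host: Host, today: date) -> str:
    """Return 'installed', 'in_testing', 'pending' or 'overdue' for one host/patch pair."""
    if patch.patch_id in host.installed:
        return "installed"
    age_days = (today - patch.released).days
    if age_days <= TEST_WINDOW_DAYS:
        return "in_testing"          # still inside the allowed testing window
    if age_days <= MAX_AGE_DAYS:
        return "pending"             # tested but not yet deployed; watch it
    return "overdue"                 # no valid reason for this gap; escalate


def compliance_report(patches, hosts, today):
    """Map each host name to the list of overdue patch IDs (empty list = compliant)."""
    return {
        host.name: [p.patch_id for p in patches if classify(p, host, today) == "overdue"]
        for host in hosts
    }


# Constructed sample data: "today" is set in May 2017, matching the outbreak month.
TODAY = date(2017, 5, 12)
PATCHES = [
    Patch("PATCH-A", date(2017, 3, 10)),   # 63 days old: overdue if missing
    Patch("PATCH-B", date(2017, 5, 1)),    # 11 days old: still in testing
    Patch("PATCH-C", date(2017, 4, 10)),   # 32 days old: pending
]
HOSTS = [
    Host("web01", frozenset({"PATCH-A"})),
    Host("file02", frozenset()),           # nothing installed: PATCH-A is overdue
]

if __name__ == "__main__":
    for name, overdue in compliance_report(PATCHES, HOSTS, TODAY).items():
        print(f"{name}: {'compliant' if not overdue else 'OVERDUE ' + ', '.join(overdue)}")
```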

Public Sector Case Study

The University of Texas posted a data classification standard on its website. The standard classified data as Category I, II, and III. Category I was defined as data that is protected by law or university regulations. Some of the examples cited were HIPAA, the Sarbanes-Oxley (SOX) Act, and the Gramm-Leach-Bliley Act (GLBA). Category II was defined as other data needing to be protected. Examples cited were email, date of birth, and salary. Category III was defined as data having no requirements for confidentiality, integrity, and availability. These three requirements defined the categories to which the university’s data was assigned. The university cited security policies as the authority for the standard.

This is an example of a customized data classification scheme. The university tailored the scheme based on a review of critical data. The university determined that three classification levels were sufficient to meet regulatory requirements. In this case, the university called the data classification a standard. It could as easily have been labeled a policy. In either case, it clearly defined classification levels. It defined roles and responsibilities. It also defined scenarios, such as handling data on a professor’s blog. It was a good example of how data assessment and regulatory compliance can come together to create a data classification standard.

Private Sector Case Study 2

In July 2019, it was discovered that an outside individual had gained access to Capital One credit card customer data. Reports indicated that 30 gigabytes of data were downloaded, affecting more than 100 million people. The data included more than 140,000 Social Security numbers of U.S. citizens and 1 million social insurance numbers of Canadian citizens. On July 29, 2019, the FBI arrested Paige Thompson in connection with the breach.

Thompson was a software engineer who formerly worked for Amazon Web Services, which hosted the Capital One database. She publicly exposed the data she collected and admitted to the incident via Twitter and Slack. The FBI agent who investigated the breach said in court papers that Thompson had gained access to the sensitive data through a “misconfiguration” of a firewall on a web application.

This incident highlights several failures of policy:

  • Monitoring internal access to identify when someone is accessing data outside the scope of their job duties
  • Ensuring proper configuration of all servers
  • Encrypting data at rest

None of these issues was addressed at Capital One and/or Amazon, which is what made this breach possible.
