CybersecuritySouth Carolina exploring different cybersecurity plans

Published 13 November 2012

Last month state officials in South Carolina discovered a massive breach at the Department of Revenue; the attack exposed 3.6 million social security numbers of residents in the state, 387,000 credit and debit card numbers, and information for 657,000 businesses as well as other personal information; now, officials are trying to figure out what security measures they need to take in order to prevent another attack

Last month state officials in South Carolina discovered a massive breach at the Department of Revenue. Now, officials are trying to figure out what security measures they need to take in order to prevent another attack.

The attack exposed 3.6 million social security numbers of residents in the state, 387,000 credit and debit card numbers, and information for 657,000 businesses as well as other personal information.

Officials are now working to implement a few short-term plans in order to protect the state’s computer systems, but nothing has been decided yet, according to Governor Nikki Haley. The initial proposal of eleven different measures has been circulated by state Inspector General Patrick Maley.

“What the inspector general is doing is going into every agency and seeing what their vulnerabilities are,” Haley told Greenvilleonline. “He is not, in any way, advised anything yet. What he is saying is, ‘These are the things we are looking for. This is what we want to see.’”

According to some national cybersecurity experts, long-term solutions to protect the state’s computer systems are critical and could cost taxpayers a significant amount of money.

Maley, a former FBI agent, spent a large portion of this year reviewing cyber security at Haley’s cabinet agencies, due to a data breach at the state’s Medicaid and Medicare agency in April. In September, Maley concluded that the Revenue Department had “sound information and security practices.”

The state Division of Information Technology (DIT) drafted the list of security measures, which include disabling direct access to the Internet for all internal computer servers and disabling all credential caching.

“After 30 years in the FBI, I don’t get over-excited unless someone is shooting at me but, in my opinion, this is a crisis situation for information technology in state government,” Maley wrote in an e-mail to agencies’ chief information officers on the day Haley publicly disclosed the hacking.

Tom Kellerman, the vice president of cyber security for Trend Micro reviewed Maley’s list of measures and gave his opinion.

“I think there are some gaps in their strategy,” Kellerman told Greenvilleonline. “First and foremost, they should conduct a penetration test. A penetration test is an ethical hack. They should conduct a penetration test not only to understand a viable attack better, but they should also do it from the perspective of the database that was compromised to see where else the adversary could have moved laterally within the system and deposited back doors.”

Back doors