UCLA Didnt Study for Security Test - 2

Database hack highlights the need for more vigilant caretaking of information.

As a recent graduate of the University of California, Los Angeles, I was one of the "lucky" 800,000 who received an e-mail from the university this week. Most of the correspondence I get from UCLA relates to alumni donations, but this e-mail was different: It alerted me to the fact that my identity is at risk.

UCLA announced on Dec. 12 that a hacker had gained access to a restricted campus database that contained personal information about current and former students, faculty and staff. Information such as names, Social Security numbers, home addresses and dates of birth was stored on the affected database.

"I regret having to inform you that your name is in the database," stated Norman Abrams, acting chancellor of UCLA, in the e-mail. "While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers."

/zimages/3/28571.gifWant a peek inside the mind of a hacker? Then click here.

If its not obvious by now, hackers are now less interested in gaining notoriety for their hacks and more interested in making money selling personal information on the black market.

Weve been saying for years now that IT managers can no longer consider their networks truly impenetrable, no matter how many safeguards they put in place. The databases in IT managers care must therefore be under constant watch.

Put another way, if the network is no longer a walled fortress, then security managers need to employ the tactics of a beat cop. So says Alan Norquist, vice president of marketing at security company Imperva. Database usage needs to be monitored, and IT managers need to develop profiles that will look for out-of-the-ordinary database queries, he adds.

Yes, its convenient that Impervas software does just that. But Norquist has a good point—and its one that, clearly, not enough IT managers are taking to heart.

UCLAs Abrams said in the now-infamous e-mail, "We have a responsibility to safeguard personal information, an obligation that we take very seriously."

Easy to say, but that means keeping a closer eye on whats happening on the inside.

Technical Analyst Victor Loh can be reached at victor_loh@ziffdavis.com.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.