Unauthorized access to the Stryker Corporation VPN

Date Reported:
4/10/08

Organization:
Stryker Corporation

Contractor/Consultant/Branch:
Stryker Instruments

Victims:
Current, former and contracted temporary employees

Number Affected:
Unknown*

*According to , Stryker employed 16,026 people at the end of December, 2007.

Types of Data:
Name and Social Security number

Breach Description:
"On February 18, 2008, Stryker Instruments, a division of Stryker Corporation (collectively, "Stryker"), discovered that an unauthorized user recently gained access to its virtual private network (VPN) multiple times over a period of several months."  "One of the servers accessed by the unauthorized user contained a database of Social Security numbers of certain employees in 48 different states and Puerto Rico."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

On February 18, 2008, Stryker Instruments, a division of Stryker Corporation (collectively, "Stryker"), discovered that an unauthorized user recently gained access to its virtual private network (VPN) multiple times over a period of several months.
[Evan] Sheesh.  I can only imagine what damage could have been done with (essentially) local network access.

Stryker immediately disabled the domain administrator service account through which the unauthorized user had accessed the VPN.
[Evan] This and subsequent statements support the implication that a domain (Windows) administrator level account was used by the "unauthorized user".  This could be very bad.

It then promptly began investigating the incident and engaged an independent computer forensics investigator to determine the scope of the breach and the identity of the unauthorized user.
[Evan] The identity of the unauthorized user is "administrator" (or something similar), right?  In a way yes, but this isn't what they mean.

The investigation revealed that the unauthorized user accessed several Stryker servers and applications.

One of the servers accessed by the unauthorized user contained a database of Social Security numbers of certain employees in 48 different states and Puerto Rico.

Stryker and its computer forensics investigator were unable to conclude whether the database was actually accessed or whether any Social Security numbers were acquired.

Based on the manner in which the user acquired access to Stryker's network and the user's network activity, Stryker believes the unauthorized user is a former employee with prior knowledge of the network.
[Evan] Could this have been a former IT employee that had prior knowledge of administrator account and services passwords?  If so, then Stryker may have a serious deficiency in their onboarding/offboarding procedures.  Privileged account passwords must be changed when there is a reasonable possibility that someone with knowledge of the privileged account passwords leaves the organization.

Stryker suspects a particular employee, but has been unable to confirm whether that individual is, in fact, the unauthorized user.

On March 4, 2008, Stryker contacted the office of its local U.S. Attorney and the Federal Bureau of Investigation in Kalamazoo, Michigan to inquire whether the FBI would investigate the matter further.

Since then, Stryker has been engaged in informal discussions with the FBI about a potential criminal investigation.  Initially, the FBI asked Stryker not to give notice of the security incident, so as not to interfere with its investigation.

But on March 20, 2008, the FBI informed Stryker that based on current information, it would not pursue a criminal investigation.

Stryker will provide a notice of the security incident to each potentially affected employee.

Stryker intends to mail the notice to affected employees on April 10, 2008.

In order to prevent future security breaches of this nature, Stryker took certain action immediately after discovering this breach.

Stryker has discontinued access to the VPN through the domain administrator service accounts.
[Evan] All users must login remotely using their own individual user accounts.  A wise decision.

It also performed an audit of its privileged access accounts and eliminated any unnecessary service accounts.
[Evan] User and service account audits should be conducted on a quarterly basis or at least semi-annually.  Usually, we recommend more frequent audits in organizations where there is more employee turnover.

Further, it changed the passwords of all service accounts.
[Evan] Changing service passwords is oftentimes a @$%^#!  A necessary evil.

Stryker has also implemented a policy to prohibit user password changes via telephone.
[Evan] I wonder why.  Password changes via telephone are not really that risky for many organizations, as long as there are proper procedures in place including caller verification.

Stryker also plans to implement a number of additional preventative measures in the coming months.  These measures include:
  • Developing procedures to ensure that access to Stryker's network will be disabled immediately upon an employee's termination;
  • Developing a procedure to review service accounts and change passwords;
  • Eliminating potential gaps in Stryker's current internal audit system;
  • Requiring two-factor authentication for all remote network access;
  • Disabling one of Stryker's existing VPNs and moving all users to a single, more secure VPN; and
  • Implementing a system of consolidating and monitoring user log files for potential security breaches.
[Evan] All of these are important, and then some.
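As an added illustration of the last two measures (disabling access at termination; consolidating and monitoring logs) and of Evan's offboarding point above, here is a small Python review of VPN authentication logs. It is example code written for this post, not Stryker's or the notification's; the log format, account names, naming convention and HR data are all constructed.

```python
import re
from datetime import datetime

# Constructed sample VPN auth log (syslog-like; not a real product format).
SAMPLE_LOG = """\
2008-01-12T22:14:03 vpn1 auth user=svc_backup src=198.51.100.7 result=success
2008-01-13T09:02:11 vpn1 auth user=jdoe src=203.0.113.5 result=success
2008-01-20T23:41:55 vpn1 auth user=svc_backup src=198.51.100.7 result=success
2008-02-02T08:15:30 vpn2 auth user=msmith src=203.0.113.9 result=failure
2008-02-10T01:05:12 vpn2 auth user=msmith src=203.0.113.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$")

# Constructed HR feed: account -> termination date.  Any successful login
# after that date means offboarding failed to disable the account.
TERMINATED = {"msmith": "2008-01-31"}
# Service/admin accounts identified by naming convention (an assumption);
# in a real AD environment you would check group membership instead.
SERVICE_PREFIXES = ("svc_", "adm_")

def parse(log_text):
    # Lines that do not match the expected format are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def review(log_text, terminated=TERMINATED):
    """Return (rule, user, timestamp) findings for successful logins that
    used a service account or an account past its termination date."""
    findings = []
    for e in parse(log_text):
        if e["result"] != "success":
            continue
        if e["user"].startswith(SERVICE_PREFIXES):
            findings.append(("service-account-vpn", e["user"], e["ts"]))
        term = terminated.get(e["user"])
        if term and e["ts"].date() > datetime.fromisoformat(term).date():
            findings.append(("login-after-termination", e["user"], e["ts"]))
    return findings

if __name__ == "__main__":
    for rule, user, ts in review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:25} {user}")
```

On the sample data it reports the two service-account VPN logins and the one login by a terminated account; the failed attempt is ignored.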

If you have any questions or believe you may have an identity theft issue, please call ID TheftSmart member services at 1- between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.

In closing, we apologize for this incident and any inconvenience it may cause.  You have our pledge that we will do everything possible to ensure the security and protection of all personal information.
[Evan] I understand what the intent of this communication is, but this is a pledge that cannot be delivered upon.  The only way to "do everything possible to ensure the security and protection of all personal information" is to not create it, collect it, store it or transfer it, and this is probably not feasible for Stryker.

Commentary:
This is an excellent breach notification in terms of explaining what happened, how the company responded, and what they are doing to prevent future occurrences.  This breach notification was made to the New Hampshire Attorney General because it concerned a potential disclosure of personal information.  There was probably little control in place to prevent (or detect) this unauthorized user from accessing all parts of Stryker's information infrastructure, including intellectual property, sales and marketing plans and other company confidential information.

Past Breaches:
Unknown
