C. J. Kelly

A Day in the Life of an Information Security Officer

Your personal info on the web

It's really been bugging me lately that our personal information is so easily accessible.  We recently had another "almost security incident", and I say almost because we discovered the mistake immediately, rather than someone else discovering it and plastering it across the front page of our local newspaper. 

I work for a state agency and things aren't so high-tech in some areas.  Many state agencies provide information via their websites and with a simple login and password, constituents can obtain a variety of information about themselves or their possessions, depending upon the topic at hand.  I cringe at the lack of security.

In our case, we currently store confidential data that is password protected on an external web server.  Work is under way to move the data off that server, behind a firewall, onto a database server, even as I type.

The proper architecture is: a secured web server in the DMZ that talks only to an application server behind the firewall on a specific port, which in turn talks to the database server behind another firewall on a specific port.  There's more to it than that, of course, but the norm is to stick everything out on the public server and hope that no one pokes around.  That's just plain dumb, but it's the norm for probably a lot of state agencies.  Why?  Lack of funding, and ignorance.  Fortunately, we have fixed the funding problem and have numerous security projects underway, but I don't think most state agencies even know where to begin.

For instance, there are simple rules that even a low budget state agency can follow when it comes to security architecture. 
Rule #1: Do not use Microsoft IIS as an external website server
Rule #2: Do not store databases that contain sensitive information on that same external website server
Rule #3: Do not even think about providing an external website server to anyone unless you have the security and network expertise to sufficiently protect it
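
As an added illustration (not code from the original post), the tiered layout described above and Rule #2 can be checked mechanically against a firewall rule list and a host inventory. The zone names, port numbers, host names and sample data are assumptions constructed for this example.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # None = any port

# Permitted tier-to-tier hops; anything else skips or reverses a tier.
ALLOWED_HOPS = {("internet", "dmz"), ("dmz", "app"), ("app", "db")}

def audit_rules(rules):
    """Return (rule, reason) for every rule that breaks the tiered layout."""
    findings, ports = [], {}
    for r in rules:
        hop = (r.src, r.dst)
        if hop not in ALLOWED_HOPS:
            findings.append((r, "flow bypasses a tier"))
        elif r.port is None:
            findings.append((r, "any-port rule, pin a specific port"))
        elif hop != ("internet", "dmz"):
            # Internal hops get exactly one service port.
            first = ports.setdefault(hop, r.port)
            if first != r.port:
                findings.append((r, "second port opened between tiers"))
    return findings

def audit_hosts(hosts):
    """hosts maps name -> (zone, roles); flags data held outside the db zone."""
    return sorted(name for name, (zone, roles) in hosts.items()
                  if "db" in roles and zone != "db")

# Constructed sample data: correct rules mixed with the usual shortcuts.
SAMPLE_RULES = [
    Rule("internet", "dmz", 443),
    Rule("dmz", "app", 8443),
    Rule("app", "db", 5432),
    Rule("dmz", "db", 5432),       # web server reaching the database directly
    Rule("internet", "db", 5432),  # database exposed to the internet
    Rule("dmz", "app", None),      # any port from the DMZ to the app tier
    Rule("app", "db", 1433),       # second port opened between app and db
]
SAMPLE_HOSTS = {
    "www1": ("dmz", {"web", "db"}),  # violates Rule #2
    "app1": ("app", {"app"}),
    "db1": ("db", {"db"}),
}

if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst} port={rule.port}: {reason}")
    print("hosts holding data outside the db zone:", audit_hosts(SAMPLE_HOSTS))
```
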

These seem so simple and yet these rules are violated every single day.  As a result, we have issues like the one described here:  Chicago Elections Board sued over data breach.  I'm not saying that this organization uses IIS and I'm not saying I know anything about their network or security architecture.  What I'm saying is that you have to get a driver's license to drive a car and meet certain requirements before doing so.  Seems to me that you should have to get a security license to run a website. 

I find that many organizations just throw one up and call it good.  And then to make matters worse, they store confidential information on the website and use a simple login and password mechanism to protect the data.  Let me tell you something.  Recently, I've seen strange things happen with the state's public IIS servers.  One day a directory is password protected and the next day it's not.  Doesn't that scare the bajeebers out of you?

When I read stories like the one above, I am not surprised.  Not surprised at all.  I just shake my head at what goes on.  And yet, I understand it.  Lack of funding and ignorance are to blame.

What People Are Saying

CJ,

I fail to see the connection between a proper DMZ setup and the incident with the Chicago Elections Board. The issue with the CEB was that they sent out CDs containing sensitive information and then created a site to answer questions about what happened. The site itself was not compromised; the issue was in poor data management. Is there something I missed?

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
Voicemail: 916.231.9479