
West Vancouver shores up online defences

Security in place 1yr after MyDistrict breach
West Vancouver data breach.

It was a little more than a year ago that a software breach brought a hacker within a few clicks of the personal information of thousands of West Vancouverites.

The keyboard bandit targeted MyDistrict - a municipal service website residents use to pay bills and apply for licences - but failed to snag any personal information.

Since the hack, West Vancouver spent approximately $115,000 to update MyDistrict and prevent a repeat of the breach.

"It was a major event for us," said West Vancouver communications director Jeff McDonald, discussing MyDistrict's 6,100 users. "We are being required to dedicate more and more resources to security than before."

Those resources include $80,000 to hire a full-time network security analyst. The district spent $17,000 for high-security patching last year and also forks over a monthly tab of $660 for security monitoring to identify vulnerabilities, "before they become incidents," McDonald said.

While the district's response to the breach was reasonable, their security measures prior to the incident were negligent, according to information security expert and MyDistrict user George Pajari.

"The fact that they got hit indicates a woeful lack of knowledge of their responsibilities to protect this information," Pajari said. "In my professional opinion, it could have been foreseen, it could have been prevented and it was incompetence."

The district was running an unsupported version of the software without current patches and didn't know to set notifications for when new patches were available, according to Pajari.

The hacker never would have been able to zero in on MyDistrict's Achilles heel if West Vancouver had received an update for its ColdFusion software, according to Pajari.

Adobe, the company that developed ColdFusion, identified a vulnerability with the software and offered a security patch on July 9, 2013 - 13 days before the district shut down its server amid security concerns.

The district now uses a real-time monitor with Adobe so ColdFusion updates "happen immediately," according to McDonald.

An audit of the server following the breach uncovered no evidence personal information had been touched, but Pajari remains unconvinced. Because the server overwrites space and deletes files, certitude is impossible, according to Pajari.

"They can't be sure because by the time they finally got around to bringing in the forensic experts, some of the evidence had been deleted," he said. "If they had been able to shut it down sooner after the breach, they might have captured more information."

The motivation of the hacker - who was likely located in Europe based on Internet protocol address - remains unknown.

A scan revealed several unsuccessful attempts to upload files to the district's server, which is consistent with a spammer or a hacker phishing for banking information, according to McDonald.

The district is regularly refining its online defences, explained McDonald. "Security is ongoing. I don't know if it ever ends," he said. "A website that provides services to residents is tremendously useful in many ways, but it's also a point of entry for people bent on doing potentially bad things."

All production systems run a risk of being breached by a hacker who has enough money, time and expertise, according to Pajari.

However, the MyDistrict breach was not the result of a concentrated attack.

"This was an opportunistic, drive-by attack that was successful because the systems were not properly maintained," he said.

Anyone entrusted with online security should expect any single defence to be breached, according to Pajari, who likened multiple security barriers to the defences surrounding a castle. "You have the high walls, you have the moat, and you have the locked door," he said.

Likewise, MyDistrict should be outfitted with firewalls between computer systems, patching, and log monitoring to catch the footprints of any hacking attempt, according to Pajari.