You are on page 1of 1

Lewis-Palmer School District

2016 Security Incident


Applied Trust Incident Review
Upon review of the authentication logs from the application, the only IP address that logged into multiple accounts was from a
user that was given credentials by another user.
A vulnerability was found due to an unintentional information disclosure from another application that was being tested
(Google Apps). The student ID numbers were present in the all contacts view of the Google application. This combined
with the knowledge that student passwords for the other application were typically tied to the birthdate for the first login,
could have provided access for an unauthorized user to log into an account.
Mitigation
The school was notified of the security vulnerability and the information disclosure. Following best practice, the application
was immediately taken offline from the public internet. The school is currently implementing updates to the application and
authentication to insure that student passwords are updated and a policy to force password changes is being implemented for
all applications.
While this incident did highlight a flaw in the management of the user account authentication. It was not used maliciously and
the student accounts were not modified or deleted by any unauthorized user. No evidence of other student accounts show
any compromise. The information disclosure was not made public and information needed to compromise the account would
have to have come from multiple sources.

_______________________________________________________________________________________________________________________
Page 1 of 1
2016-08-19

You might also like