I read in the latest SANS NewsBites that UC San Diego suffered another intrusion in November 2004, jeopardizing the personal information of about 3,500 people who had taken courses at UCSD Extension. This incident follows a well-publicized intrusion in April 2004 putting at risk personal data on 380,000 people. In both cases UC appears to have caught unstructured threats, as each intruder used the systems as warez depositories for pirated movies and music.
I was shocked by this claim concerning the latest intrusion:
"Officials said it took two months to notify those who were affected because officials first needed to determine the extent of the breach."
This is exactly why I promote network security monitoring as a means to rapidly scope the extent of intrusions. First, generating indicators and warnings in the form of alert data (usually from IDSs) and statistical data gives security professionals a good chance of identifying an intrusion as it happens or shortly thereafter. I would bet the University saw an increase in traffic when its systems began hosting warez. Second, collecting session and full content data would give the University a chance to inspect activity not tied to any IDS alert. Third, all of this information could describe the intruder's activities and validate whether he or she stole sensitive personal information.
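To make the three steps concrete, here is an added example (mine, not code from the post or from any tool the University used) that runs over a handful of constructed session records of the kind a flow collector produces. The addresses, dates and byte counts are invented, and the campus address range `10.10.` is an assumption. The statistical step flags the day the compromised host's outbound volume jumps (the warez traffic); the session step then pivots on the intruder's address to list which internal hosts were touched directly and which were reached one hop later, which is exactly the "extent of the breach" question that took two months to answer.

```python
"""Scoping an intrusion from statistical and session data (added example)."""
from collections import defaultdict
from statistics import median

INTERNAL_PREFIX = "10.10."  # assumed campus address space (constructed)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


# Constructed session records: one per flow, bytes sent from src to dst.
# Hosts, dates and sizes are invented for this example.
SESSIONS = [
    {"day": "2004-11-01", "src": "10.10.5.20", "dst": "198.51.100.7", "dport": 80, "bytes": 40_000},
    {"day": "2004-11-02", "src": "10.10.5.20", "dst": "198.51.100.8", "dport": 80, "bytes": 55_000},
    {"day": "2004-11-02", "src": "10.10.5.20", "dst": "10.10.5.40", "dport": 1433, "bytes": 3_000},   # routine DB use
    {"day": "2004-11-03", "src": "10.10.5.20", "dst": "198.51.100.9", "dport": 80, "bytes": 48_000},
    {"day": "2004-11-03", "src": "10.10.5.30", "dst": "10.10.5.40", "dport": 1433, "bytes": 5_000},   # unrelated host
    {"day": "2004-11-04", "src": "10.10.5.20", "dst": "198.51.100.7", "dport": 80, "bytes": 52_000},
    {"day": "2004-11-05", "src": "10.10.5.20", "dst": "198.51.100.8", "dport": 80, "bytes": 45_000},
    # 11-06: intruder logs in, uploads warez, then the victim pivots to the database host
    {"day": "2004-11-06", "src": "203.0.113.9", "dst": "10.10.5.20", "dport": 22, "bytes": 8_000},
    {"day": "2004-11-06", "src": "203.0.113.9", "dst": "10.10.5.20", "dport": 21, "bytes": 900_000_000},
    {"day": "2004-11-06", "src": "10.10.5.20", "dst": "10.10.5.40", "dport": 1433, "bytes": 20_000},
    # 11-07: the compromised host serves the warez to outsiders
    {"day": "2004-11-07", "src": "10.10.5.20", "dst": "192.0.2.50", "dport": 21, "bytes": 700_000_000},
    {"day": "2004-11-07", "src": "10.10.5.20", "dst": "192.0.2.51", "dport": 21, "bytes": 650_000_000},
]


def daily_outbound(sessions, host):
    """Statistical data: bytes per day sent by `host` to external addresses."""
    totals = defaultdict(int)
    for s in sessions:
        if s["src"] == host and not is_internal(s["dst"]):
            totals[s["day"]] += s["bytes"]
    return dict(sorted(totals.items()))  # ISO dates sort chronologically


def spike_days(daily, factor=10, min_history=2):
    """Days whose outbound volume exceeds `factor` times the median of all prior days."""
    days = list(daily)
    flagged = []
    for i, day in enumerate(days):
        if i < min_history:
            continue  # not enough baseline to judge
        baseline = median(daily[d] for d in days[:i])
        if daily[day] > factor * baseline:
            flagged.append(day)
    return flagged


def scope_intrusion(sessions, intruder):
    """Session data: internal hosts the intruder reached directly, and those
    reached one hop later from a directly compromised host."""
    intruder_days = [s["day"] for s in sessions if s["src"] == intruder]
    if not intruder_days:
        return {"direct": set(), "lateral": set(), "first_seen": None, "last_seen": None}
    first_seen = min(intruder_days)
    direct = {s["dst"] for s in sessions if s["src"] == intruder and is_internal(s["dst"])}
    lateral = set()
    last_seen = max(intruder_days)
    for s in sessions:
        if s["day"] < first_seen:
            continue  # pre-compromise traffic is not part of the incident
        if s["src"] in direct or s["dst"] in direct:
            last_seen = max(last_seen, s["day"])
        if s["src"] in direct and is_internal(s["dst"]) and s["dst"] not in direct:
            lateral.add(s["dst"])
    return {"direct": direct, "lateral": lateral,
            "first_seen": first_seen, "last_seen": last_seen}


if __name__ == "__main__":
    daily = daily_outbound(SESSIONS, "10.10.5.20")
    print("outbound bytes per day:", daily)
    print("spike days:", spike_days(daily))
    print("scope of 203.0.113.9:", scope_intrusion(SESSIONS, "203.0.113.9"))
```

Note what the session data adds over the alert: the routine 11-02 connection from the victim to the database host is excluded because it predates first contact, while the identical-looking 11-06 connection is kept, which is the difference between "the intruder reached the host holding the personal data" and "he did not". Full content data for that one session would then settle whether anything was actually read.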