01:23 PM

LinkedIn Defends Security Practices, Leadership

Social network details info security lines of authority after being criticized for lacking a chief security officer.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Did LinkedIn drop the ball on information security?

In the wake of a breach of LinkedIn users' passwords that first came to light last week--after a subset of those passwords were uploaded to an online password-cracking forum--security pundits have been asking how much LinkedIn's business practices might have been at fault.

Multiple commentators have noted the absence of a chief security officer (CSO) or chief information security officer (CISO) on the LinkedIn organizational chart, with some inferring that the breach could thus be traced to a "lax security" attitude at the social network, because "no one was responsible for IT security," according to TechWireAsia.

[ Beef up your passwords. Read 7 Tips To Toughen Passwords. ]

But LinkedIn has defended its security posture and response to the breach, noting that after the password theft came to light early last week, by Thursday it had disabled the passwords on all accounts that were known to have been compromised by attackers. "At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft," according to a Tuesday LinkedIn blog post, which further noted that the company was "continuing to work with law enforcement as they investigate this crime."

LinkedIn said it's also already put stronger password protection in place. "The LinkedIn technology team has completed a long-planned transition from a password database system that hashed passwords--i.e. provided one layer of encoding--to a system that both hashes and salts the passwords--i.e. provides an extra layer of protection," according to the company's blog post. It also suggested that the company was pursuing further security enhancements, though declined to detail them.

In terms of security oversight, a story released Friday reported that two people at the company were responsible for security. But LinkedIn said that there had been a misunderstanding with the reporter, and later in the day reached out to correct the record, noting that David Henke, the company's senior VP of operations, is solely in charge of security. Henke's LinkedIn profile lists his responsibilities as being the company's "production operations, IT, data systems, security."

Since then, the company has been defending its security credentials, noting that "its "technology team includes world-class security experts," according to the company's Tuesday blog post. "This team includes Ganesh Krishnan, the company's security czar, who previously served as vice president and chief information security officer at Yahoo! Inc. He and the entire security function at LinkedIn reports to senior vice president of operations David Henke," whose LinkedIn profile names his responsibilities as overseeing the company's "production operations, IT, data systems, security." According to Krishnan's LinkedIn profile, meanwhile, he heads LinkedIn's technology center in India. In other words, LinkedIn's head of security, based in India, reports to its head of operations, who's based in California.

LinkedIn said that the absence of a CSO or CISO label on the org chart reflects only the company's job-naming conventions, rather than its security posture. "LinkedIn historically has limited C-level titles only to its chief executive officer and chief financial officer, so while Krishnan does not formally have the title of chief information security officer, that is the role he has played at the company since his hiring in 2010," according to the LinkedIn statement.

But should one employee be in charge of not just security operations, but also IT? Conversely, in the case of LinkedIn, does Krishnan--the company's security czar--report to a suitably senior member of the company?

In general, said Patricia Titus, VP and CISO of Symantec--after referencing "glass houses" and noting that the LinkedIn password breach could have happened to anyone--many businesses see security as "an expensive add-on" and end up not paying sufficient attention to it. "So they'll dual-hat their IT director and say he's also doing IT security. And in some organizations--I call it the pile-on--they also pile the chief privacy officer (CPO) responsibilities onto the CIO or CISO role."

"So you end up with three titles, and it makes them very thin when it comes to achieving success with any one of those responsibilities," said Titus, speaking by phone.

Social media companies often face these types of security challenges, simply because they grow so quickly. "If it takes five years to evolve your way up to a billion-dollar valuation, then it gives you time to ramp up your growth--yes, we'll hire a security person and put them in," said Tom Patterson, practice director for the commercial security division of consultancy CSC, via phone. "But if it happens overnight, it's going to take time to catch up."

Symantec's Titus, however, noted that many organizations do have a senior-level CSO or CISO, even if that's not their official job title. Other organizations, meanwhile, will typically have at least someone in the CIO's group who's in charge of security, "albeit it's often buried down three layers," she said. For reference, Titus said she reports directly to Symantec president and CEO Enrique Salem.

What's the problem with having a head of security who's buried inside the IT group? "Levels of responsibility, authority and funding are critical to the success of that [security] group," said Titus, who's previously served as the CISO of Unisys, as well as the Department of Homeland Security's Transportation Security Administration. In other words, the position--or lack thereof--of the security chief on the organizational chart can signal the seriousness that an organization is devoting to its security program.

Accordingly, in the wake of the LinkedIn breach, every CEO and board member should be asking not just who's in charge of their information security program, but whether they have sufficient power. For example, a survey commissioned by security vendor CORE Security and conducted by Research Now in April found that in many businesses, CEOs often don't communicate frequently with whoever's in charge of their security program. According to the 100 CEOs and 100 CSOs or other heads of security surveyed, in about one-third of companies, CEOs never receive updates on their company's security posture from the CISO, while in 27% of businesses, CEOs only get updates on a "somewhat regular" basis.

In other words, executives at many companies--not just LinkedIn, eHarmony, or, all of which experienced password breaches that came to light last week--could stand to sharpen their security practices.

"In the past few days, I've had a lot of meetings with CEOs and mentioned the LinkedIn breach, and I say, if you were silly enough to reuse your password, attackers are combing through the records to see if the password also works for your bank," said CSC's Patterson. "Immediately, the meeting stops and these very high-profile executives leave the room and come back 20 minutes later and say, sorry, I had to change my bank password."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.