01:23 PM

LinkedIn Defends Security Practices, Leadership

Social network details info security lines of authority after being criticized for lacking a chief security officer.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Did LinkedIn drop the ball on information security?

In the wake of a breach of LinkedIn users' passwords that first came to light last week--after a subset of those passwords were uploaded to an online password-cracking forum--security pundits have been asking how much LinkedIn's business practices might have been at fault.

Multiple commentators have noted the absence of a chief security officer (CSO) or chief information security officer (CISO) on the LinkedIn organizational chart, with some inferring that the breach could thus be traced to a "lax security" attitude at the social network, because "no one was responsible for IT security," according to TechWireAsia.

[ Beef up your passwords. Read 7 Tips To Toughen Passwords. ]

But LinkedIn has defended its security posture and response to the breach, noting that after the password theft came to light early last week, by Thursday it had disabled the passwords on all accounts that were known to have been compromised by attackers. "At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft," according to a Tuesday LinkedIn blog post, which further noted that the company was "continuing to work with law enforcement as they investigate this crime."

LinkedIn said it's also already put stronger password protection in place. "The LinkedIn technology team has completed a long-planned transition from a password database system that hashed passwords--i.e. provided one layer of encoding--to a system that both hashes and salts the passwords--i.e. provides an extra layer of protection," according to the company's blog post. It also suggested that the company was pursuing further security enhancements, though declined to detail them.

In terms of security oversight, a story released Friday reported that two people at the company were responsible for security. But LinkedIn said that there had been a misunderstanding with the reporter, and later in the day reached out to correct the record, noting that David Henke, the company's senior VP of operations, is solely in charge of security. Henke's LinkedIn profile lists his responsibilities as being the company's "production operations, IT, data systems, security."

Since then, the company has been defending its security credentials, noting that "its "technology team includes world-class security experts," according to the company's Tuesday blog post. "This team includes Ganesh Krishnan, the company's security czar, who previously served as vice president and chief information security officer at Yahoo! Inc. He and the entire security function at LinkedIn reports to senior vice president of operations David Henke," whose LinkedIn profile names his responsibilities as overseeing the company's "production operations, IT, data systems, security." According to Krishnan's LinkedIn profile, meanwhile, he heads LinkedIn's technology center in India. In other words, LinkedIn's head of security, based in India, reports to its head of operations, who's based in California.

LinkedIn said that the absence of a CSO or CISO label on the org chart reflects only the company's job-naming conventions, rather than its security posture. "LinkedIn historically has limited C-level titles only to its chief executive officer and chief financial officer, so while Krishnan does not formally have the title of chief information security officer, that is the role he has played at the company since his hiring in 2010," according to the LinkedIn statement.

But should one employee be in charge of not just security operations, but also IT? Conversely, in the case of LinkedIn, does Krishnan--the company's security czar--report to a suitably senior member of the company?

In general, said Patricia Titus, VP and CISO of Symantec--after referencing "glass houses" and noting that the LinkedIn password breach could have happened to anyone--many businesses see security as "an expensive add-on" and end up not paying sufficient attention to it. "So they'll dual-hat their IT director and say he's also doing IT security. And in some organizations--I call it the pile-on--they also pile the chief privacy officer (CPO) responsibilities onto the CIO or CISO role."

"So you end up with three titles, and it makes them very thin when it comes to achieving success with any one of those responsibilities," said Titus, speaking by phone.

Social media companies often face these types of security challenges, simply because they grow so quickly. "If it takes five years to evolve your way up to a billion-dollar valuation, then it gives you time to ramp up your growth--yes, we'll hire a security person and put them in," said Tom Patterson, practice director for the commercial security division of consultancy CSC, via phone. "But if it happens overnight, it's going to take time to catch up."

Symantec's Titus, however, noted that many organizations do have a senior-level CSO or CISO, even if that's not their official job title. Other organizations, meanwhile, will typically have at least someone in the CIO's group who's in charge of security, "albeit it's often buried down three layers," she said. For reference, Titus said she reports directly to Symantec president and CEO Enrique Salem.

What's the problem with having a head of security who's buried inside the IT group? "Levels of responsibility, authority and funding are critical to the success of that [security] group," said Titus, who's previously served as the CISO of Unisys, as well as the Department of Homeland Security's Transportation Security Administration. In other words, the position--or lack thereof--of the security chief on the organizational chart can signal the seriousness that an organization is devoting to its security program.

Accordingly, in the wake of the LinkedIn breach, every CEO and board member should be asking not just who's in charge of their information security program, but whether they have sufficient power. For example, a survey commissioned by security vendor CORE Security and conducted by Research Now in April found that in many businesses, CEOs often don't communicate frequently with whoever's in charge of their security program. According to the 100 CEOs and 100 CSOs or other heads of security surveyed, in about one-third of companies, CEOs never receive updates on their company's security posture from the CISO, while in 27% of businesses, CEOs only get updates on a "somewhat regular" basis.

In other words, executives at many companies--not just LinkedIn, eHarmony, or, all of which experienced password breaches that came to light last week--could stand to sharpen their security practices.

"In the past few days, I've had a lot of meetings with CEOs and mentioned the LinkedIn breach, and I say, if you were silly enough to reuse your password, attackers are combing through the records to see if the password also works for your bank," said CSC's Patterson. "Immediately, the meeting stops and these very high-profile executives leave the room and come back 20 minutes later and say, sorry, I had to change my bank password."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Tell the sysadmin that we have a situation.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.