Commentary Sophos Labs Insights
We Make Widgets -- Let Someone Else Handle Security
If you're a customer-facing organization, then security can't take second place behind your services
At one time or another, I think we’ve all run up against the idiom about a chain being only as strong as its weakest link. Mostly it’s a trite euphemism used to apply singular blame in the wake of an event that radiates out to many individuals and disrupts the status quo. In business terms, however, left unaddressed the effect of that weakened link, like subtle but powerful aftershocks, can be devastating to the entire organization.
Case in point: I’ve spent my career hoping against all hope that I could make a change in how seriously some of the corporate giants I’ve worked for take the security and integrity of their IT systems. I am nearly convinced (if not thoroughly persuaded), however, that not every business takes either of these seriously enough.
One of the organizations I worked at had IT security issues on a daily basis: viruses, lost devices, stolen data, and intellectual property walking off with recently dismissed employees.
I regularly attempted to draw management's attention to the problem, and the fact that we had all of the software, man power, and will we needed to fix it. All we had to do was adjust our attitude toward the problem.
The reply: "We aren't in the business of IT or security. We make widgets. We maximize investor returns by buying, selling, and trading subsidiaries to create wealth."
Well, I have news for companies that adopt this attitude. It simply isn't true anymore.
This same company spent millions of dollars monthly maintaining its fleet of delivery trucks, the robots in its factories, and even the coffee machines in the breakroom.
We once had an outage due to a power failure at a critical IT facility that cost the organization more than $1 million an hour because robots needed the computers at that facility to tell it what to make. When that's the case, can you afford not to be an IT company?
In this day and age, for an organization to ignore IT security is patently irresponsible. If you really feel that way, perhaps you should take down your website, turn off the Internet connection, and live in a world that matches your fantasy.
What prompted this rant? According to datalossdb.org's 2011 yearly report, more than 126 million personally identifiable records were compromised in 369 incidents.
Because most incidents go unreported, those numbers are only the tip of the iceberg. In fact, most jurisdictions don't require organizations to report incidents, so this represents only those that are regulated and those that were "outed."
There are many other, lesser well-publicized but equally potentially compromised-riddled examples -- from customer data and PII being stored or transmitted without encryption, to hard drives on old PCs and phones not being remotely wiped before being tossed in the local landfill, to Web forms with known vulnerabilities -- and companies that don't find out they’ve been the target of a hacker for the past six month.
It is time to recognize that the Internet is a utility and your computers are a property that you have an “obligation” to properly maintain for the safe operation of most businesses.
A perfect example of not learning or apparently caring about security very much is Care2.com. While it has finally revised its password reset process, it clearly has not embraced protecting your information.
Care2.com was compromised in December 2010 and had more than 17 million user IDs and passwords stolen, all of which appear to have been stored in plain text. It even offered to email you your password.
Any organization that can return existing passwords to a customer is not even trying to securely store them. I checked out its site today to determine whether it had learned any lessons from the breach. While it will no longer send your password when you attempt to reset (Good!), it let me choose a password of "password" when I created my account.
Strangely, when I then tested out the password reset process, it insisted on an eight-character password that had to contain a numeral (which arguably lowers the entropy). Note that my prior password of "password" clearly hadn't been held to this standard. Requiring password complexity in only some circumstances and not others is pointless.
It is unclear whether the passwords are now securely stored, but it almost doesn't matter. Its Web server supports HTTPS, but as soon as you click a link like "Login" or "Join," it reverts to an unencrypted connection.
Yes, everything you enter into the form fields, including your user ID, birth date, password, and personal group preferences, like NAACP, GLBT Rights, Pagans, and Planned Parenthood, are transmitted in plain text and easily intercepted on public Wi-Fi.
On the other hand, you have Stratfor. I contacted TRUSTe for comment, but it had not yet returned my call after more than a week.
While it didn't learn from others' mistakes, it took the site down until it could safely bring it back online. George Friedman, its CEO, took full responsibility, even stating, "That's not a justification. It's simply an explanation."
If you work for one of the companies with this malady, then please speak up. Make it an issue -- and don't let it be swept under a carpet. Make sure your management is aware of what has happened to others in your industry, and make recommendations that can mitigate the risk.
While Stratfor may have lost information on 850,000-plus accounts, Care2 lost almost 18 million and has still not embraced fixing the type of problems that led to its compromise to begin with.
All of us have a role to play in a more secure Internet, and it's high time we admit we have a problem and get on with fixing the issues as quickly as possible.
It’s about not being silent when you know there’s a problem, but to stand firm -- to continually push for change and in, all cases, always keeping the customer at the head of the line.
The bottom line is whether you produce widgets or the next product destined for the next great Hype Cycle, if your company has customer information, takes credit cards, or has computers that use passwords, then IT security is, in fact, your business.
Chester Wisniewski is a senior security adviser at Sophos Canada