Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
1/20/2012
10:54 AM
Dark Reading
Dark Reading
Security Insights
50%
50%

We Make Widgets -- Let Someone Else Handle Security

If you're a customer-facing organization, then security can't take second place behind your services

At one time or another, I think we’ve all run up against the idiom about a chain being only as strong as its weakest link. Mostly it’s a trite euphemism used to apply singular blame in the wake of an event that radiates out to many individuals and disrupts the status quo. In business terms, however, left unaddressed the effect of that weakened link, like subtle but powerful aftershocks, can be devastating to the entire organization.

Case in point: I’ve spent my career hoping against all hope that I could make a change in how seriously some of the corporate giants I’ve worked for take the security and integrity of their IT systems. I am nearly convinced (if not thoroughly persuaded), however, that not every business takes either of these seriously enough.

One of the organizations I worked at had IT security issues on a daily basis: viruses, lost devices, stolen data, and intellectual property walking off with recently dismissed employees.

I regularly attempted to draw management's attention to the problem, and the fact that we had all of the software, man power, and will we needed to fix it. All we had to do was adjust our attitude toward the problem.

The reply: "We aren't in the business of IT or security. We make widgets. We maximize investor returns by buying, selling, and trading subsidiaries to create wealth."

Well, I have news for companies that adopt this attitude. It simply isn't true anymore.

This same company spent millions of dollars monthly maintaining its fleet of delivery trucks, the robots in its factories, and even the coffee machines in the breakroom.

We once had an outage due to a power failure at a critical IT facility that cost the organization more than $1 million an hour because robots needed the computers at that facility to tell it what to make. When that's the case, can you afford not to be an IT company?

In this day and age, for an organization to ignore IT security is patently irresponsible. If you really feel that way, perhaps you should take down your website, turn off the Internet connection, and live in a world that matches your fantasy.

What prompted this rant? According to datalossdb.org's 2011 yearly report, more than 126 million personally identifiable records were compromised in 369 incidents.

Because most incidents go unreported, those numbers are only the tip of the iceberg. In fact, most jurisdictions don't require organizations to report incidents, so this represents only those that are regulated and those that were "outed."

There are many other, lesser well-publicized but equally potentially compromised-riddled examples -- from customer data and PII being stored or transmitted without encryption, to hard drives on old PCs and phones not being remotely wiped before being tossed in the local landfill, to Web forms with known vulnerabilities -- and companies that don't find out they’ve been the target of a hacker for the past six month.

It is time to recognize that the Internet is a utility and your computers are a property that you have an “obligation” to properly maintain for the safe operation of most businesses.

A perfect example of not learning or apparently caring about security very much is Care2.com. While it has finally revised its password reset process, it clearly has not embraced protecting your information.

Care2.com was compromised in December 2010 and had more than 17 million user IDs and passwords stolen, all of which appear to have been stored in plain text. It even offered to email you your password.

Any organization that can return existing passwords to a customer is not even trying to securely store them. I checked out its site today to determine whether it had learned any lessons from the breach. While it will no longer send your password when you attempt to reset (Good!), it let me choose a password of "password" when I created my account.

Strangely, when I then tested out the password reset process, it insisted on an eight-character password that had to contain a numeral (which arguably lowers the entropy). Note that my prior password of "password" clearly hadn't been held to this standard. Requiring password complexity in only some circumstances and not others is pointless.

It is unclear whether the passwords are now securely stored, but it almost doesn't matter. Its Web server supports HTTPS, but as soon as you click a link like "Login" or "Join," it reverts to an unencrypted connection.

Yes, everything you enter into the form fields, including your user ID, birth date, password, and personal group preferences, like NAACP, GLBT Rights, Pagans, and Planned Parenthood, are transmitted in plain text and easily intercepted on public Wi-Fi.

On the other hand, you have Stratfor. I contacted TRUSTe for comment, but it had not yet returned my call after more than a week.

While it didn't learn from others' mistakes, it took the site down until it could safely bring it back online. George Friedman, its CEO, took full responsibility, even stating, "That's not a justification. It's simply an explanation."

If you work for one of the companies with this malady, then please speak up. Make it an issue -- and don't let it be swept under a carpet. Make sure your management is aware of what has happened to others in your industry, and make recommendations that can mitigate the risk.

While Stratfor may have lost information on 850,000-plus accounts, Care2 lost almost 18 million and has still not embraced fixing the type of problems that led to its compromise to begin with.

All of us have a role to play in a more secure Internet, and it's high time we admit we have a problem and get on with fixing the issues as quickly as possible.

It’s about not being silent when you know there’s a problem, but to stand firm -- to continually push for change and in, all cases, always keeping the customer at the head of the line.

The bottom line is whether you produce widgets or the next product destined for the next great Hype Cycle, if your company has customer information, takes credit cards, or has computers that use passwords, then IT security is, in fact, your business.

Chester Wisniewski is a senior security adviser at Sophos Canada

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rsodhi945
50%
50%
rsodhi945,
User Rank: Apprentice
2/19/2012 | 7:49:03 PM
re: We Make Widgets -- Let Someone Else Handle Security
We have an opportunity to step up as security professionals in serving a stronger role in IT leadership.-á It is time for us to be change managers. As you point out - "ItGÇÖs about not being silent when you know thereGÇÖs a problem, but to stand firm -- to continually push for change and in, all cases, always keeping the customer at the head of the line".-á This is a call for action to act as a change catalyst in bringing new tools, skills, processes, and accountability to IT.-á This is bigger than IT leadership or business leadership, it is bigger than secuirty best practices. It is and IT has to become about securing the business. It is about survival of the business.-á We are amidst times where decades of customer loyalty will dissipate in moments if swarms of customers feel we have not managed THEIR data and if we failed being stewards of sensitive data!-á

I think we must overcome our individual fears about career limiting moves and we should start to educate management on security metrics.-á What is measured is done!-á Managers must be open, they should allow, encourage and faciliate hearing the voice of infosec people on their teams.-á Initially they should ask - Where are my security defects and vulnerabilities?-á How many incidents did we manage on a daily weekly montlhy basis?-á

When we started our software development maturity journey twenty years ago - we would measure the presence of defects in software.-á In the 1980s Jack Hancock at Chemical Bank, Carnegie Mellon, Standish Group started to address why software projects fail.-á A software defect at requirements stage cost $26 to fix, the same bug might cost $1250 during testing stages.-á We need to adopt a similar security measurements mindset in developing reports for managers and customers on threats we see and remedy.

Lastly, I have a dream or desire that one day future business leaders like CEOs will not be picked from CFO or marketing or sales ranks - but will be sought from CSO, CISO ranks to ensure that companies make secure widgets with infosec practices within.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.