Guest Blog // Selected Security Content Provided By Sophos
What's This?
10:54 AM
Dark Reading
Dark Reading
Security Insights

We Make Widgets -- Let Someone Else Handle Security

If you're a customer-facing organization, then security can't take second place behind your services

At one time or another, I think we’ve all run up against the idiom about a chain being only as strong as its weakest link. Mostly it’s a trite euphemism used to apply singular blame in the wake of an event that radiates out to many individuals and disrupts the status quo. In business terms, however, left unaddressed the effect of that weakened link, like subtle but powerful aftershocks, can be devastating to the entire organization.

Case in point: I’ve spent my career hoping against all hope that I could make a change in how seriously some of the corporate giants I’ve worked for take the security and integrity of their IT systems. I am nearly convinced (if not thoroughly persuaded), however, that not every business takes either of these seriously enough.

One of the organizations I worked at had IT security issues on a daily basis: viruses, lost devices, stolen data, and intellectual property walking off with recently dismissed employees.

I regularly attempted to draw management's attention to the problem, and the fact that we had all of the software, man power, and will we needed to fix it. All we had to do was adjust our attitude toward the problem.

The reply: "We aren't in the business of IT or security. We make widgets. We maximize investor returns by buying, selling, and trading subsidiaries to create wealth."

Well, I have news for companies that adopt this attitude. It simply isn't true anymore.

This same company spent millions of dollars monthly maintaining its fleet of delivery trucks, the robots in its factories, and even the coffee machines in the breakroom.

We once had an outage due to a power failure at a critical IT facility that cost the organization more than $1 million an hour because robots needed the computers at that facility to tell it what to make. When that's the case, can you afford not to be an IT company?

In this day and age, for an organization to ignore IT security is patently irresponsible. If you really feel that way, perhaps you should take down your website, turn off the Internet connection, and live in a world that matches your fantasy.

What prompted this rant? According to's 2011 yearly report, more than 126 million personally identifiable records were compromised in 369 incidents.

Because most incidents go unreported, those numbers are only the tip of the iceberg. In fact, most jurisdictions don't require organizations to report incidents, so this represents only those that are regulated and those that were "outed."

There are many other, lesser well-publicized but equally potentially compromised-riddled examples -- from customer data and PII being stored or transmitted without encryption, to hard drives on old PCs and phones not being remotely wiped before being tossed in the local landfill, to Web forms with known vulnerabilities -- and companies that don't find out they’ve been the target of a hacker for the past six month.

It is time to recognize that the Internet is a utility and your computers are a property that you have an “obligation” to properly maintain for the safe operation of most businesses.

A perfect example of not learning or apparently caring about security very much is While it has finally revised its password reset process, it clearly has not embraced protecting your information. was compromised in December 2010 and had more than 17 million user IDs and passwords stolen, all of which appear to have been stored in plain text. It even offered to email you your password.

Any organization that can return existing passwords to a customer is not even trying to securely store them. I checked out its site today to determine whether it had learned any lessons from the breach. While it will no longer send your password when you attempt to reset (Good!), it let me choose a password of "password" when I created my account.

Strangely, when I then tested out the password reset process, it insisted on an eight-character password that had to contain a numeral (which arguably lowers the entropy). Note that my prior password of "password" clearly hadn't been held to this standard. Requiring password complexity in only some circumstances and not others is pointless.

It is unclear whether the passwords are now securely stored, but it almost doesn't matter. Its Web server supports HTTPS, but as soon as you click a link like "Login" or "Join," it reverts to an unencrypted connection.

Yes, everything you enter into the form fields, including your user ID, birth date, password, and personal group preferences, like NAACP, GLBT Rights, Pagans, and Planned Parenthood, are transmitted in plain text and easily intercepted on public Wi-Fi.

On the other hand, you have Stratfor. I contacted TRUSTe for comment, but it had not yet returned my call after more than a week.

While it didn't learn from others' mistakes, it took the site down until it could safely bring it back online. George Friedman, its CEO, took full responsibility, even stating, "That's not a justification. It's simply an explanation."

If you work for one of the companies with this malady, then please speak up. Make it an issue -- and don't let it be swept under a carpet. Make sure your management is aware of what has happened to others in your industry, and make recommendations that can mitigate the risk.

While Stratfor may have lost information on 850,000-plus accounts, Care2 lost almost 18 million and has still not embraced fixing the type of problems that led to its compromise to begin with.

All of us have a role to play in a more secure Internet, and it's high time we admit we have a problem and get on with fixing the issues as quickly as possible.

It’s about not being silent when you know there’s a problem, but to stand firm -- to continually push for change and in, all cases, always keeping the customer at the head of the line.

The bottom line is whether you produce widgets or the next product destined for the next great Hype Cycle, if your company has customer information, takes credit cards, or has computers that use passwords, then IT security is, in fact, your business.

Chester Wisniewski is a senior security adviser at Sophos Canada

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/19/2012 | 7:49:03 PM
re: We Make Widgets -- Let Someone Else Handle Security
We have an opportunity to step up as security professionals in serving a stronger role in IT leadership.- It is time for us to be change managers. As you point out - "ItGs about not being silent when you know thereGs a problem, but to stand firm -- to continually push for change and in, all cases, always keeping the customer at the head of the line".- This is a call for action to act as a change catalyst in bringing new tools, skills, processes, and accountability to IT.- This is bigger than IT leadership or business leadership, it is bigger than secuirty best practices. It is and IT has to become about securing the business. It is about survival of the business.- We are amidst times where decades of customer loyalty will dissipate in moments if swarms of customers feel we have not managed THEIR data and if we failed being stewards of sensitive data!-

I think we must overcome our individual fears about career limiting moves and we should start to educate management on security metrics.- What is measured is done!- Managers must be open, they should allow, encourage and faciliate hearing the voice of infosec people on their teams.- Initially they should ask - Where are my security defects and vulnerabilities?- How many incidents did we manage on a daily weekly montlhy basis?-

When we started our software development maturity journey twenty years ago - we would measure the presence of defects in software.- In the 1980s Jack Hancock at Chemical Bank, Carnegie Mellon, Standish Group started to address why software projects fail.- A software defect at requirements stage cost $26 to fix, the same bug might cost $1250 during testing stages.- We need to adopt a similar security measurements mindset in developing reports for managers and customers on threats we see and remedy.

Lastly, I have a dream or desire that one day future business leaders like CEOs will not be picked from CFO or marketing or sales ranks - but will be sought from CSO, CISO ranks to ensure that companies make secure widgets with infosec practices within.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.