Mark Nagiel's first task as the new vice president of IT at InCharge Institute of America was to conduct a security audit. He found that the company had done a good job securing its perimeter, guarding information in its databases, tracking intrusion activities, and educating employees on key security issues. But he also discovered some gaping holes in the financial consulting firm's defenses.
It turned out that data was flowing over the company's port 80, which is used for plain Web traffic, as well as over port 443, which carries Secure Sockets Layer (SSL) traffic. And some of InCharge's internally developed applications hadn't been properly bulletproofed.
InCharge, a nonprofit focused mainly on supplying credit counseling and debt management advice to consumers through its InCharge Debt Solutions program, has more custom application development than many other organizations because its business is so multi-faceted. It has several offshoot businesses, including Brightscore.com, which helps clients monitor and examine up-to-date credit information, and the InCharge Educational Foundation, which offers educational products and services so individuals understand their personal financial needs.
Sealing up InCharge's newfound security holes was important because the company, which has 50,000 to 100,000 customers in various stages of rectifying their credit problems, deals with sensitive personal information such as credit card and Social Security numbers. Because it works with financial data, the nonprofit also must comply with various data security regulations for the privacy and protection of a person's financial data. "We are treated differently in almost every state, ranging from states where there is no regulatory control to New York, where we are audited on an annual basis, just like Bank of America," Nagiel says.
Nagiel didn't just take his own word for potential problems in the company's security architecture -- he hired a third-party consulting firm to probe the weak spots as well. The firm found cross-site scripting, cookie poisoning, and SQL/OS injection flaws, as well as the open port 80 and port 443 vulnerabilities. Although these flaws hadn't led to any data being compromised, they were present in some of the company's applications.
InCharge, with the help of the consultants, ended up selecting F5 Networks's BIG-IP Application Security Manager (ASM) to remedy its security weaknesses. One appealing feature, according to the company, was the auto-adaptive approach where the system passively monitors traffic patterns, identifies where changes need to be made, and updates security policies based on the observed traffic patterns.
The financial services company got the BIG-IP ASM up and running quickly in late 2005, but the more challenging step was revamping the company's application development processes, Nagiel says. It was difficult for the nonprofit's software engineers to adapt to building their applications with security in mind.
Today, new software releases and upgrades include tighter security checks. And InCharge's IT systems have a better security reputation now. Each year, the Credit Bureau audits InCharge's business processes. "The first year, they spent time examining our DMZ," Nagiel says. "After we implemented ASM, they spent no time there because they felt the F5 system enabled us to close up any possible vulnerability."