Over the past few weeks I’ve run across, either personally or via press, case after case of companies with poor security practices. These aren’t small shops like Bob’s Bait and eCommerce site; rather, they are big brand-name organizations that have sophisticated security practices. So why do these things continue to happen?
Let me walk through some examples first. A fairly large regional credit union asked me to submit some paperwork for a mortgage loan…via email. I reached out to the security department, introduced myself, let them know of the request, and they had those instructions removed from the site that day. They took the situation very seriously, and I still would do business with them.
A major bank decided, without a request or authorization, to start sending email notifications of credit card payments being due, including the last four of the account, balance due, and credit limit, all of which are sensitive. This is the same company that continually does a soft pull of credit scores to put on the bills – again, it’s opt-out instead of opt-in. I reached out through their public contact info, heard no response, and closed my account a week later.
Press reports this week talk about a large telco provider that uses a default PIN on accounts of 0000 to ‘secure’ them. They are ‘working on it’. Fortunately that line of business has widespread competition, but in other areas they have monopoly control. I could probably cite dozens of reports of common default credentials.
There was another report of a social media site exploiting user information for profit, via a free analytics kit embedded into applications. Why anyone is surprised is beyond me. There’s no such thing as a free puppy, or social media site.
A number of password management software vendors badly muffed the PR response to the recent report of credential harvesting from direct memory attacks. Technically they’re right – the machine has to be compromised for the attack to work, but from a PR standpoint it’s a bad situation. They build their company on trust, and customers feel as if that’s been broken. I still use the software, but then again, I’d read the security paper, so this wasn’t a surprise to me.
An ecommerce site reported a loss of credit card information when their shopping cart software – which was out of date – was hacked. There’s a new Thunderbolt attack that can dump memory. Companies continue to produce public computers where people can enter sensitive information (think hotel business centers and all those tablets in the airport). And there are dozens of companies, including some of the world’s largest brokerage firms, still relying on mother’s maiden name, last four of SSN, or other easily discoverable/guessed alternate authentication schemes.
In many cases, to paraphrase Ian Malcolm from Jurassic Park, these companies are focused more on how they ‘could’ rather than if they ‘should’. I’m sure that some marketing person thought it would be cool to proactively provide credit scores, balances, and credit limits, and didn’t bother to ask anyone in the security or privacy departments if they should – or how to do it safely. At the telco provider, I’m sure, that decision was made by the support and account people who were more worried about account recovery challenges than account takeover attacks. They are paid to minimize call center costs, so they optimized for their own interests over those of the customers.
Both of those tie back to previous articles, from having the CISO report to the CEO or CRO instead of the CIO – so that they are a peer of the business, rather than subordinate to a service organization – to pushing not just internal security awareness, but also product security awareness throughout the business. But even when training occurs, without a formal multi-stakeholder risk management workflow, people will focus only on their immediate scope.
The most insidious reason, though, is inertia. They’ve asked for mother’s maiden name since the beginning of time, and continue to do so because no one pushes for change. They don’t patch critical vulnerabilities, because ‘the system works’. They don’t upgrade to the new OS because it requires a hardware refresh. In some cases, like hardware, that may be a valid business decision (though I’d argue it is often a reflection of poor prior planning; the Windows 7 desupport date was not a secret!), but most of the time no formal decision was made at all.
Changing the reporting structure is a major undertaking, and something for CEOs to consider. Building a risk management workflow across stakeholders would be a good initiative for COOs. CISOs can provide a conduit for ‘bad behavior escalation’. CROs can expand the requirements for product security and privacy training. For everyone else, there is something we all can, and should, do, especially as security professionals.
If the company we work for is doing something legacy, dumb, risky, or thoughtless, we have a duty to escalate and try to effect change. There’s no excuse for these bad practices to continue in 2019. Better that it’s driven internally and proactively, than in response to new legislation or worse, to a breach.