Security as an advantage

This week has seen a lot of activity in the security world about one of the largest companies in Britain – Tesco. What’s unusual about this, certainly compared to most “security” news is that there’s been no notified data breach. Efforts conducted by Troy Hunt, in particular (and well documented at his web site – Lessons in website security anti-patterns by Tesco) have identified a number of potential security issues with Tesco’s online presence.

Tesco have made some responses (additional coverage at SC Magazine) and I’m sure we’ll see additional news on this.

Tesco aside, what this highlights is that most people aren’t aware of what security is in place, or should be in place for their online transactions. Not everyone has the time, ability or stubbornness of people like Troy to investigate and follow through with enough knowledge to get through the anodyne responses. This is an example of why having a knowledgeable and semi-independent security assessment is something that any organisation should do. That’s not to denigrate some of the fine people who work at Tesco – all of us sometimes need an extra set of eyes and ears, sometimes just to challenge assumptions. Luckily, here, the problems have been identified before there’s a serious issue.

One of the basic issues here is that security is hard – knowing that even if everything has been done “right” that it still may lead to a problem. This is one of the reasons that it’s good advice for users to use different passwords – even if you trust the people you give a password to, you can never be sure that it won’t get leaked. If you use the same username and password combo on multiple sites (or worse, for your e-mail access itself) then any password leak on those compromises a large amount of your online presence. Even a low value breach (a blog, for instance) escalates if those same credentials are used at a shopping site that has your credit card number stored and allows quick purchasing.

Security is about layers of defence – not assuming that each layer will hold, but mitigating and minimising the risk if it doesn’t. This incidentally is one of the issues with the “padlock” icon in browsers – it gives a false sense of security. Users are one of those layers and should assume that whatever is in place by the provider may not be enough…

One of the difficulties with any form of security is when it meets head-on issues such as finance, usability, compliance or legislation. The latter two in particular are insidious, often being used as a replacement for security (we’ve complied with XYZ policy) or even being antipathic to security. Especially in large organisations the challenges in putting forward a culture of good practice against those are immense. There may even be good and acceptable reasons for, what at first appears to be, bad practice.

That said, I’m wondering if these types of events may be the trigger for security as a competitive advantage. Would a (non-security) person actually choose to shop online at one store over another due to security deficiencies? If not, at what point would that happen?

Recent breaches

Stolen RSA data used to hack defense contractor • The Register

There’s a lot more analysis out there today on the Lockhead Martin hack that has led to a recall of RSA SecurID tokens. Anyone using them should demand replacements, or, as a better option alternatives. As the article notes, it’s difficult to trust RSA now…

It’s interesting how the use of a single security product has contributed so severely to a breach. The defence in depth seems to have completely failed. Perhaps this is a case of putting too much faith into a single product – almost along the lines of “we’re safe; we have a firewall”.

A significant point here is how organisations are entwined so that breaches for one company can have serious implications for others – we tend to see this more with business partners (extranet services, VPNs etc.) where choices are made to allow third-party access to data, but this blurs the distinction; the security providers should be treated as business partners.

Many large companies have clauses in contracts providing the right to audit and test partner facilities – this can include running pen tests, or insisting that a validated third party does so – in essence the security domain is extended to include the wider community. With the trends we’re seeing in security as the industry reacts to changing business practices I believe the auditing of external organisations will become more prevalent.

This could be a watershed for how companies treat their security providers as well as their business partners. For those on the other side I can also see a competitive advantage in security – something that I hope will become relevant, especially in “cloud” based services.