As a vendor that has products that focus on SOA security, it's pretty easy to slip into the mindset that buying security products is all that's needed to cure a company's security problems. I thought I'd tell a story that happened to me in the last week dealing with an internet mortgage broker company (not a customer of mine!). You know the kind: the ones that "compare and act on up to 4 customized offers instantly". The moral of this story is that it's not all about having security products - security needs to be core to your IT culture. Anyways, here goes...
I submitted a mortgage rate quote application through this company (I figured I'm a technology guy and that I should use technology to compare lenders -- none of this old fashioned business of talking to each one individually). I wanted to see what technology could do for me.
Now, this company proudly proclaims on their website that your information is safe with them. They use SSL, firewalls, multiple DMZs, two-factor authentication, etc. In the end, though, none of this technology ended up making their systems more secure. They missed some of the basics.
Here's how it happened: I had a problem getting the results of my quote (a bug in their website). I phoned customer support, and when they tried to verify the bug I was encountering, they logged into their website as my account. I found out that the customer service rep was able to do this because they had access to my password in clear-text. Uh oh. Red flags were already popping in my head. It's a major security no-no to be able to access passwords in clear-text.
So, I figured, maybe I can change my password, so at least this rep wouldn't be able to login. No luck, they didn't provide a way on their website to change passwords -- you have to talk to a customer service rep.
Now, I can understand why they did this. They probably have a bunch of customer problems that they can only reproduce by having their reps walk through the steps. This approach makes it easy for the reps to solve problems for their customers. But it also makes it easy for someone in customer service to pull an "inside job", and the majority of security breaches are inside jobs.
The next thing I thought was, "maybe if I try and login with a bad password a bunch of times, I can lock my account so no one can login". No dice; their systems don't protect against multiple invalid logins. Not only did this mean that I couldn't lock my account, it also meant that their security could be breached by any hacker on the internet doing a password guessing attack. Since I'm guessing that the bulk of their customers, even for mortgage applications, use guessable passwords, there were a lot of people at risk (one of them being me!).
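To make the two basics above concrete, here is a small added example (my own illustration, not code from the mortgage company or from any product) of what an account store looks like when it gets them right: passwords are kept only as salted PBKDF2 hashes, so a support rep's console cannot show the password even with full database access; repeated failed logins lock the account for a cooldown period, so a guessing attack stalls; and the customer can change their own password. The policy values (100,000 iterations, 5 attempts, 15-minute lockout), the class and function names, and the sample account are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Policy knobs: constructed for this example, not values from the post.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a per-user salted key; the plaintext is never kept anywhere."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class AccountStore:
    """In-memory account store holding only salted hashes plus lockout state.

    The clock is injectable so lockout expiry can be exercised deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: Dict[str, dict] = {}

    def create(self, username: str, password: str) -> None:
        salt, key = hash_password(password)
        self._accounts[username] = {"salt": salt, "key": key, "failed": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct["locked_until"] > self._clock()

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'."""
        acct = self._accounts.get(username)
        now = self._clock()
        if acct is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return "bad_credentials"
        if acct["locked_until"] > now:
            return "locked"  # refuse without checking, so guessing makes no progress
        _, candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["key"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
        return "bad_credentials"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Self-service change: requires the current password, re-salts the new one."""
        if self.login(username, old) != "ok":
            return False
        salt, key = hash_password(new)
        self._accounts[username].update(salt=salt, key=key)
        return True

    def support_view(self, username: str) -> Dict[str, object]:
        """What a support rep's console can show: never the password, not even its hash."""
        acct = self._accounts[username]
        return {
            "username": username,
            "locked": self.is_locked(username),
            "failed_attempts": acct["failed"],
        }


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery staple")  # constructed sample account
    for guess in ["password", "123456", "letmein", "qwerty", "mortgage"]:
        print(f"{guess!r} -> {store.login('alice', guess)}")
    print("real password while locked ->", store.login("alice", "correct horse battery staple"))
    print("support console sees:", store.support_view("alice"))
```

Two design points worth noting: the lockout check happens before the hash is computed, so a locked account costs the server nothing while the attacker waits, and the rep-facing view is a separate method that simply has no path to the credential, which is the property the company in the story lacked.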
Given I couldn't protect against someone getting into my account, the next thing I tried to do was figure out what my risk exposure was. I talked with their customer service and determined that the reps didn't have access to my social security number. Good, at least that was safe. Or was it?
Next, I checked to see what was needed to access my loan offers. Their web site said you needed a password and social security number. Well, it turns out you just needed a password - nothing else. I guess they didn't read their own posted security policy. Or, more likely, they wanted to make it easier for their customers, so they eliminated this step. Luckily, the loan offers didn't contain any truly sensitive information.
On a hunch, I thought, what happens if I submit another application? So, I cleared my browser cookies and tried. Well, it turned out that -- in the interest of good customer service -- they prefilled the forms for me using data from their servers. Including my name, address, phone number, employer, social security number, and salary! All in clear text!
So now, anyone that could steal a password of a customer (an inside job) or guess a password (a hacker) could gain access to everything necessary to commit identity theft.
What went wrong? Clearly someone had been thinking about security, because their customer service reps couldn't see my social security number. My take is that there were two issues:
No one had looked at the system as a whole. Taken by themselves, any one of these issues wouldn't be a huge deal (not best practices by any stretch, but not critical). And, that's probably how it happened. They may have known about some or all of these issues, but no one put two and two together -- had they taken a holistic view, they would have seen that a large number of their customers were at risk. For any one of these potential security issues they should have done a complete and thorough risk analysis before lowering their priority.
When given a choice, they put customer service before security. This is a tough one and I can understand where they were coming from. It's hard to tell a customer "we can't solve this problem for you because we can't login to your account". On the other hand, without realizing it they risked their company. Had the information gotten out about their security flaws, it could have cost them their entire customer pipeline. In their business reputation and trust are essential; without them they wouldn't have any customers. That said, their mindset blinded them to the reality: if they put security first, that doesn't have to mean bad customer service. There are products which let you do things like replay visually a customer's last session to see what they saw, see what they entered, etc. If they had put security first, they could have found solutions to make their customer service work. But they didn't.
So, in the end, they were victim to a common problem that no product will solve. Their practices and their mindset didn't put security at the core of what they do.
What happened in the end? I talked personally with their CIO who, aware of these issues, pledged to address them and also took my information out of their system so I would not be at risk. Of course, any pledge that this CIO makes is still colored by the fact that their practices and culture have significant issues - as an outsider, even I could see that security is clearly not their first priority in how they work, regardless of what they say (or even believe). So, regardless of whether they fix the flaws I found, I have no doubt that they have other security flaws that are equally dangerous. It's only a matter of time for them unless they focus on changing their culture. For me, though, the risk is gone since they removed my data from their systems -- but I hope others don't suffer because of this organization's choices.
In the end, I did my mortgage rate comparison the old fashioned way: I got recommendations from people I trusted, talked with people on the phone, and only gave them the minimum information they needed to give me a quote. Then, I did good ol' fashioned negotiation (which got my rate down far further than the internet company did).
In the end, the moral of the story is that purchasing security products, and laying out an architecture for security isn't enough. You need to follow through with practices that put security top-of-mind and a culture which treats security as a key concern.