Alvin Toffler, an American writer and futurist known for his works
discussing the digital revolution, communication revolution and
technological singularity, once said, “You’ve got to think about big
things while you’re doing small things, so that all the small things go
in the right direction.”
He is right, certainly about this digital revolution. Cases in point
are some seemingly innocuous security fails that most businesses, system
admins and InfoSec professionals are likely unaware of. The bigger
problem is that the businesses behind these fails are either unaware of
them or reluctant to correct them.
I will start with a large software manufacturer called Adobe. Many
large businesses use things known as proxy servers. A proxy server is
the intermediary between the corporate network and the Internet:
internal hosts are not allowed to reach the Internet directly, so every
outbound connection has to go through the proxy, and it commonly has to
authenticate to it. As a sign of how disconnected IT software is from
IT security, I constantly come across software that does not know how
to operate through a proxy server. All browsers do, and many programs
simply use the browser's proxy settings. Proxy servers are a common
part of a "defense in depth" strategy. So what does it say for a large
software company when their "Cloud" software does not fully work with a
proxy server? It says FAIL. You can read it in their own support notes:
“The following proxy configurations are not supported:
Kerberos authentication
NTLM authentication
Local PAC file support”
Next, we have a little company called Microsoft. In a Microsoft
environment you can use ActiveSync, the protocol that lets users
synchronize email and calendar events with their smartphones. If a user
changes their corporate password and forgets to update one of their 20
connected devices, there is no easy way to tell whether the failed
logins are coming from the ActiveSync client or from someone trying to
brute force the account. At least I have not been able to figure out a
way – if you have one, leave me a message. This loads the system logs
with "noise" and makes it hard to know which entries are real issues
and which are simply ActiveSync clients retrying over and over with a
bad password. You would think a software company might make it easy to
distinguish the two, or make the little client stop after a single
automated failed login. Nope – we have another FAIL.
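One way to cut through that noise is to look at the shape of the failures rather than just their count: a phone holding an old password retries on a schedule from one device ID and one address, while a guessing attack arrives in a tight burst, often with no device ID at all, and one source frequently touches several accounts. The script below is an added example written for this post, not code from the original or from Microsoft. It assumes a simplified IIS W3C-style log for the ActiveSync and OWA virtual directories (the field order is an assumption, and the sample lines are constructed, not captured), and the thresholds are starting points to tune, not tested values.

```python
"""Separate stale-ActiveSync-client noise from credential attacks in web auth logs.

Added example, not from the original post. The log layout is an assumption
loosely modelled on IIS W3C logging for the Exchange ActiveSync and OWA virtual
directories; the sample lines are constructed, not captured from a real server.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qs

# Assumed field order:
# date time cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2012-03-01 08:00:02 /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&Cmd=Ping jdoe 203.0.113.10 Apple-iPhone4C1/902.176 401
2012-03-01 08:15:03 /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&Cmd=Ping jdoe 203.0.113.10 Apple-iPhone4C1/902.176 401
2012-03-01 08:30:02 /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&Cmd=Ping jdoe 203.0.113.10 Apple-iPhone4C1/902.176 401
2012-03-01 08:45:04 /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&Cmd=Ping jdoe 203.0.113.10 Apple-iPhone4C1/902.176 401
2012-03-01 09:00:03 /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&Cmd=Ping jdoe 203.0.113.10 Apple-iPhone4C1/902.176 401
2012-03-01 09:00:05 /Microsoft-Server-ActiveSync User=mlee&DeviceId=XYZ789&Cmd=Sync mlee 203.0.113.22 Android/4.0 200
2012-03-01 09:01:10 /owa/auth.owa - asmith 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:01:11 /owa/auth.owa - asmith 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:01:11 /owa/auth.owa - asmith 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:01:12 /owa/auth.owa - asmith 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:01:13 /owa/auth.owa - asmith 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:01:14 /owa/auth.owa - asmith 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:02:01 /owa/auth.owa - bjones 198.51.100.7 Mozilla/5.0 401
2012-03-01 09:02:02 /owa/auth.owa - cwu 198.51.100.7 Mozilla/5.0 401
"""

# Tuning knobs (assumed starting points, not measured values).
STALE_MIN_FAILURES = 3     # a scheduled client keeps coming back
STALE_MIN_GAP = 60.0       # seconds; real clients retry on a schedule, not in a loop
STALE_MAX_JITTER = 0.25    # pstdev/mean of the retry gaps: near-constant interval
BRUTE_MIN_FAILURES = 5
BRUTE_MAX_MEAN_GAP = 5.0   # seconds; guessing tools do not wait between tries


def parse(log_text):
    """Turn the assumed log layout into dicts; username falls back to the User= query param."""
    records = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, stem, query, user, ip, agent, status = line.split()
        params = parse_qs(query) if query != "-" else {}
        if user == "-":
            user = params.get("User", ["-"])[0]
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "path": stem, "user": user, "ip": ip, "agent": agent,
            "device_id": params.get("DeviceId", [None])[0],  # only ActiveSync carries one
            "status": int(status),
        })
    return records


def classify_user(failures):
    """Label one account's 401s by timing and source diversity, not by count alone."""
    devices = {f["device_id"] for f in failures}
    ips = {f["ip"] for f in failures}
    times = sorted(f["ts"] for f in failures)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return "undetermined"
    avg = mean(gaps)
    # One device ID, one address, evenly spaced retries: a phone with an old password.
    if (len(devices) == 1 and None not in devices and len(ips) == 1
            and len(failures) >= STALE_MIN_FAILURES and avg >= STALE_MIN_GAP
            and pstdev(gaps) <= STALE_MAX_JITTER * avg):
        return "stale-activesync-client"
    # Rapid-fire failures with no scheduling pattern: treat as an attack until proven otherwise.
    if len(failures) >= BRUTE_MIN_FAILURES and avg <= BRUTE_MAX_MEAN_GAP:
        return "possible-brute-force"
    return "undetermined"


def triage(log_text):
    """Map each account with failed logins to a label."""
    failures = defaultdict(list)
    for r in parse(log_text):
        if r["status"] == 401:
            failures[r["user"]].append(r)
    return {user: classify_user(f) for user, f in failures.items()}


def spraying_sources(log_text, min_users=3):
    """Source IPs whose failures span several accounts; a stale phone never does this."""
    users_by_ip = defaultdict(set)
    for r in parse(log_text):
        if r["status"] == 401:
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    for user, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user:8} {label}")
    for ip, users in spraying_sources(SAMPLE_LOG).items():
        print(f"{ip} failed against {len(users)} accounts: {', '.join(users)}")
```

On the constructed sample this tags jdoe's evenly spaced, single-device retries as a stale client and asmith's six tries in four seconds as a possible brute force, and it flags 198.51.100.7 for hitting three accounts. The device ID is the key signal: it is present on ActiveSync requests and absent on plain OWA logins, and a single stale phone never presents several of them. None of this stops the client from retrying, so the underlying complaint stands; it only makes the log usable while it does.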
One good thing ActiveSync does have is the ability to push policy to a smartphone. So, for example, if a company wants to make sure a passcode is set on any smartphone that connects to corporate email, it simply sets a rule. Yet if an employee elects not to use ActiveSync, and the company runs Outlook Web Access (almost all do), the user can pick one of some 50 smartphone apps that connect to corporate email through Outlook Web Access instead. One such iPhone app lets the user store the password inside the app. Moreover, while the app can have its own password, it is not required. I actually contacted this vendor and asked them to "require" a PIN or password if the user stores the email password in their application. They declined. Therefore, because the app does not use ActiveSync, the ActiveSync rules do not apply. The end user can store the corporate email password in the application, disable the app password, and disable the smartphone passcode as well. All the while, the system admin thinks they are secure in this area because they set a policy – FAIL.
Because there is no ruling body of professionals, Information
Security is generally happenstance. While we are running at breakneck
speed to exploit this digital revolution – which is indeed a “Big
Thing”, we are ignoring the small things. When was the last time you saw
something as simple as an application showing you the last time you
logged into a system?