Posted by Martin Zinaich on November 14, 2015.
Alvin Toffler, an American writer and futurist known for his works discussing the digital revolution, communication revolution and technological singularity, once said, “You’ve got to think about big things while you’re doing small things, so that all the small things go in the right direction.”
He is right, certainly about this digital revolution. Cases in point are some seemingly innocuous security fails of which most businesses, system admins and InfoSec professionals are likely unaware. The bigger problem, however, is that the businesses behind these fails are either unaware of them or reluctant to correct them.
I will start with a large software manufacturer called Adobe. Many large businesses utilize things known as proxy servers. Proxy servers act as the intermediary between corporate networks and the Internet. As a sign of how disconnected IT Software is from IT Security, I constantly come across software that does not know how to operate through a proxy server. All browsers do, and many programs simply utilize the browser settings. Proxy servers are a common part of a “defense in depth” strategy. So what does it say for a large software company when their “Cloud” software does not fully work with a proxy server? It says FAIL. You can read it in their own support notes:
“The following proxy configurations are not supported:
Local PAC file support”
Next, we have a little company called Microsoft. In a Microsoft environment, you can utilize ActiveSync – a program that allows users to synchronize their smartphone with email and calendar events. If a user changes their corporate password and forgets to update one of their 20 connected devices, there is no easy way to tell if failed logins are coming from the ActiveSync client or from someone trying to brute force the account. At least I have not been able to figure out a way – if you have one, leave me a message. This fills system logs with “noise” and makes it hard to tell real issues from ActiveSync clients retrying over and over with a bad password. You would think a software company might make it easy to distinguish the difference, or make the little client stop after a single automated failed login. Nope – we have another FAIL.
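As an added illustration (not from the post), the following Python triage heuristic separates a sync client retrying a stale password from password guessing using clues that survive in web-server logs: one device identity only, the ActiveSync virtual-directory path, and evenly spaced retries, versus one source touching several accounts in a burst. The log records, field layout and user-agent strings are constructed for the example.

```python
# Added example: triage of failed-login records by behavioural pattern.
# Record layout (constructed): (timestamp, user, source ip, user agent, url path).
from collections import defaultdict
from datetime import datetime

# Constructed sample log. "/Microsoft-Server-ActiveSync" is the ActiveSync
# virtual directory; the user-agent strings and addresses are made up.
FAILED_LOGINS = [
    ("2015-11-14T08:00:00", "jsmith", "203.0.113.10", "Apple-iPhone/1208", "/Microsoft-Server-ActiveSync"),
    ("2015-11-14T08:15:00", "jsmith", "203.0.113.10", "Apple-iPhone/1208", "/Microsoft-Server-ActiveSync"),
    ("2015-11-14T08:30:00", "jsmith", "203.0.113.10", "Apple-iPhone/1208", "/Microsoft-Server-ActiveSync"),
    ("2015-11-14T08:45:00", "jsmith", "203.0.113.10", "Apple-iPhone/1208", "/Microsoft-Server-ActiveSync"),
    ("2015-11-14T09:00:01", "admin",  "198.51.100.7", "Mozilla/5.0",       "/owa/auth.owa"),
    ("2015-11-14T09:00:02", "admin",  "198.51.100.7", "Mozilla/5.0",       "/owa/auth.owa"),
    ("2015-11-14T09:00:02", "admin",  "198.51.100.7", "Mozilla/5.0",       "/owa/auth.owa"),
    ("2015-11-14T09:00:03", "jdoe",   "198.51.100.7", "Mozilla/5.0",       "/owa/auth.owa"),
    ("2015-11-14T10:00:00", "mbrown", "192.0.2.5",    "Outlook-iOS/2.0",   "/owa/auth.owa"),
    ("2015-11-14T10:07:00", "mbrown", "192.0.2.5",    "Outlook-iOS/2.0",   "/owa/auth.owa"),
]

def triage(records, max_jitter=60, min_events=3):
    """Return {user: verdict}; verdict is 'stale-client', 'guessing' or 'review'.

    stale-client: a single client, ActiveSync path only, retries at a steady
                  interval (the polling pattern of a device with an old password).
    guessing:     a source that tries more than one account, or one account hit
                  from several clients.
    review:       nothing conclusive; leave for a human.
    """
    by_user = defaultdict(list)     # user -> [(time, ip, ua, path)]
    by_source = defaultdict(set)    # ip -> {users it failed against}
    for ts, user, ip, ua, path in records:
        by_user[user].append((datetime.fromisoformat(ts), ip, ua, path))
        by_source[ip].add(user)

    verdicts = {}
    for user, events in by_user.items():
        events.sort()
        clients = {(ip, ua) for _, ip, ua, _ in events}
        sync_only = all(path.startswith("/Microsoft-Server-ActiveSync") for _, _, _, path in events)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        regular = len(events) >= max(min_events, 2) and max(gaps) - min(gaps) <= max_jitter
        spray = any(len(by_source[ip]) > 1 for _, ip, _, _ in events)
        if len(clients) == 1 and sync_only and regular and not spray:
            verdicts[user] = "stale-client"
        elif spray or len(clients) > 1:
            verdicts[user] = "guessing"
        else:
            verdicts[user] = "review"
    return verdicts
```

Tuning `max_jitter` and `min_events` to the sync interval your devices actually use keeps the stale-client bucket tight; anything that lands in "review" still deserves a look.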
One good thing ActiveSync has is the ability to push rules to a smartphone. So, for example, a company wants to make sure a password is in place on the smartphone if you want to connect to corporate email. Simple: you just set a rule. Yet, if an employee elects not to use ActiveSync and the company has Outlook Web Access (almost all do), the user can get one of some 50 smartphone apps that connect to corporate email over Outlook Web Access. One such iPhone app allows the user to store the password in the app. Moreover, while the application can have its own password, it is not required. I actually contacted this vendor and asked them to “require” a PIN or password if the user stores the email password in their application. They declined. Therefore, because the app does not use ActiveSync, the ActiveSync rules do not apply. In addition, the end user can store the corporate email password in the application, and can also disable both the app password and the smartphone password. All along, the System Admin is thinking they are secure in this area because they set policy – FAIL.
Because there is no ruling body of professionals, Information Security is generally happenstance. While we are running at breakneck speed to exploit this digital revolution – which is indeed a “Big Thing” – we are ignoring the small things. When was the last time you saw something as simple as an application showing you the last time you logged into a system?