Are you providing security for your customers?
Security should not be considered exclusively within the context of one’s organization and environment; it is also important to consider your customers’ access to your systems. We all take things for granted and sometimes do not realise certain shortcomings until we come face to face with them.
Recently I ended up facing a security scenario which made me realise how non-security-minded people would have been put in grave danger. It all started with my home ISP. Like many other ISPs, it provides a webmail service for people who wish to access their email via the web. Unfortunately they decided to run their webmail over a regular HTTP connection and not over a secure connection. With regard to accessing an insecure webmail from home, it’s not a major issue, since the only security weakness in such a scenario would be a sniffer running at my ISP. If someone was able to install a sniffer at an ISP, it would imply that he could in all likelihood get access to the actual mail server directly. When considering access from locations away from home, however, the story changes drastically.
Recently I was on a cruise liner which didn’t have many options with regard to connecting to the internet; the only viable option was a satellite connection. I was presented with my ISP’s webmail login page over an unsecured web connection going through a satellite link. This was as big a security risk as I could face under the circumstances and obviously a hugely bad idea. I had no idea if the satellite connection itself was encrypted, especially since in most cases, for technical reasons, they are not. Logging in under such circumstances, I would essentially be broadcasting the login and password I use for my email over a whole continent. Everyone with a cheap satellite card capturing all traffic on that channel at that time would get access to my credentials, as well as the location where those credentials apply.
The issue isn’t limited to satellite connections; anyone trying to access the webmail through any public connection, be it an internet cafe or an open wireless network, will be exposing his credentials as well.
In short, it is really essential for an administrator to think about how users (both internal and external to the company) will be accessing any of the company’s services. If your website at any stage asks for credentials, make sure that they are sent over a secure link. Always assume that the link between the customer and your system is compromised and then act accordingly. If on the other hand you’re a user, let this be a cautionary tale. Whenever you are about to enter credentials or any other confidential information, always stop and think. Is the data you are about to submit going to be sent in plain text or encrypted, and is the pipe transporting that data secure, or could it be compromised? Decide and act accordingly. Do not be tempted to just go ahead and access the service regardless of the risk; one mistake can cause a lifetime of pain.
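As an added example (not part of the original post), here is a small Python audit an administrator could run against a fetched login page to catch exactly the plaintext-credential path described above: a page served over HTTP, an HTTPS page without HSTS, or a password form whose action posts back over HTTP. The URL, HTML and headers are constructed sample inputs; fetching the page is left to the caller.

```python
"""Audit a login page for credential exposure over plaintext HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collects [resolved_action, has_password_field] for each <form> on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page URL itself.
            self.forms.append([urljoin(self.page_url, a.get("action") or ""), False])
            self._in_form = True
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self.forms[-1][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_login_page(page_url, html, headers):
    """Return findings (empty list = no plaintext credential path found).
    page_url is the URL the HTML was actually served from, after redirects;
    headers is the response header dict (names matched case-insensitively)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if urlparse(page_url).scheme != "https":
        findings.append("login page itself served over plain HTTP")
    elif "strict-transport-security" not in hdrs:
        findings.append("HTTPS page without HSTS header; first HTTP request can still be downgraded")
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    for action, has_password in scanner.forms:
        # An HTTPS page whose form posts to http:// still sends the password in clear.
        if has_password and urlparse(action).scheme != "https":
            findings.append(f"password form posts to non-HTTPS action: {action}")
    return findings


# Constructed sample: a webmail login form with a relative action, like the ISP page above.
SAMPLE_HTML = """<html><body><form method="post" action="/webmail/login">
<input name="user"><input type="password" name="pass"></form></body></html>"""
```

Run `audit_login_page(url, body, headers)` on the final response after following redirects; the first finding is the one the post's ISP webmail would have produced.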
At our firm, we thought it best to eventually divide the responsibilities of the security department. One branch is responsible for all internal software and network security of the company, while the other deals with software and network security of clients. Since businesses are (unavoidably) dependent on the satisfaction and security of their clients to stay successful, we thought this the best option all around. Our security department still works together to improve our security and our clients’ at the same time. In the end, everyone wins.
Most people tend to take internet security for granted. Research has shown that most people believe that internet security isn’t their responsibility, even if they understand that they have the most to lose. Many phishers are heading to public computers like libraries and internet shops to pilfer identities that haven’t been logged off.
Ironically, Google has been trying to address such security exploits by introducing Chrome’s Incognito window. I haven’t personally verified on how reliable this “cookie-less” / “fingerprint-less” browser works, but since most people don’t even bother to use it, it might not even matter.
Although it’s a duty for a service providing company to be able to make sure that our services are provided in a safe and secure environment, I think we seem to sometimes forget how much of that responsibility is that of the end-user as well. Even as a security provider, the company can only go so far as to protecting our clients if they don’t take the measures to protect themselves on their own.
I haven’t had the luxury of using an internet connection via satellite (or via cruise liner for that matter), but are they really that insecure? I’d think that most modern satellite connections are heavily encrypted, especially since they are mostly used for highly sensitive international data transfers. Or am I missing a key element of satellite connection security here? Are satellite connections more difficult to secure than more traditional networks?
Unfortunately, I believe that we can only provide as much security as our customers allow. For decades now, end-users have been able to set the sensitivity of their security protocols and usage filters. However, these are still settings that require the end-user’s full authorization and compliance. As suppliers, developers and programmers, we can only hope to provide the tools users need to protect themselves. But it’s up to them to do the actual protecting.
I think providing a secure link for our staff and our customers to enter personal information and credentials is the least bit of security we can offer them. No matter how random or strong our passwords might’ve been chosen to be, it’s all without merit if the people who are intended to use them aren’t able to do so quickly, efficiently and (more importantly) securely. Whether it be via satellite, remote or WAN connection, a secure connection is paramount.
@Stewart H.
You’re right, service providers can do so much and the rest depends on the users. The problem is that most users do not have the technical knowledge to do much. As you correctly say, a bank might offer all the encryption in the world but if the victim has a key logger installed on her machine her credentials will still be compromised. A service provider can only control his side of the security and that’s all I mean. If like in my case my service provider is running a web mail gateway on an insecure link the average user can do nothing to secure it.
@Jenny Whitson
I’m afraid it’s quite the opposite, satellite internet is generally not encrypted. The reason for this (in a nutshell) is that internet via satellite is slow and bandwidth is expensive, so to speed things up compression and acceleration algorithms are used, but these work only on unencrypted data so everything is left unencrypted. Using satellite for data exchange is generally very unsafe unless you take precautions and encrypt everything yourself beforehand.
@Kevin P.
I agree completely, we can provide the tools but the users need to use those tools and follow policy. There is no silver bullet obviously. If we provide the facilities to help with the user’s security it will be his responsibility if he decides to go around that in the end.