Monday, August 11, 2008

Thinking about security

So after 5 years, I changed all my basic passwords. Why? I was reminded that some of them were used in less than secure sites and I have been remiss in my regular practice of changing them every year or so.

Recent compromises at TechSoup and Network for Good reminded me that ultimately I am responsible for my own security. It is inevitable that security breeches will happen. Most of the responsibility for dealing with those breeches is on me... when a site is breeched, how much of my online life is vulnerable?

The other part of responsibility is on the provider. How do they react? How do they manage risk? How do they communicate the facts and the implications of those facts? The rather minimizing notifications from providers are a little bit disconcerting: http://techsoup.org/maintenance/page10338.cfm.

I'm not sure there is clear communication going on:

  1. Viruses and malware means "a key logger could have been installed in your computer"
  2. No evidence of download of personal information does not mean the keylogger didn't get your personal information.
You don't want to scare people unecessarily, but I would certainly hope that a mission driven NTAP would err on the side of caution and education rather than delivering what i would call a text-book vendor notification of a breech.

Viruses and malware are used to do little things like capture all your passwords (keyloggers). I saw a great demonstration once of cracking online banking after visiting an infected site.... these are serious issues and I'm not sure that the magnitude of the potential issues is really being communicated to those impacted.

What if viruses and malware are just decoys? I know that most NPO technical services are staffed by competent, well meaning folks. But hard-core security folks that can uncover the *whole* story? Not so much. Without information on what, exactly their response has been, it is hard to have a lot of confidence.

Finally, I think there is something very inevitable about two major NTAPs suffering a compromise of their older, creeky infrastructure... technology changes rapidly... continuous expensive investment is required to keep up with the moving ball. If you can't invest the money and people and time and planning in moving the ball forward, it's time to outsource your efforts.

I will note that both providers have made timid forays into modern technology that can address some of these issues.

Techsoup has used the Drupal open source system for a number of projects. Keeping up-to-date with an open source platform does a huge amount to improve security... the open source community fixes vulnerabilities and staying up to date protects the user.

But why not over the past 3-5 years budget and upgrade to an open source platform?

Network for Good takes another good tack... go to the cloud. They have experimented with Salesforce.com, where Salesforce engineers take responsibility for security and as the cloud gets updated the user is protected.

But why not over the past 3-5 years budget and upgrade all your services to a cloud-based platform?

In the end its all about management. How well do I manage risk by changing my passwords? How well do providers manage risk by investing in their technology infrastructure?

1 comment:

abenamer said...

Agreed. Techsoup needs to show some serious thought leadership in the way it's handling this breach. I feel that there has been inadequate notification of users so far.

If this had happened to a vendor with a less privileged position in the market, the opprobrium would have been tremendous. However, Techsoup is privileged in that it is the conduit for software in the nonprofit sector. I feel it is squandering its privilege when it fails to notify users in a less than forward thinking way.