Reading this morning’s IBD, the front page news touted how Palo Alto Networks topped views due to soaring security demand. In a world where the costs of ineffective security spiral higher, driven by organized crime and financial gain, the industry continues to crank out solutions to those security issues; albeit also for financial gain.
Turning to page two, there was a small, one-paragraph blurb about how Salesforce was hit by malware. Breaches at Target, Home Depot, Chase, etc., all make huge headlines. Why such a small blurb about Salesforce? The answer lies in subtle differences.
The high-profile Target and Home Depot breaches involved those organizations actually being breached and millions of accounts stolen; there was substantial consumer impact. The Salesforce breach is closer to “death by a thousand cuts.” Salesforce itself was not breached. Rather, many business customers and users of Salesforce became infected with malware, which in turn exposed information as those users accessed Salesforce. The Salesforce breach is a man-in-the-middle attack: once a user’s machine is compromised, the browser is diverted to a malicious server sitting between the user and the Salesforce service, which “scrapes” the information as it travels between the affected computer and the Salesforce system. The vulnerability or weakness being exploited is not a flaw in Salesforce. Rather, the attack vector boils down to social engineering and the human element. Of course, Salesforce gets the bad press.
What happened? The unsuspecting user, who by now should know better if security awareness programs were more effective, clicks on a link in an email, which in turn prompts the user to download software. The link could appear to come from an acquaintance, or carry a subject line that piques the reader’s curiosity, but regardless, the end result is the same. The software that is installed is malicious and hooks the browser so that any time the user connects to Salesforce, the entire communication is instead routed through a malicious server in the middle, which steals the information and then farms it out for other gain.
SaaS (Software as a Service) is a very useful tool for businesses and empowers small businesses to benefit from cost efficiencies by paying only for what is used, versus infrastructure and recurring costs that are out of reach for most small businesses. However, SaaS is not without risks and, as with any business function, requires a careful risk assessment as well as relevant controls.
BYOD is another trend that empowers businesses and employees alike, saving businesses the capital costs of technology gear while allowing workers to use their own devices at work. When coupled with SaaS, there is a convergence of risk, because confidential data, both the employee’s and the business’s, can be exposed with substantial financial impact to either or both parties.
Getting back to the IBD article, it concluded with the news that Palo Alto, along with Fortinet, McAfee, and Symantec, all security vendors, have banded together to form the Cyber Threat Alliance. Need we say more about an industry spawned for financial gain, delivering solutions to cybercrime, which also seeks financial gain? All the technology in the world does not seem to prevent basic human error and weakness.
Our mothers taught us not to show large amounts of cash out in public. They also taught us not to accept gifts from strangers. Yet exploits like those that affected users of Salesforce all come down to those of us who failed to learn those childhood lessons and foolishly “accept gifts from strangers” when we click on links and download those “gifts.”
I have said it many times, and will say it again here: information security is not about the technology. Technology is one of the tools, yes, but information security is about business and common sense. Think before you click.