Lessons you and your boss could learn from the iCloud flaw

The article below was originally published in English on LinkedIn Pulse.

Well, another security flaw is exposing some celebrities' pictures. Some of the pictures are ordinary, but others their owners would rather not show to a large audience. Privacy is on the table again for discussion. But let us take another point of view: what if this flaw had victimized your corporation?

I know your company does not store nude pictures in the cloud, but it could be just as exposed when it comes to your client data, your commercial deals, and so on. The care you have to take concerns your user information, authentication and access control.

Some people may think this is a commodity: every company already has an IAM system that protects its assets. However, this kind of flaw is more common than you may guess. Many companies are exposed to weak passwords, weak authentication solutions and orphan accounts, even if they are using the most advanced IAM solution available.

If you ask me why, I can say from my own experience that most managers believe IAM will solve all those problems. They forget that IAM is only a tool. Before beginning your IAM implementation, you should start by mapping your processes for the identity and access lifecycles. Have you done yours?

During the mapping and the full requirements gathering, you may notice that some of your assets are more important than others. Trust me: some of your information needs no authentication or protection at all and could be publicly available, yet it currently sits behind a login. By the same token, your most important data may also sit behind weak authentication that asks for nothing more than a username and password.

Another point to analyze is where your users are and how they access your data. The security level for a user accessing data from your internal network on a company desktop needs to be different from that of the same user accessing the same data from a tablet on a public Wi-Fi hotspot at an airport. The device can be stolen with your data in its cache, or the credentials can be captured over the wireless network.

We expect a company to be capable of detecting the risk around a user and adapting the authentication scheme in real time to increase security. Monitoring must also be ready to detect the kind of brute-force attack that this iCloud vulnerability fell victim to. Some customer portals already detect this and add a captcha element to the login after two failed authentications.
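The two ideas in the last paragraphs, raising the authentication bar when the user comes from an untrusted network or device, and counting failed logins so that a guessing run hits a captcha and then a lockout, can be combined in one small policy engine. The code below is an added illustration written for this page, not code from the original article or from any vendor product. The internal network ranges, the managed-device identifiers, the thresholds (captcha after 2 failures, lockout after 10) and the login attempts it is driven with are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical site configuration: which address ranges count as the internal
# network and which device identifiers belong to company-managed endpoints.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MANAGED_DEVICES = {"desk-0042", "desk-0107"}

CAPTCHA_AFTER = 2    # failures before a captcha is demanded, as in the portals above
LOCKOUT_AFTER = 10   # failures before the account or source address is refused


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    device_id: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    require_captcha: bool
    require_mfa: bool
    reason: str


class AdaptiveAuthPolicy:
    """Decide what a login must present *before* the password is verified,
    based on recent failures and on where the request comes from."""

    def __init__(self) -> None:
        self.failures_by_user = defaultdict(int)
        self.failures_by_ip = defaultdict(int)

    @staticmethod
    def context_risk(attempt: LoginAttempt) -> int:
        """0 = internal network on a managed device; each risk factor adds 1."""
        risk = 0
        if not any(ip_address(attempt.source_ip) in net for net in INTERNAL_NETWORKS):
            risk += 1   # off-network: credentials may be captured on the wire
        if attempt.device_id not in MANAGED_DEVICES:
            risk += 1   # unmanaged device: cached data leaves with the device
        return risk

    def evaluate(self, attempt: LoginAttempt) -> Decision:
        # Count by user AND by source address: one address cycling through
        # many usernames is a guessing run even if each user sees one failure.
        failures = max(self.failures_by_user[attempt.user],
                       self.failures_by_ip[attempt.source_ip])
        if failures >= LOCKOUT_AFTER:
            return Decision(False, False, False, "too many failures: locked out")
        captcha = failures >= CAPTCHA_AFTER
        mfa = self.context_risk(attempt) > 0
        reason = "off-network or unmanaged device" if mfa else "internal network, managed device"
        return Decision(True, captcha, mfa, reason)

    def record_result(self, attempt: LoginAttempt, password_ok: bool) -> None:
        """Update counters after the password check. A success clears the
        per-user counter but not the per-address one: a correct guess in the
        middle of a burst of failures is what a guessing run looks like."""
        if password_ok:
            self.failures_by_user[attempt.user] = 0
        else:
            self.failures_by_user[attempt.user] += 1
            self.failures_by_ip[attempt.source_ip] += 1


def simulate_guessing(policy: AdaptiveAuthPolicy, user: str, source_ip: str,
                      device_id: str, wrong_guesses: int) -> Decision:
    """Drive `wrong_guesses` failed logins and return the decision for the next one."""
    attempt = LoginAttempt(user, source_ip, device_id)
    for _ in range(wrong_guesses):
        if not policy.evaluate(attempt).allow:
            break
        policy.record_result(attempt, password_ok=False)
    return policy.evaluate(attempt)


if __name__ == "__main__":
    policy = AdaptiveAuthPolicy()
    # Constructed attempts: the same user from the office and from an airport hotspot.
    print(policy.evaluate(LoginAttempt("alice", "10.1.2.3", "desk-0042")))
    print(policy.evaluate(LoginAttempt("alice", "203.0.113.7", "tablet-alice")))
    # A constructed guessing run against alice from a public address.
    print(simulate_guessing(policy, "alice", "203.0.113.7", "unknown", 2))
    print(simulate_guessing(policy, "alice", "203.0.113.7", "unknown", 8))
```

The decision is computed before the password is checked, so an attacker who is already over the captcha threshold never gets a free password comparison, and the per-address counter means switching usernames does not reset the clock. Real deployments would persist the counters with an expiry, add network reputation and device posture to the risk score, and alert on the lockout rather than just refusing the login.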

Is it hard to do? Not at all. So why doesn't your boss care? Maybe the fault lies with the security administrators or experts, who sometimes forget to explain the message and make sure the boss understands the risk to which he is exposing the company.

So here is my appeal: make sure that everybody who makes decisions is correctly informed and understands the risk they are taking. It really is a risk. Otherwise, you may be joining the celebrities, crying over your leaked data.

Fabio R. Sobiecki de Sales, CISSP, CCSP, CDPSE

Written in September 2014.
Originally published on LinkedIn Pulse.

Author: fabio

Fabio Sobiecki is a systems analyst, graduated from Unopar, a specialist in Information Security from Senac, and holds an MBA from FGV. He has worked in Information Security since 2004; between 1998 and 2004 he worked in information technology, in the infrastructure and computer networks area. Fabio Sobiecki has been certified by (ISC)² as CISSP and CCSP since 2008 and 2017, respectively. He is currently president of the (ISC)² São Paulo chapter and a solutions engineer at RSA.