UPDATE: Approximately 1 month after highlighting the lack of HTTPS, the affected IT security consulting company started to use HTTPS.
Please tell me your answer after reading. Does it matter to you if a company that’s selling you a service applies the same advice they give to you?
Here is a story showing that security companies sometimes don't practise what they preach, even at a basic level.
What happened: almost no security happened
I’m Jamaican, and recently on a social media platform, I commented on a company that has offered IT security services for a few years now but has very poor security on its corporate website. Basically, their website doesn’t seem to be hardened, which looks like this:
- NO HTTPS
- An “F” score by securityheaders.com
- Multiple publicly exposed medium-to-high risk security issues on a popular CMS with a reputation for security vulnerabilities
- NO signs that they are using a web application firewall (WAF).
- Exposed administrative login page.
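As an added example (not part of the original post, and not data from the company described), here is a small Python script that performs the kind of basic check the list above describes against a site you operate: whether it is served over HTTPS and which of the common security response headers securityheaders.com looks for are missing or leak software information. It parses a raw response header block, such as the output of `curl -sI https://your-site.example`, and produces a rough letter grade. The grading rule, the header descriptions and the two sample header blocks are constructed approximations for illustration, not securityheaders.com's actual algorithm or any real site's output.

```python
"""Basic self-audit of a website's transport and response-header hardening.

Added example: feeds a raw HTTP response header block (as printed by
`curl -sI https://your-site.example`) through a small grader. The grading
rule is a constructed approximation of what securityheaders.com checks,
not its real algorithm.
"""
from __future__ import annotations

# Headers a hardened site is expected to send, with the risk each one addresses.
# Names are lowercase because HTTP header names are case-insensitive.
EXPECTED_HEADERS = {
    "strict-transport-security": "browsers may silently fall back to plain HTTP",
    "content-security-policy": "injected scripts run with no origin restrictions",
    "x-frame-options": "page can be framed for clickjacking",
    "x-content-type-options": "browsers may sniff content into executable types",
    "referrer-policy": "full URLs leak to third parties via the Referer header",
    "permissions-policy": "powerful browser features are not restricted",
}

# Headers that only reveal software and version information to visitors.
LEAKY_HEADERS = ("server", "x-powered-by")

SIX_MONTHS = 15552000  # seconds; a commonly recommended minimum HSTS max-age


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Parse a raw response header block into a lowercase-keyed dict.

    The status line (no colon) and blank lines are skipped. Splitting on the
    first ':' keeps values that themselves contain colons (dates, CSP) intact.
    """
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent/invalid)."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age":
            return int(num) if num.strip().isdigit() else 0
    return 0


def audit(scheme: str, headers: dict[str, str]) -> dict:
    """Return a rough grade plus human-readable findings for one response."""
    findings: list[str] = []
    https = scheme.lower() == "https"
    if not https:
        findings.append("served over plain HTTP: no confidentiality or integrity for visitors")

    missing = [name for name in EXPECTED_HEADERS if name not in headers]
    for name in missing:
        findings.append(f"missing {name}: {EXPECTED_HEADERS[name]}")

    for name in LEAKY_HEADERS:
        if name in headers:
            findings.append(f"{name} header discloses '{headers[name]}'; consider removing it")

    if "strict-transport-security" in headers:
        age = hsts_max_age(headers["strict-transport-security"])
        if age < SIX_MONTHS:
            findings.append(f"HSTS max-age {age} is below the six-month minimum")

    # Constructed grading rule: plain HTTP is an automatic F; otherwise start at
    # A and drop one letter per missing header, bottoming out at F.
    grade = "F" if not https else "ABCDEF"[min(len(missing), 5)]
    return {"grade": grade, "missing": missing, "findings": findings}


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: ExampleHTTPd/1.0
X-Powered-By: ExampleCMS/3.2
Content-Type: text/html; charset=UTF-8
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""


def demo() -> tuple[dict, dict]:
    """Audit both samples: the weak one over plain HTTP, the hardened one over HTTPS."""
    weak = audit("http", parse_raw_headers(WEAK_RESPONSE))
    hardened = audit("https", parse_raw_headers(HARDENED_RESPONSE))
    return weak, hardened


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), demo()):
        print(f"{label}: grade {result['grade']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The script never fetches anything itself; you capture your own site's headers with `curl -sI` and pass them in, which keeps the check confined to assets you administer. The weak sample reproduces the posture in the list above (plain HTTP, no security headers, a CMS and server banner on display) and grades F; the hardened sample sends all six headers with a year-long HSTS policy and grades A.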
This caught my attention because it’s a company that I’ve seen a lot in the Jamaican media; they publicly report good profits, trade on Jamaica’s Junior Stock Exchange and put a good effort into marketing security services to companies. In general, they seem to be good people.
A common good practice in the industry is to tell companies they should respond responsibly to public reports of security vulnerabilities in their online assets. For example, a response to some stranger’s social media vulnerability report should sound like “Thank you for reporting this issue, we will investigate and implement a fix where necessary”. That’s not what happened in this case. What happened was someone from marketing following my account, so it’s not a good example of good practice. From what I’ve seen throughout my career, security consulting companies in general poorly follow their own advice. Maybe because it might look bad to their client base that something they put online has a vulnerability, as a security company. But that’s a foolish perspective to have, because it suggests every company should fear that their customers will see them responsibly admitting that they will address a publicly reported vulnerability, especially a true positive. All software has a known vulnerability at some point in time. If clients used InfoSec companies as examples, then they would never respond to a public message about a security issue, but instead remain silent and hope to fix it privately before anyone else notices. Similar approaches lead to a poor relationship with the public around responsible disclosure.
Why a public display of security matters
If we don’t take our own advice seriously, then our clients shouldn’t either! The Information Security industry is very lucrative because of how technology has evolved to support our daily lives and all the security risks that follow. Also, based on my personality, I disagree with the idea that it’s OK for a “shoemaker to have the worst shoe”. It would also be a bigger professional issue for me if I worked with a shoemaker who preaches how important it is to wear shoes, but either doesn’t wear shoes or only wears a shabby pair when going out in public.
This is a typical example of people in numerous industries not practising what they preach, at least not publicly, and I don’t understand the poor effort.
The stories infosec companies tell
If you look through a few popular security surveys and reports covering Information Security, you will find a lot of blame directed at users, calling them the weakest link, but mainly you’ll see much emphasis that businesses should make security “a top priority”. Security companies all around seem to drive fear and anxiety into businesses. I’m a part of the industry, but I don’t like that kind of behaviour. While many are driving this fear, they are often poorly prepared for the same targeted attacks.
I’ve seen a lot of security administrators in and outside of InfoSec consulting companies being obstructed from solving problems because of unnecessarily tedious procedures and corporate politics. In many cases, a 15-minute fix takes one month to a year to be approved, or is never approved. This is one reason why some companies seem to be exploited because of slack security practices. Trying but being exploited doesn’t mean a business is bad or doesn’t care, but not trying in the first place doesn’t get you much empathy.
My theory of world issues and people’s bad habits
In 2017 I read a book called The Power of Habit. It was a very good read. You should check it out. What I learnt was that you could achieve anything if you develop the right habits. It also showed how you could trace the great success of popular people to a very consistent set of habits. E.g. world-class achievers have invested numerous quality hours (much more than the typical wannabe) in consistent practice and development, even if they were born into a family famous for the particular skill.
I’ve had a theory for a while now that a lot of the issues of the world are basically because people have bad habits. Bad habits that prevent them from doing the right or good thing when they get the opportunity. I believe the InfoSec industry is so fear-driven and anxious because people’s bad habits drive them to maliciously exploit security vulnerabilities instead of being a part of the solution or contributing positively. But what sometimes happens when random strangers try to be a part of the solution and are ignored? Malware, Black Hats, and Social Engineering scams happen; Ransomware happens. It’s all an interesting observation to me. Software is developed by humans and as such is inherently flawed, and nothing is wrong with that, because it keeps us on a quest to continuously improve, innovate and be better.
If you’re interested in adopting good security on your website but don’t know where to start, reach out to someone you know within the InfoSec industry for guidance. They will likely point you in a positive direction, even if their own website doesn’t apply the same. If you find a company that is doing well in this area, then you’re in a better place.
People’s bad habits can be quite fascinating; I think I may cover this theory some more in another post. Till then, I wish you success in your security plan. Remember to practice good habits, not just with computer security but in your daily life.
All the best. Stay safe.