Technology, Security and Business: Finger Pointing Loses Money
by Overmortal on 2008-09-18 15:53:32
tags: consulting, hacking, security, technology
With technology having advanced so profoundly over the last few decades, security has become an important issue for every business trying to take itself to the next level. For businesses that rely on consulting companies to handle their technology needs, security is an even bigger issue.
Putting your trust in a consulting company to ensure that your technology is secure is a twofold application of trust. You are not only assuming that the consulting company can provide that security; you should also be assuming that it will proof your technology against the errors your own employees will make later. Many consulting companies do the first. Very few do the second.
I once consulted on a security job where a company's web application (one of their larger sources of revenue) had been hacked on three separate occasions, and the home page had been replaced each time with some version of a hacker manifesto. On the last occasion the home page was replaced by a giant red eye and lots of copy about the punishment of American infidels (the offenders were actually American, but masqueraded as Turkish hackers).
Upon investigation of the servers, it turned out that the hackers had managed to insert several HTML files into every directory of the web site, taking advantage of the web server's default document setting: the server serves the first file in a directory whose name matches its list of index pages, so a planted file that sorts earlier in that list silently replaces the real one without modifying it. As we investigated further, trying to determine how these files had been placed there, we found no evidence of intrusion through remote desktop or FTP. Our first inclination was to assume that somebody's password had been stolen, but nobody at the company had such broad access to the server. That access was in the hands of the consulting company they had contracted to build and host their web application.
Further examination of each directory revealed an errant ASP page. When accessed, this page sent information about the server back to the browser (and thus to whoever requested it) and also wrote the index pages we had found earlier. We had found both the tool and the breach. As it turned out, the directory the ASP page resided in was also the upload directory that everyone in the company had access to, through an upload form in the administration section of the web site. I opened a web browser, surfed over to that upload form, and discovered not only that the page could be accessed directly without logging in, but that it had a Google PageRank of 5. In other words, not only could anyone request the page directly; it could also be found through a search engine.
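The directory-by-directory sweep described above can be scripted. The following is an added example, not code from the original post or from the consultants, that walks a web root, lists every file the server would treat as a default document, and flags directories where a planted file shadows the real page or where a default document has appeared in a directory that should not have one. The default-document order, the directory names and the sample tree are constructed assumptions; substitute the server's real list and a baseline of the site's known index pages.

```python
import os
import tempfile

# Assumed default-document order (IIS-style); the post does not give the real one.
# The server serves the first name in this list that exists in the directory.
DEFAULT_DOCS = ["Default.htm", "Default.asp", "index.htm", "index.html"]


def default_doc_candidates(root, default_docs=DEFAULT_DOCS):
    """For every directory under root, list the files that the server would
    accept as a default document, in the server's priority order.
    Keys are paths relative to root ('.' for root itself), with '/' separators."""
    found = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}  # IIS matches case-insensitively
        hits = [by_lower[d.lower()] for d in default_docs if d.lower() in by_lower]
        if hits:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            found[rel] = hits
    return found


def shadowed_index_pages(candidates):
    """Directories holding more than one candidate. Only the first is ever
    served, so a planted file that sorts earlier silently replaces the real
    page without touching it (a hash baseline on index.html alone would not
    catch a defacement like this one)."""
    return {d: {"served": hits[0], "shadowed": hits[1:]}
            for d, hits in candidates.items() if len(hits) > 1}


def unexpected_index_pages(candidates, expected_dirs):
    """Directories that now contain a default document but are not in the
    baseline of directories known to have one (image or upload folders, say)."""
    return sorted(d for d in candidates if d not in expected_dirs)


def build_sample_webroot():
    """Constructed sample tree, not the incident's real layout: the site uses
    index.html in two directories, and an attacker has dropped Default.htm
    into every directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for sub in ["", "products", "products/images", "uploads"]:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        if sub in ("", "products"):
            with open(os.path.join(d, "index.html"), "w") as f:
                f.write("<html>legitimate page</html>")
        with open(os.path.join(d, "Default.htm"), "w") as f:
            f.write("<html>defacement</html>")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    cands = default_doc_candidates(root)
    for d, info in shadowed_index_pages(cands).items():
        print(f"{d}: serving {info['served']}, shadowing {info['shadowed']}")
    print("new default documents in:", unexpected_index_pages(cands, {".", "products"}))
```

Run against the live web root rather than a backup: the point is to see what the server will actually serve right now, and to compare the list of directories holding a default document against a baseline taken when the site was known to be clean.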
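The missing check is the whole story, so here is an added example, written in Python rather than ASP and not the consultants' code, that puts the vulnerable pattern beside the fix: a page that serves the upload form to anyone who requests it, and the same page wrapped in a decorator that checks server-side session state on every request regardless of how the URL was reached, plus a startup audit that no handler under the admin prefix was left unwrapped. The route paths, session store and request shape are constructed assumptions.

```python
from functools import wraps

# Constructed server-side session store: session id -> session data.
# In the real application this role would be played by the ASP Session object.
SESSIONS = {
    "abc123": {"user": "alice", "role": "admin"},
    "def456": {"user": "bob", "role": "editor"},
}


def make_request(path, session_id=None, method="GET"):
    """Minimal request object for the example (assumed shape, no framework)."""
    cookies = {"sid": session_id} if session_id else {}
    return {"path": path, "method": method, "cookies": cookies}


def current_session(request):
    """Resolve the session cookie against the server-side store; nothing the
    client sends beyond the opaque session id is trusted."""
    return SESSIONS.get(request["cookies"].get("sid"))


def upload_form_vulnerable(request):
    """The pattern from the post: the page has no login logic of its own and
    relies on being linked only from a menu that sits behind a login prompt.
    Anyone who requests the URL directly (a crawler following a stray link,
    a copied URL) gets the form."""
    body = '<form method="post" enctype="multipart/form-data">...</form>'
    return 200, {}, body


def require_login(role="admin"):
    """Decorator that checks server-side session state on every request.
    How the client found the URL is irrelevant; only the session counts."""
    def decorate(handler):
        @wraps(handler)
        def wrapped(request):
            session = current_session(request)
            if session is None or session.get("role") != role:
                # No session or wrong role: redirect to the login page.
                # X-Robots-Tag additionally tells crawlers not to index it.
                return 302, {"Location": "/admin/login.asp", "X-Robots-Tag": "noindex"}, ""
            return handler(request)
        wrapped.login_required = True  # marker consumed by the audit below
        return wrapped
    return decorate


@require_login(role="admin")
def upload_form(request):
    """Hardened version: identical body, unreachable without an admin session."""
    body = '<form method="post" enctype="multipart/form-data">...</form>'
    return 200, {"X-Robots-Tag": "noindex"}, body


# Constructed route table. One legacy page was registered without the
# decorator, which is exactly the mistake the audit below exists to catch.
ADMIN_ROUTES = {
    "/admin/upload.asp": upload_form,
    "/admin/upload_legacy.asp": upload_form_vulnerable,
}


def unprotected_admin_routes(routes, prefix="/admin/"):
    """Every route under the admin prefix whose handler lacks the login marker.
    Run at startup and refuse to serve if non-empty, so a forgotten check is a
    deployment failure instead of a public page."""
    return sorted(path for path, handler in routes.items()
                  if path.startswith(prefix) and not getattr(handler, "login_required", False))


if __name__ == "__main__":
    print("no session:", upload_form(make_request("/admin/upload.asp"))[0])
    print("admin session:", upload_form(make_request("/admin/upload.asp", "abc123"))[0])
    print("unprotected:", unprotected_admin_routes(ADMIN_ROUTES))
```

The decorator is the fix for the page; the audit is the fix for the process. A login prompt in front of a menu protects only the link, so the check has to live on every page that must not be public, and the audit makes sure nobody can forget one.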
The technology company that built the web application was unsure how the page had been indexed. They acknowledged that the page had no login logic of its own, but maintained that it was only supposed to be reached from an admin section of the web site that was already behind a login prompt. As they saw it, there was no way Google could have indexed it.
As I continued the investigation, the reason for the search engine indexing became clear. One of the pages on a separate web site belonging to the company linked directly to the upload form instead of to the admin login page. That page's content was controlled by the company's marketing department.
This struck a chord with the technology consultants. They admitted the flaw in their login logic, but concluded that the only reason these breaches were occurring was user error by the company's employees. Had marketing not linked to a supposedly secure page from one of their own pages, this would never have happened.
Their chain of events was accurate, but their conclusion was wrong. A login prompt in front of the admin menu protects the link, not the page: a page that does not check the session itself is open to anyone who learns its URL, whether from a stray link, a crawler or a guess. User error was just as much their fault as the company's. When a company hires consultants to develop its technology, it is the consultants' job to proof that technology against likely user error by the company's employees. This is a requirement, not a nicety.
Too often I hear of consulting companies that treat clients as if they were a burden, pointing fingers whenever there is a "user error." The reality is that there are going to be user errors. If a company were that technologically sound, it would not need to hire a consulting company in the first place. Pointing fingers and placing blame is not what a consulting company is there for. It is there to solve problems and, quite possibly just as important, to prevent future problems. Pointing fingers at a client does neither, and in the end it costs the client revenue.
Stubbornness and egotism are not qualities becoming of a consulting company. Unfortunately, quite a few companies out there harbor both.
