An organisation's security doesn't have to be a secret to be secure, but with plenty playing the silent game out of fear, there's an opportunity for those on top of their game to demonstrate higher value to customers.
There's a principle in the information security industry that any good system does not rely on security through obscurity; that is, the design of the system shouldn't need to be a secret in order to secure it.
If good practice dictates that there are no flaws in the design of a system, then why do so few organisations disclose their information security practices, since, theoretically, they should give attackers nothing to work with? I'm not condoning that organisations bare all of their source code and issue a challenge to would-be hackers to try to break into their systems — that's a recipe for disaster — but there's room for organisations to take a more proactive approach of disclosing at least some details that will improve overall user confidence in an organisation's security.
The current approach by many organisations is to deny user and media requests for information, with the throwaway excuse that they do not comment on matters of security. This approach has the opposite effect of instilling confidence in an organisation, by leaving users wondering whether organisations have something to hide.
And, unfortunately, sometimes they do.
LinkedIn and Sony are perfect examples of organisations that didn't have the right security in place and surely wouldn't admit to it. However, I'm not looking to highlight flaws; I'm asking why more organisations aren't using security as a means to differentiate themselves. On the back of the numerous breaches we've seen, there's certainly an opportunity for rival organisations to reassure their customers that they are doing the right thing. Just as car makers turned initially despised safety features like seatbelts and airbags into selling points, organisations could do the same, explaining the benefits and ensuring that, to stay competitive in their market, they have to stay on top of security.
There probably isn't a better market to do so than the financial industry, where, as more of our transactions make their way online, security is paramount. But despite the fact that security forms a crucial part of any online banking system, few people know much about how their bank approaches security.
For example, even after a month of enquiries, none of Australia's big four banks have been willing to discuss whether they even hash passwords or salt them. One bank even outright refused to answer simple questions, such as whether it has a minimum and maximum password length.
Granted, obscurity has its purposes when it is not the only means of security and is employed as an additional tool to make the job of hackers harder, but it shouldn't be used in such a backwards manner to undermine customer confidence — or worse, mislead them into making poor security decisions.
Blizzard initially didn't inform its customers that its Battle.Net passwords are case insensitive — knowledge that could have led users to create more secure passwords if they knew that the keyspace was shorter. But despite dealing directly with customer funds, banks are also susceptible to the same security-defeating behaviour. The Commonwealth Bank omits from its security guide and secure password tips that its online banking passwords are also case insensitive — and, strangely enough, the only place this case insensitivity is noted is in the bank's demo of NetBank, not in its actual working product.
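As an added example (not part of the article), a short Python script makes concrete what "the keyspace was shorter" means: a case-insensitive service collapses every case variant of a password into one stored hash, and a user can only compensate by adding length. The passwords, the salt and the illustrative salted SHA-256 are constructed for this example and do not describe any bank's or Blizzard's actual scheme.

```python
"""Added example, not from the article: how case-insensitive password handling
shrinks the keyspace. Passwords and salt are constructed; the salted SHA-256 is
illustrative only (a real credential store would use a slow, salted KDF)."""
import hashlib
import itertools
import math
import string

# A typical "letters and digits" policy: 62 symbols, or 36 once case is folded.
MIXED_CASE = string.ascii_letters + string.digits
CASE_FOLDED = string.ascii_lowercase + string.digits


def keyspace_bits(length: int, case_sensitive: bool) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols."""
    alphabet = MIXED_CASE if case_sensitive else CASE_FOLDED
    return length * math.log2(len(alphabet))


def length_to_compensate(length: int) -> int:
    """Shortest case-folded password at least as strong as `length` mixed-case symbols."""
    target_bits = keyspace_bits(length, case_sensitive=True)
    return math.ceil(target_bits / math.log2(len(CASE_FOLDED)))


def store_hash(password: str, salt: bytes, case_sensitive: bool) -> str:
    """Salted hash as a credential store would keep it. A case-insensitive
    service folds the password before hashing, so case variants collide."""
    if not case_sensitive:
        password = password.lower()
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def case_variants(password: str) -> set[str]:
    """Every spelling of `password` that differs only in letter case."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in password]
    return {"".join(p) for p in itertools.product(*choices)}


def distinct_hashes(password: str, case_sensitive: bool,
                    salt: bytes = b"constructed-salt") -> int:
    """How many distinct stored hashes the case variants of one password yield."""
    return len({store_hash(v, salt, case_sensitive) for v in case_variants(password)})


if __name__ == "__main__":
    pw = "Secret1"  # constructed sample: 6 letters -> 64 case variants
    print(distinct_hashes(pw, True), distinct_hashes(pw, False))       # 64 1
    print(round(keyspace_bits(8, True) - keyspace_bits(8, False), 1))  # 6.3 bits lost
    print(length_to_compensate(8))                                     # 10
```

For an eight-symbol policy the fold costs a little over six bits, so a user who knows about it needs ten case-folded symbols to match what eight mixed-case ones would have given.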
Instead of embracing security and the way it can attract customers, organisations appear to be scared to death, withholding more and more information and leaving users in the dark. Customers don't want less information in these uncertain times; they want an organisation that is clear and transparent about how it secures user information.
Rather than losing customers during a breach, there's another option: subtly, so as not to issue the "we're unhackable" challenge, organisations can show that they're on top of their game and different from their rivals. With major breaches seemingly being reported on a fortnightly basis, users are starting to pay attention, and victims will want an organisation that doesn't wait until it is breached before it hardens its security.
Would love to hear from you...