Thursday, July 19, 2007

Partners and Security, Part 2

Digging a little deeper into the security of business partners...

After reviewing the information you received, it is time to start looking a little deeper. Most of my experience is with web sites and web applications used for communications with vendors and franchisors, so that is where we will start.

Start with the basics. How do credentials get assigned? Are you sent a username and password in an email (this is both very common and very bad)? Do you have to reset your password at initial login? Do they even let you reset your own password? Does every user get their own credentials, or are you expected to share? Are logins encrypted? Are all transactions encrypted? Is the certificate valid?
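The encryption items in that list can be checked from the desk before any tools come out. The script below is an added example for this post, not the author's code: it parses a login page, finds forms carrying a password field, and flags any that would submit credentials over cleartext HTTP; a second function does the certificate check with Python's default trust store. The host name and HTML are constructed for illustration.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record each <form>'s resolved action URL and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for the offline checks: cleartext page, cleartext credential post."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page itself is served over cleartext HTTP")
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    for form in scanner.forms:
        if form["has_password"] and urlsplit(form["action"]).scheme != "https":
            findings.append(f"password form posts to cleartext URL {form['action']}")
    return findings


def certificate_is_valid(host, port=443, timeout=5.0):
    """True if the host's certificate chains to a trusted CA and matches the host name."""
    ctx = ssl.create_default_context()   # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ssl.CertificateError, OSError):
        return False


# Constructed sample: an HTTPS login page whose form posts credentials to plain HTTP.
SAMPLE_PAGE_URL = "https://partner.example/login"
SAMPLE_HTML = """<html><body>
<form method="post" action="http://partner.example/auth">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for f in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FAIL:", f)
```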

Sadly, a large number of sites, even among financial institutions, will fail some of these checks. Companies that spend significant resources securing their "public" websites will frequently cut corners on their partner/affiliate websites, as if we aren't coming in from the same Internet. The whole Insider Threat concept is lost on them. Random attackers may not know what they can access once they are "inside"; employees of partners already know what they are looking for.

Although some of the information you want is not as obvious in a web app as it is in a web site, you can still get what you need. Sometimes you can "break out" of Internet Explorer-based web apps by simply pressing Ctrl-N; a new browser window will open with headers, footers and toolbars, revealing full URLs, certificates, etc. If that doesn't help with your applications, don't worry; you will need to fire up a sniffer and a proxy sooner or later anyway, and they will give you what you need.

Next time, a little looking around before we break out the tools.