The Weakest Link

I noticed another data breach recently. This breach was from PageUp, a firm that helps companies find employees. This means that they have lots of information, potentially PII data, and some of it might be out there. Since they provide job sites for many other companies, you might have used them to apply for a job and not realized it. Certainly if you have used them, you might keep an eye out.

The company notes that no personal information was lost, though encrypted usernames and passwords were disclosed. These were salted values hashed with bcrypt, which is secure, but all encryption can be broken given time and effort. Some people see bcrypt as secure, but others disagree. However, the strength of bcrypt depends on how the hashing was set up, and I wouldn't depend on this to be foolproof. If you used a password to apply for a job that you use on other sites, change it.
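As an added example (not code from the editorial or from PageUp), here is a small audit of "how the hashing was set up": it parses the cost factor out of stored bcrypt strings in the standard `$2b$<cost>$` format and flags entries below an assumed minimum cost or using an older variant, which is what you would rehash on the user's next login. The `MIN_COST` threshold and the sample hashes are constructed assumptions.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char hash>
# Hypothetical audit helper; the work factor is 2**cost key-setup rounds,
# so each +1 of cost doubles the effort an offline cracker must spend.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

MIN_COST = 12  # assumed policy threshold, not a value from the breach report


def parse_bcrypt(stored: str):
    """Return (variant, cost) for a bcrypt string, or None if it is not bcrypt."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        return None
    variant, cost, _salt_and_hash = m.groups()
    return variant, int(cost)


def needs_rehash(stored: str, min_cost: int = MIN_COST) -> bool:
    """True when the stored value should be re-hashed at next successful login."""
    parsed = parse_bcrypt(stored)
    if parsed is None:
        return True  # not bcrypt at all (legacy or unsalted): treat as weak
    variant, cost = parsed
    # "2b" is the current variant; "2a"/"2x"/"2y" come from older libraries
    return variant != "2b" or cost < min_cost


def audit(hashes: dict) -> dict:
    """Summarise a column of stored hashes: counts per cost and weak accounts."""
    report = {"weak": [], "by_cost": {}}
    for user, stored in hashes.items():
        parsed = parse_bcrypt(stored)
        cost = parsed[1] if parsed else None
        report["by_cost"][cost] = report["by_cost"].get(cost, 0) + 1
        if needs_rehash(stored):
            report["weak"].append(user)
    return report


# Constructed sample rows (salt and digest are filler, not real bcrypt output)
_FILLER = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = {
    "alice": "$2b$12$" + _FILLER,          # current variant, cost meets policy
    "bob": "$2b$04$" + _FILLER,            # bcrypt's minimum cost: far too cheap
    "carol": "$2a$10$" + _FILLER,          # older variant and below policy
    "dave": "0123456789abcdef" * 2,        # unsalted legacy digest, not bcrypt
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```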

The bigger issue for me is near the end of the BBC piece. A bank notes that a third party supplier had a security issue, so that means they need to check their systems. To me this means one thing.

Their security depends on the security of their business partners.

Depending on the level of access and integration, this might mean that your security is compromised by a link much weaker than the weakest link in your internal environment. Or that your security depends on the weakest human link not only inside your organization, but also within your partners. Despite all the work you’ve done to increase the security of your systems, you might have other holes out there.

It doesn't appear this breach is as bad as originally thought, but the point is still valid. The more interconnected you are with partners, especially with shared access, the larger your attack surface. My takeaway is that I need to ensure a limited API and protected access with minimal privileges for internal systems that are connected to any other networks. Production-level security is important not only for public-facing systems, but also for those that are semi-private with business partner access.

Steve Jones

The Voice of the DBA Podcast

Listen to the MP3 Audio ( 3.0MB) podcast or subscribe to the feed at iTunes and Libsyn.

About way0utwest

Editor, SQLServerCentral
