Mortgage Broker Bitten by Access Control Lapse
Provisioning user accounts is a pain, and de-provisioning can be a bigger pain. There are any number of reasons to automate user provisioning, from recovering lost productivity and reducing service desk overhead to just avoiding user frustration. Unfortunately, there aren't as many business pressures to smooth out the deprovisioning process. Once someone leaves, they aren't likely to complain about their accounts still being active. That's too bad for LendingTree, which was just bitten when former employees' still-active accounts were exploited.
Other lenders, not part of the LendingTree network, were able to get customer information and solicit those clients because of stale accounts left active. LendingTree internal security discovered the breach, which lasted from October 2006 to early 2008.
With so much news about malware, compromised Web sites, and other external threats, it is easy to forget about threats from the inside. Protecting individual assets is essential, and part of that is authentication and authorization control. The perimeter is now so intentionally permeable in some organizations that adding more defenses there does little to improve the overall risk level. SearchSecurity quotes one vendor on the imbalance of where mitigation efforts are placed:
Insiders are involved in about half of all data breach cases, but many firms are so focused on hardening the perimeter that insider threats are neglected, said Brian Cleary, vice president of marketing at access management vendor, Aveksa Inc.
Granted, this is coming from a vendor in the access control market, but there is enough truth to the statement to warrant our attention.



