
Salesforce.com Phishing & Security Awareness

KingS

According to The Register, "Salesforce.com (SFDC) has been caught with its pants down after phishers persuaded an employee to hand over customer contact details."

That SFDC customers have been specifically targeted should not come as a surprise. The SaaS and PaaS models mean that more and more sensitive data and applications which manage that data are being built on the SFDC platform. It's an attractive and very large, high-profile target.

Apparently, one of their own employees fell for a phishing scam which resulted in compromised authentication credentials. A commentator on Bruce Schneier's blog suggests that the employee might have "sold his login information to the phishers."

SFDC themselves have issued an email to their customers stating that the intrusion did not "stem from a security flaw in our application or database." While this might be true, what their system did not do was detect the unauthorised access, nor ensure that access to confidential data requires two-factor authentication (2FA), or indeed anything stronger than a username and password.

Regardless, SFDC should be respected for quickly reaching out to customers with positive messages and sound advice, such as to modify "your Salesforce implementation to activate IP range restrictions."
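The two controls mentioned above, IP range restrictions and something stronger than a password, can also be checked after the fact against login records. The following is an added example, not Salesforce.com's code or configuration; the allowed ranges and login events are constructed, and the record format is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allow-list standing in for an org's "IP range restrictions"
# setting: office egress and VPN ranges (assumed values, not SFDC's).
ALLOWED_RANGES = [
    ipaddress.ip_network(cidr) for cidr in ("203.0.113.0/24", "198.51.100.0/25")
]


@dataclass(frozen=True)
class LoginEvent:
    user: str
    source_ip: str
    mfa_used: bool  # whether a second factor was presented (assumed field)


def is_allowed_source(ip: str) -> bool:
    """True if the address falls inside any permitted range."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    return any(addr in net for net in ALLOWED_RANGES)


def flag_logins(events):
    """Return (user, source_ip, reasons) for logins a reviewer should look at:
    those from outside the allowed ranges and those made with a password only."""
    findings = []
    for e in events:
        reasons = []
        try:
            if not is_allowed_source(e.source_ip):
                reasons.append("source outside allowed IP ranges")
        except ValueError:
            reasons.append("unparseable source address")
        if not e.mfa_used:
            reasons.append("password-only login")
        if reasons:
            findings.append((e.user, e.source_ip, reasons))
    return findings


# Constructed sample: one in-range 2FA login, one out-of-range login,
# one out-of-range password-only login (the phishing-style case).
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.17", True),
    LoginEvent("bob", "198.51.100.200", True),
    LoginEvent("carol", "192.0.2.44", False),
]

if __name__ == "__main__":
    for user, ip, reasons in flag_logins(SAMPLE_EVENTS):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
```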

This also reinforces the importance of security awareness messages as a mitigating control against data compromise. We have to work harder and spend a greater proportion of our resources on education. Perhaps we should start to hold employees personally accountable as negligent if they are tricked into revealing data that results in a compromise? Surely it is as bad as a developer writing vulnerable code or a network technician opening the wrong port on the firewall. All three scenarios are likely to result in the same outcome, so why don't we address each of them with the same effort?




Comments (1)

Salesforce.com makes 2FA security a Catch-22 choice for SMEs

The Salesforce.com phishing incident should not come as a surprise to anyone. The growing popularity of the SaaS model means that providers like Salesforce.com, NetSuite and Oracle are managing increasingly sensitive business applications and data for more and more high profile customers. It's too big a honeypot for the Internet Underworld to ignore.

It's really positive that Salesforce.com are now recommending the use of two-factor authentication (2FA) to secure the login to their service, but there is one major flaw: to replace their basic password with a 2FA process you need to enable their 'Single Sign-On' (SSO) function. Unfortunately this SSO function is limited in the Salesforce.com Professional Edition, the SME version which is used by the vast proportion of their customer base.

For these customers, SSO is a 'global setting', so it is either 'on' or 'off' for all users. This means that if 2FA tokens are to be deployed, they have to be issued to every single Salesforce.com user, which can be simply too costly.

So for all Pro Edition customers, in order to follow Salesforce.com's security advice, they have a costly Catch-22 choice: either upgrade to the more expensive Enterprise Edition or give everyone 2FA whether they need it or not.

It's a fallacy that only big companies use 2FA; we have hundreds of customers of all sizes using our fully managed two-factor Secure Authentication Service, some with just a handful of users.

It is frustrating that our customers cannot extend the use of their tokens to secure their Salesforce.com accounts too. If Salesforce.com were to make SSO a 'per user' setting on Pro Edition, this would show that they are committed to helping all customers improve their security.

John Stewart
Founder
Signify - The Secure Authentication Service


About

This page contains a single entry from the blog posted on November 11, 2007 11:11 AM.
