Search Blog
  • Alan Fustey
  • Becky Wong
  • Bert Griffin
  • Blair MacDougall
  • Blake Goldring
  • Brett Baughman
  • Camillo Lento
  • Chris Delaney
  • Cynthia Kett
  • Darren Long
  • Desmond Jordan
  • Don Shaughnessy
  • Doug Lamb
  • Ed Olkovich
  • Eva Sachs
  • Evelyn Jacks
  • Gail Bebee
  • Gerald Trites
  • Gordon Brock
  • Guy Conger
  • Guy Ward
  • Heather Phillips
  • Ian Burns
  • Ian R. Whiting
  • Ian Telfer
  • Jack Comeau
  • James Dean
  • James West
  • Jeffrey Lipton Fairmont Gloucester
  • Jim Ruta
  • Jim Yih
  • Joe White
  • Jonathan Chevreau
  • Kenneth Eng
  • Larry Weltman
  • Malvin Spooner
  • Mark Borkowski
  • Marty Gunderson
  • Michael Kavanagh
  • Monty Loree
  • Nick Papapanos
  • Norma Walton
  • Pat Bolland
  • Patrick O’Meara
  • Paul Brent
  • Peter Deeb
  • Peter Lantos
  • Riaz Mamdani
  • Richard Crenian
  • Richard Warke
  • Rick Atkinson
  • Rob Peers
  • Robert Bird
  • Robert Gignac
  • Sam Albanese
  • Stephane Ruah
  • Steve Nyvik
  • Steve Selengut
  • Tammy Johnston
  • Terry Cutler
  • Trade With Kavan
  • Trevor Parry
  • Trindent Consulting
  • Wayne Wile
  • Categories
    November 2012
    M T W T F S S
    « Oct   Dec »


    Security not included ?? real lessons you should know about before you hire your next IT service provider

    Terry Cutler

    By Terry Cutler

    A recent vulnerability audit and stimulated hacking scenario on a website belonging to a small non-profit uncovered 25 possible vulnerabilities, and according to the director and his board of directors such a problem should have never occurred.

    “When we created the site two years ago we assumed that our web developer would consider security of the site as a normal consideration,” said the director, who asked to remain anonymous for security reasons. “Actually, we are a small association with a small budget and a small website. Who would think that anyone would want our information?”

    It is a prevailing attitude, one that has implications on the bottom line.

    As the head of an association or business, you expect your outsourced IT group or web developer to be handling security, but are they really? The answer to that is a resounding no. Website creators or managed service providers are not in the business of testing or coding  your website to security best practices.

    It is assumed that they are.

    Not long ago, I ran a 45-minute rapid audit for the website of a Door and Frames supply manufacturer and discovered a vulnerability that allowed an attacker to modify the website which would deliver an infected PDF file to every site visitor. Breaking it down, any visitor who didn’t have an updated Adobe reader could be compromised. After contacting the web master I learned he didn’t feel the need to fix it or insert any protection.

    “If I’m paying my outsourced IT group several hundreds of dollars a month, I assume they’re taking care of my security as well since it falls under IT. No one will hack my site because there’s nothing valuable on it,” said the owner of Doors and Frames.

    The common theme in the industry is that providers have adopted a “sweep the incident under the rug” attitude as a best practise without advising the client. The hope is that it will go away. That assessment may be too harsh. Most developers are still making the transition from basic web development to a more secure built-in security development.

    In the interim, directors and owners are caught staring like a “deer in headlights”.

    Small businesses are the perfect victims for the unscrupulous and this is directly linked to a small, and sometimes non-existent security budget. The unscrupulous are not after your information but want to use your systems as the middle man to break into others and more likely a mega-companies’ systems with more to lose.

    In other words, they are using your network to frame you.

    The big problem for the unwilling and unknowing middle man is that when a security forensic team shows up and uncovers what happened, law enforcement will be paying you a visit since it was your system, or someone you employ, that have been led to believe committed the crime.

    Many small businesses are simply not aware of how vulnerable their sites are to hackers. While developers in the past were not trained to build in security, their roles are changing. More certified training is being offered, which lays the basic foundation required by all developers to produce applications with greater stability, posing lesser security risks to the end-user.


    The MONEY® Network