The past year has been very eventful in the area of real estate information security and in the security space in general.
Wire fraud has been a hot topic in real estate this past year. Clareity has been working directly with brokers to implement controls and has also been working with franchises, broker networks, MLSs, and Realtor® associations to provide broker education on the subject. Please continue to share Clareity’s thorough guidance on this subject, “Reducing the Risk of Real Estate Wire Fraud”, and reach out if you are interested in having us present on it.
Phishing and spear-phishing activity has increased significantly. Phishing is the practice of sending emails designed to induce recipients to visit a site where their computer may be infected with malware, or to reveal personal information such as passwords or credit card numbers. Usually the recipient is fooled because the email appears to come from a company they know and trust. Spear-phishing takes this a step further by making the email appear to come from someone the recipient knows and to be about something relevant to them (e.g. an offer on a property the recipient has listed), in order to get them to take a specific action or divulge confidential information. Phishing and spear-phishing have affected every area of our industry, and they are also among the many vectors for wire fraud. It is difficult to educate employees and contractors to look critically at emails and other messages, to consider confirming a request by call or text message to a well-established phone number (not one supplied in the message itself), to look at where a link actually points before they click it, and to look carefully at the URL in the address bar once they have. Clareity has been using various education tools with clients, and these organizations have been able to decrease employee and contractor susceptibility to phishing attempts.
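The "look at the link, then look at the URL" habit described above can be made concrete. The following is an added example, not code from the original post or from Clareity: a small link inspector that pulls apart a hyperlink the way a careful reader should, flagging plain http, IP-literal hosts, a trusted brand name buried in the subdomain, userinfo or path of an untrusted host, credentials embedded before the "@", and link text that shows one site while the href goes to another. The trusted-domain allowlist, the sample links, and the two-label registrable-domain rule are all constructed assumptions for illustration (the real rule needs a public-suffix list to handle names like co.uk).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains this hypothetical brokerage trusts; a real
# deployment would load this from policy rather than hard-code it.
TRUSTED_DOMAINS = ("clareity.com", "example-title.com")


def registrable_domain(host):
    """Last two DNS labels, e.g. 'login.clareity.com' -> 'clareity.com'.
    Simplification: ignores multi-label public suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    """Treat link text as a URL if it carries a scheme or a dotted host without spaces."""
    return "://" in text or ("." in text and " " not in text.strip())


def inspect_link(display_text, href):
    """Return the list of red flags for one hyperlink (empty list = nothing suspicious)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append("not-https")

    # Bare IP addresses are rarely used by legitimate business sites.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
        domain = host
    except ValueError:
        domain = registrable_domain(host)

    if domain not in TRUSTED_DOMAINS:
        findings.append(f"untrusted-domain:{domain}")
        # A trusted brand name appearing as a subdomain, in the userinfo, or in
        # the path of an untrusted host is the classic lookalike trick.
        haystack = parts.netloc.lower() + parts.path.lower()
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in haystack:
                findings.append(f"brand-lookalike:{brand}")
                break

    # "https://clareity.com@evil.example/" really goes to evil.example.
    if parts.username is not None:
        findings.append("userinfo-in-url")

    # Link text that displays one host while the href goes to another.
    if looks_like_url(display_text):
        shown = urlsplit(display_text if "://" in display_text else "https://" + display_text)
        shown_host = (shown.hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != domain:
            findings.append("text-host-mismatch")

    return findings


if __name__ == "__main__":
    # Constructed sample links, the kind seen in spear-phishing around a listing.
    samples = [
        ("https://clareity.com/login", "https://clareity.com.evil.example/login"),
        ("Wiring instructions", "http://198.51.100.7/docs/wire.pdf"),
        ("Click here", "https://clareity.com@evil.example/"),
        ("clareity.com", "https://login.clareity.com/reports"),
    ]
    for text, href in samples:
        print(f"{text!r:32} -> {inspect_link(text, href) or 'ok'}")
```

The same checks are what a mail gateway or a browser extension would apply automatically; the point of running them by hand on a few samples is that every one of the flagged tricks survives a glance at the link text, which is all most recipients give it.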
Malware has become one of the most common threats in the industry. It has disrupted quite a number of organizations, at least temporarily, and it has been embarrassing for organizations whose websites have been defaced to distribute malware to visitors. There are many steps that can be taken to prevent malware from taking root.

First, workstations and servers need to be kept up to date with security patches for operating systems, web server platforms, and other installed software (Acrobat, Flash, Java, etc.). As Clareity has previously published in its ongoing benchmark study, more than a quarter of our industry’s top web sites are running on web server versions with known vulnerabilities; we need to do better! There are also many best practices for configuring operating systems and platforms to be less vulnerable, and one of the many aspects of Clareity’s security assessments is to check that clients follow hardening checklists developed by the military.

Proper firewall configuration is also crucial, and here we mean a network firewall that acts as a “traffic cop” between networks, not merely the software firewall built into your computer. There is no one-size-fits-all firewall configuration, but at a high level the firewall must allow only mission-critical traffic in and out of an office and must also carefully control traffic between workstations, servers, and visitor devices. Of course antivirus and anti-malware software should be deployed, and keeping and regularly testing multi-generational backups (so that an older, clean copy still exists when the newest copy has been corrupted) means that when malware strikes there is a way to recover.
Web application security in our industry is still poor. When engaged to test websites as part of a security assessment, Clareity is still finding too many vulnerabilities: cross-site scripting, SQL injection, and more. Clareity is also seeing some APIs, especially those used by mobile apps, that require no authentication at all. It is trivial for the “bad guys” to scrape the data from these APIs, and from the websites too. Our industry still has not taken reasonable steps to block screen-scraping consistently, and that problem is not going away just because many in the industry have ignored it. Clareity is working on draft screen-scraping policy based on technical standards. It is also taking too long for vendors to fix application security problems once they are found. Clareity has been having clients include compliance with OWASP standards in their vendor contracts for a few years now, and going forward the contracts Clareity helps to negotiate will refer to specific verification levels of, and specific requirements from, the OWASP Application Security Verification Standard (ASVS). It is not perfect, but it is as good a standard as there is at present, and references to it can always be augmented with security requirements specific to particular types of real estate applications.
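To make the three findings above tangible, here is an added example (not code from the original post, from Clareity, or from any vendor named here) that places each weakness beside its fix: a listing search that concatenates user input into SQL next to the parameterized version, a table cell rendered without escaping next to one that escapes, and an API endpoint that checks a bearer token before it touches the data. The listing rows, the API token and the table layout are constructed for illustration; the injection string is the textbook `' OR '1'='1` that turns a public-listings query into an all-listings query.

```python
import hmac
import html
import sqlite3

# Constructed sample listing data standing in for an MLS database (not real records).
LISTINGS = [
    ("MLS-1001", "12 Elm St", "active", "public"),
    ("MLS-1002", "48 Oak Ave", "pending", "public"),
    ("MLS-1003", "7 Birch Ct", "withdrawn", "members-only"),
]

# Constructed token for the hypothetical mobile app; a real service would issue
# per-client tokens from a credential store, never a literal in source.
API_TOKENS = ("demo-mobile-app-token",)


def make_db():
    """In-memory SQLite database populated with the constructed sample listings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (mls_id TEXT, address TEXT, status TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?, ?)", LISTINGS)
    return conn


def search_vulnerable(conn, status):
    """Deliberately vulnerable: user input is concatenated into the SQL string,
    so a quote in the input rewrites the WHERE clause."""
    sql = ("SELECT mls_id FROM listings "
           f"WHERE visibility = 'public' AND status = '{status}'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, status):
    """Hardened: the value is bound as a parameter; quotes stay data, not syntax."""
    sql = "SELECT mls_id FROM listings WHERE visibility = 'public' AND status = ?"
    return [row[0] for row in conn.execute(sql, (status,))]


def render_vulnerable(address):
    """Deliberately vulnerable: data is reflected into HTML unescaped (cross-site scripting)."""
    return f"<td>{address}</td>"


def render_escaped(address):
    """Hardened: HTML-escape untrusted data before placing it in markup."""
    return f"<td>{html.escape(address)}</td>"


def api_listings(conn, headers, status):
    """Minimal listings endpoint that refuses unauthenticated calls before
    touching the database. Returns (http_status, rows)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # compare_digest keeps the check constant-time, so a wrong token leaks
    # nothing about how many leading characters were right.
    authorized = scheme == "Bearer" and any(
        hmac.compare_digest(token.encode(), known.encode()) for known in API_TOKENS)
    if not authorized:
        return 401, []
    return 200, search_parameterized(conn, status)


if __name__ == "__main__":
    db = make_db()
    payload = "active' OR '1'='1"
    print("vulnerable   :", search_vulnerable(db, payload))     # members-only listing leaks
    print("parameterized:", search_parameterized(db, payload))  # nothing matches that literal
    print(render_escaped("<script>alert(1)</script>"))
    print(api_listings(db, {}, "active"))                       # 401 without a token
```

The injection works because SQL evaluates `AND` before `OR`, so the visibility restriction is silently bypassed; no amount of input "cleaning" is as reliable as binding the value. The escaping and the authentication check are the kind of requirement the ASVS spells out, which is why referencing it in a vendor contract gives both sides something concrete to test against.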
“BYOD” stands for “bring your own device,” which is what many organizations allow employees and contractors to do: company information ends up on personally owned computers, laptops, tablets, and phones that may have no security enabled whatsoever. Such devices are lost or stolen all the time and, depending on the data accessible on or through the device, a lost device with no lock screen and no encryption may, under the laws of most states, mean that reputation-damaging breach notifications have to be sent out! Implementing a BYOD policy that spells out what security steps must be taken (a lock screen and device encryption at the very least) before personal devices are used to store company information or to access it is going to become increasingly important. This is just one of a number of information security policies that organizations may need to put in place.
Strong authentication is becoming more important than ever, both because of the rise of single sign-on (SSO) in our industry, where one phished password can unlock every connected system, and because of the phishing issue itself. Clareity will be adding an additional, newly patented, form of biometrics to its SAFEMLS Plus authentication solution and will provide additional forms of proactive strong authentication options for customers and their users in 2017. If your organization is ready to consider improving authentication, contact Clareity.
Most of the preceding would not have been news for Clareity’s Security Assessment clients, who have taken a more comprehensive look at their security practices and are taking steps to reduce their risks. If you have an interest in becoming one of them and taking the first steps to manage risk for your organization, please contact Clareity.