A few days ago I received an email from an MLS – just a “heads up” that their website was serving up malware to visitors. They hadn’t patched some of the software they had installed on their web server, and someone took advantage of the vulnerability. I think they’ll be patching religiously from now on, and they’ll surely look deeper for other vulnerabilities as well. But others can learn from this mistake.
I was curious how many other MLS and broker sites might be vulnerable to similar attacks, so I did some research. The results were concerning. Whenever a web page is requested, most web servers report on which platform version they are running. It’s not displayed in the browser, but if you have a browser plugin like the Firefox Web Developer Plugin, you can see what is reported. So, I visited the websites of the top 50 largest MLSs (by subscriber count) to see what percentage self-reported being on old or insecure web server platforms, and found 28% of those MLSs were in need of an upgrade or patch. Doing the same for the top 50 largest brokers (by transaction volume), I found that 46% were in a similarly bad situation.
Somewhere, an MLS executive or broker just read the preceding paragraph and thought to themselves, “Those darn techies!” But although the problem may seem like it is technical in nature, I assure you that this is an issue for management, not the “geeks.” I bet that most, if not all, of these technical flaws can be tied back to management that:
- has not formalized organizational security policies and procedures,
- does not have a procedure in place for monitoring policy compliance,
- has not put security requirements in place with vendors in their contracts, and
- has not arranged for a security audit in the past year or two.
This web server test I did is just the tip of the iceberg. Any of the organizations that passed this test may have other issues, and the ones that failed this test – let’s just say it’s likely they have other issues as well.
The security incident just reported to Clareity was not the first I’d heard about this year, and I doubt it will be the last. I’d rather there be no more incidents this year – I would much rather help clients assess and address their security vulnerabilities before they became incidents.
Please call me at 612-747-5976 or email firstname.lastname@example.org – if it has been a while since your last security audit let’s schedule one and work together to reduce the risks for your organization.
Share this post: