At its most basic, security always consists of trade-offs.
Many organizations find a natural tension between marketing and security. The security folks warn that publishing too much information about how the company does business and with whom makes it way too easy for phishers and other scammers to target your customers.
The marketing folks, quite naturally, often have a different perspective: The benefits of publishing partner data far outweigh the nebulous risks that someone may abuse this information.
So the question is, at what point does marketing take a backseat to security at SaaS firms when their customers are being phished?
Is it even reasonable to think that determined attackers would be deterred if they had to pore through press releases and other public data to find a target list?
When Krebs first approached Workday in researching this column, he did so in regard to an alert they emailed customers earlier this month. In the alert, Workday warned that customers using single-factor authentication to access Workday were being targeted by email phishing campaigns.
The company said there was no evidence to suggest the phishing was a result of the Workday service or infrastructure; rather, it was the result of phishing emails in which individuals at customer organizations shared their login credentials with a malicious third party. In short, they’d been phished.
Workday advised customers to take advantage of the company’s two-factor authentication systems, and to enable secondary approvals for all important transactions.
All good advice, but Krebs also challenged the company on whether it was really a good idea to publish a tidy list of more than 800 customers on its Web site at the same time. He also noted that Workday’s site makes it simple to find an HTML template for targeted phishing campaigns.
Just take one of the companies listed on its site and enter the name in the Workday Sign-in search page. Selecting Netflix from the list of Workday customers, for example, brings up Netflix’s login page.
Oh wait, something very similar just happened earlier this month.
In the first week of May, phishers began sending Google Docs phishing campaigns via Gmail disguised as an offer to share a document. Recipients who fell for the ruse ended up authorizing an app from Google’s OAuth authentication interface — i.e., handing crooks direct access to their accounts.
Before we go further, Krebs points out that it is not his intention to single out Workday in his post: There are plenty of other companies in its exact same position.
The question he explores is at what point marketing should be trumped by security. For Krebs, the juxtaposition of Workday’s warning with its simultaneous priming of the pump for phishers seemed off.
Workday wasn’t swayed by Krebs’ logic, and referred him to an industry analyst for the finer points of that perspective.
Michael Krigsman, a tech analyst and host at cxotalk.com, said he often advises smaller companies that may be less sophisticated in their marketing strategies to publish a list of customers on their home pages.
“Even when it comes to larger companies like Workday, they’re selling so many seats that this information is highly public knowledge and very easy to get,” Krigsman said. “If you’re interested in Workday’s customer lists, for example, you can easily find that out because Workday puts out press releases, their customers put out press releases, and this gets picked up in the trade press.”
Continue Reading At Krebs On Security