Post Date: Tuesday, February 25, 2014, 9:00 AM
Are Your Financial Statements and Board Minutes Exposed on the Web?
In the early days of the Internet sensitive documents were protected passively by the fact that no one knew the URL of the sensitive documents. This “Passive Security” was marginally adequate at the time, but is no longer acceptable today. Read on to find out why.
SECURITY SERIES ARTICLE #1
Security Series Issue 1. This is the first of a series of articles on IT Security in the club industry that will be published in coming months by Dr. William D. Ivers, CEO of Clubessential.

Passive Security Makes Pages and Documents Vulnerable

Documents stored on the Internet are accessed by clicking on a link, or, if you know the address associated with this link (the “URL”), you can enter it into your browser and the document or webpage will appear.

In the early days of the Internet sensitive documents were protected passively by the fact that no one knew the URL of the sensitive documents. This “Passive Security” was marginally adequate then because few people were trying to steal information – today it is woefully inadequate. Passive Security is based on keeping the URL of the document or page secret – here are some reasons why this approach is vulnerable:

   — Suppose someone copies a link from the private side of your website and posts it on a blog? Google will see that link and index it, exposing the sensitive document or page on the web.
 
   — Suppose the technical team that works on your website accidentally marks a page “public” for a few minutes. Chances are Google will find that page while it is available and index it, and every link to a sensitive document on that page stays in the index even after the page is returned to private status. Marking the page private again does not un-index the document URLs it listed.
 
   — Accidental exposure of sensitive page and document URLs to indexing can happen in many ways and is very common. Virtually every club in the world has some such links inadvertently exposed on the web.
 
   — Beyond such accidental exposure of URLs, there is a much more dangerous problem. Most website vendors store sensitive documents and pages in a standardized way, so the URLs are built from component parts that can be predicted. A standard page for listing a whole library of documents might have a URL that is simply the club’s domain name followed by “/documentlist.” Anyone who types a club’s domain name followed by /documentlist into a browser gets an extended list of links to potentially sensitive documents, even though that page had never been found or indexed by Google. You might ask: “How would anyone ever know to use /documentlist?” The answer is easy: any member of any club hosted by that same vendor can look at their own club’s website and see immediately what URL naming structure the vendor uses. Substitute a different domain name and that member is looking at some other club’s sensitive documents. Accidentally exposed links that have been indexed also reveal the vendor’s internal naming structure to anyone who finds them.

In summary, documents and pages protected only by Passive Security are vulnerable because the URLs can be accidentally compromised or, more importantly, systematically constructed from easily determined rules. URLs are not treated like passwords: they are recorded in browser history and in server and proxy logs, they leak through the Referer header, and they are freely copied and shared. We should not count on their confidentiality to protect our sensitive documents.

Positively Locking Documents and Pages

The confidentiality of sensitive documents and pages can be preserved by adding “Positive Locking,” a security layer that does not depend on the secrecy of URL addresses. If a page or document is Positively Locked, the web server checks on every request that the visitor has already signed in to the website with a username and password, and refuses to serve the item otherwise, even if the visitor has correctly guessed the URL or the link was accidentally exposed to Google. The check has to be applied to the document file itself, not only to the page that links to it; a lock on the list page alone leaves each document one direct URL away.
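The following is an added example, not Clubessential’s code, showing what Positive Locking looks like on the server side: a request handler that consults the visitor’s session and the document’s access list before serving anything, beside the “unlocked list” misconfiguration described in the next paragraph and the audit that finds it. The store layout, cookie values, role names and paths are constructed for illustration.

```python
"""Positive locking done on the server: every request for a document is checked
against the visitor's session and the document's access list before a byte is
served, so a guessed or indexed URL returns nothing.  Added example, not
Clubessential's code; the store layout, cookie names and roles are assumed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    body: str
    sensitive: bool                    # classification: must never be public
    locked: bool                       # enforcement: require a signed-in user
    # Roles entitled to read a locked document (assumed role names).
    roles: frozenset = frozenset({"member", "staff", "board"})


# Constructed sample store.  The financial statement reproduces the article's
# misconfiguration: it sits in a list whose lock was left off years ago.
DOCUMENTS = {
    "/docs/newsletter.pdf": Document("newsletter", sensitive=False, locked=False),
    "/docs/board-minutes.pdf": Document("minutes", sensitive=True, locked=True,
                                        roles=frozenset({"board", "staff"})),
    "/documentlist/financials.pdf": Document("P&L", sensitive=True, locked=False),
}

# Constructed session store: cookie value -> (username, role).
SESSIONS = {"c0ffee": ("alice", "member"), "decaf": ("bob", "board")}


def handle(path: str, cookies: dict[str, str]) -> tuple[int, str]:
    """Return (status, body) for a GET.  Passive security would serve any path
    the caller knows; positive locking consults the session and ACL first."""
    doc = DOCUMENTS.get(path)
    if doc is None:
        return 404, "not found"
    if not doc.locked:
        # Unlocked item: anyone holding the URL gets it.  Fine for the
        # newsletter, a breach for the financial statement.
        return 200, doc.body
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        # Not signed in: send to the login page and leak nothing about the file.
        return 302, "/login?next=" + path
    _user, role = session
    if role not in doc.roles:
        # Signed in but not entitled (a member asking for board minutes).
        return 403, "forbidden"
    return 200, doc.body


def audit_locks(documents: dict[str, Document] = DOCUMENTS) -> list[str]:
    """The audit the article describes: every item classified sensitive whose
    lock setting is off.  Run it whenever a list's contents change."""
    return sorted(p for p, d in documents.items() if d.sensitive and not d.locked)


if __name__ == "__main__":
    for path, cookies in [("/documentlist/financials.pdf", {}),
                          ("/docs/board-minutes.pdf", {}),
                          ("/docs/board-minutes.pdf", {"session": "c0ffee"}),
                          ("/docs/board-minutes.pdf", {"session": "decaf"})]:
        print(path, cookies, "->", handle(path, cookies))
    print("unlocked sensitive items:", audit_locks())
```

Two points the code makes that the prose does not: the lock and the sensitivity classification are separate settings, which is exactly how a list set to “unlocked” years ago ends up holding financial statements; and signing in is only half the check, since a signed-in member still gets 403 for board-only minutes.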

Obviously no one wants their financial statements or other sensitive documents exposed on the web. Such documents should be “Positively Locked” by the website provider in such a way that only “authenticated” members and staff, after entering passwords, can see them. Security breaches can occur when a sensitive document remains unlocked (or if the vendor doesn’t ever lock any documents). We at Clubessential learned this the hard way a few months ago when an enraged client called because their board minutes were visible on the web. It turned out that this client had, many years previously, installed a module to display a list of documents which at the time were not sensitive and so the list was set to “unlocked.” Later the list was used for sensitive documents, but no one thought to check the lock setting. We corrected the problem immediately and then, just to be safe, performed a full audit of all similar list modules for all our clients to make sure their lock settings were correct – we found nearly a dozen additional examples out of 1,000 websites. This experience led me to think there might be many clubs that haven’t undergone such an audit who don’t realize they have sensitive documents exposed on the web. I organized a team to sample 200 club websites selected at random, searching for sensitive documents – over 30% of those we examined had exposed documents indexed by Google and nearly ALL of them had unlocked documents that could be reached by simple guesses of URL addresses! So don’t blindly trust that your documents are secure.

Here is how you can tell whether a sensitive document is locked down. Sign in to your website and go to the place where you have a link to a sensitive document. Copy the URL of that link. Sign out, then close all your browser windows. Closing the browser alone may not end a session if you chose “remember me” when signing in, so a private (incognito) window, which starts with no cookies, is the most reliable way to test as an anonymous visitor. Open a fresh browser window, but don’t sign in to your club website. Paste the link and see whether the sensitive document appears. If it does, the document is not locked down and is not secure.

Some website providers, including Clubessential, create web pages showing lists of documents, with a link to each document. Here is how you can tell whether your list of sensitive documents is locked down. Copy the URL of the list’s web page. Sign out and close all browsers (or use a private browsing window, which starts with no cookies). Open a fresh browser and paste the URL. If the list page appears without your signing in to the website, the list page itself is insecure. If the links on that list do not require a password to view the individual documents, the entire list of documents is exposed on the web; test a few of the individual links as well, because a locked list page can still point at unlocked files. Further, if the URL of the list page is generic (for example, “/DocumentList”), every other user of this kind of website (e.g., your competitors) can deduce how to reach your list of documents. If your financial statements are in that list, you have to assume your competitors can see them.
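The two manual checks above can be run as a script. This is an added example, not a Clubessential tool: it fetches each URL you copied while signed in using an HTTP client with no cookie jar at all, refuses to follow redirects so a bounce to the login page is visible, and reports a verdict per URL. The login-page markers and the sample responses are assumptions to adapt for your own site, and you should only run it against a site you are authorised to test.

```python
"""Audit whether URLs are positively locked by fetching each one exactly as an
anonymous visitor would: no cookie jar at all, so a "remember me" session left
in a browser cannot mask an exposure.  Added example, not a Clubessential tool.
The login-page markers are assumptions; run it only against a site you are
authorised to test."""
from __future__ import annotations
import sys
import urllib.error
import urllib.request

# Assumed: path fragments that identify the site's sign-in page, and the
# markup of a password field for sites that answer 200 with a login form.
LOGIN_PATH_MARKERS = ("login", "signin", "sign-in")
PASSWORD_FIELD = ('type="password"', "type='password'")
REDIRECTS = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 to the login page stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url: str, timeout: float = 10.0) -> tuple[int, str, str]:
    """GET with a cookie-less opener; returns (status, Location header, body head)."""
    opener = urllib.request.build_opener(NoRedirect())   # no HTTPCookieProcessor
    req = urllib.request.Request(url, headers={"User-Agent": "lock-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return (resp.status, resp.headers.get("Location", ""),
                    resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:          # 3xx/401/403/404 arrive here
        return (err.code, err.headers.get("Location", ""),
                err.read(4096).decode("utf-8", "replace"))


def classify(status: int, location: str, body: str) -> str:
    """Decide what an anonymous request got back.
    EXPOSED  -> the document itself was served (passive security only)
    LOCKED   -> sign-in was required (positively locked)
    MISSING  -> nothing at that URL
    REDIRECT -> sent somewhere that is not obviously the login page; check by hand"""
    if status in (401, 403):
        return "LOCKED"
    if status in REDIRECTS:
        target = location.lower()
        return "LOCKED" if any(m in target for m in LOGIN_PATH_MARKERS) else "REDIRECT"
    if status == 404:
        return "MISSING"
    if status == 200:
        # Some sites answer 200 with the login form instead of redirecting;
        # a password field in the body means the real document was withheld.
        if any(marker in body.lower() for marker in PASSWORD_FIELD):
            return "LOCKED"
        return "EXPOSED"
    return f"OTHER({status})"


def audit(urls: list[str]) -> dict[str, str]:
    """Fetch every URL anonymously and return {url: verdict}."""
    verdicts = {}
    for url in urls:
        try:
            verdicts[url] = classify(*fetch_anonymous(url))
        except (urllib.error.URLError, OSError) as err:
            verdicts[url] = f"ERROR({err})"
    return verdicts


if __name__ == "__main__":
    # Usage: python lock_audit.py https://yourclub.example/DocumentList ...
    # or pipe one URL per line on stdin (the URLs you copied while signed in).
    targets = sys.argv[1:] or [line.strip() for line in sys.stdin if line.strip()]
    for url, verdict in audit(targets).items():
        print(f"{verdict:10} {url}")
```

Anything reported EXPOSED is reachable by every anonymous visitor, indexed or not. Feed it both the list-page URL and a sample of the individual document links, since the two are locked independently.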

Every document, every page, every list of members, every list of staff, and, in general, every item on your website which has an associated URL address should be locked down (require a password) if it is your intent to keep the item private. You can test which items are “locked down” using the steps above. If you find unlocked sensitive items on your website, contact your provider right away before someone, perhaps from another continent, sneaks in and steals your information. Your board wouldn’t be happy to discover, for example, that all the members’ names, children, addresses and email addresses were publicly exposed, let alone the club’s financial statements.

The next email in this Security Series will discuss passwords and the simple steps you can take to make reasonably sure they are secure.



Authored by:
 
    DR. WILLIAM D. IVERS - CEO

Dr. Ivers has over 40 years’ experience in the software industry, 15 of them in the private club industry.


 
© 2013 Clubessential, LLC     www.clubessential.com