Protecting Yourself with Web 2.0 CRM

Updated: August 20, 2012

Issue

 

Web 2.0 is a catchphrase that many new technologies use to make the Web appear a friendlier, more powerful place and help users be more productive.

Unfortunately, the phrase makes identity thieves, crackers, phishers and other criminals more industrious as well. Web 2.0 does not so much introduce new kinds of computer crime as it exposes new vulnerabilities to old types of criminal activity.

In 2007, users of Salesforce.com's online CRM application got a lesson in Web 2.0 security when tens of thousands of their customers were hit with phishing attacks. The catastrophe began when criminals stole the online identity of a Salesforce.com employee through a phishing attack. (Phishing uses phony emails to trick customers into revealing sensitive data, such as passwords.) In this case, phishers used the Salesforce.com ID to grab one or more customer-contact lists of Salesforce.com clients. The result was thousands of dollars in losses and damaged trust between the CRM users and their clients.

The lesson here is that CRM users have to take steps to protect themselves when employing the online features of modern CRM. Doing so takes some awareness and a certain amount of technical sophistication, but it is not difficult.

 

Analysis

 

Although the details of some of threats, especially Web 2.0 attacks, can be extremely complex, the most important way to protect yourself, your company and your customers does not involve technology at all. It relies on good, old-fashioned awareness. Awareness and education are not substitutes for protective measures like firewalls and filters, but all security software is useless without them.

The people who use your CRM system must always be aware of the potential for security breaches and be on the lookout for red flags. This is important because many offenses rely on what is euphemistically called "social engineering" — tricking users into cooperating with phishers by downloading an attachment, opening a file or visiting a booby-trapped Web site.

The reason online criminals are desperate to get individuals to play along is that basic protections such as firewalls and anti-virus programs have much improved over the last few years. It is much more difficult today to slip malware like password-stealing programs into computers unless the users cooperate. As a result, the attacks are getting more creative in trying to get people to click infected links or open bad attachments.

The Salesforce.com attack is an example of "spear-phishing" — highly targeted phishing attacks based on detailed information about victims and their business relationships. Spear-phishing is more effective than normal phishing because emails contain much more specific information about the victim, lulling them into a false sense of security.

The lesson is: Don't get lulled. Treat all emails skeptically, especially those that include attachments. No matter how legitimate the address or how convincing the email is never, ever open the attachment or click the link without checking. If it is an urgent communication supposedly from a business partner, send a quick email back to the "sender" at a known email address to double-check that he or she did in fact send the message.

Keep in mind that government agencies and corporations will never send emails asking for sensitive information like account numbers. Nor will government agencies, or most businesses, send unexpected emails containing attachments or links to a Web site. The most they will do is include the name of their Web site and a case number, and ask you to visit.

One of the novelties Web 2.0 introduces into modern CRM are applications written using AJAX (Asynchronous Javascript and XML). From the user's standpoint, AJAX is important because it lets CRM vendors offer richer, more responsive applications that make CRM systems more efficient. AJAX also allows CRM programs to include various features to help boost sales.

AJAX applications convert a user's computer from a dumb terminal to an active partner in the process. In effect, AJAX divides CRM applications in two and runs half on the user's computer and half on the company server.

One issue with AJAX applications is that they do not introduce new kinds of security threats. They do, however, provide more attack points into the CRM system.

The other problem with AJAX applications is that the people writing them are not security-conscious. AJAX is a new technology, which means it is not as completely understood as conventional application environments. Typically, the people writing AJAX applications are Web developers (rather than programmers) who, as a class, are not particularly aware of security issues.

Most of these flaws must be addressed by the application developer rather than the customer. While there are some measures customers can adopt to reduce risk, most are temporary fixes rather than real solutions.

"I get kind of sad when I'm asked [about what customers can do to secure their CRM applications]," said Billy Hoffman, manager of HP Systems Security Labs, the Atlanta-based Web-security research department at Hewlett-Packard Development Company, L.P. "This is the part of my job where I feel bad because there are no good answers," he said.

 

Recommendations

 

Billy Hoffman, manager of HP Systems Security Labs, the Atlanta-based Web-security research department at Hewlett-Packard offered some advice on how you can protect yourself, although these measures are hardly absolute. If a user does not have control over the way the application is written, the resulting security effort is like putting a chain-link fence around the problem. That is, it provides some protection, but it cannot be reliably secure.

One thing you can do, Hoffman said, is choose a CRM application that provides a high level of security. One of the best ways to verify this is to ask about the CRM application's compliance with various appropriate security standards."For instance, OWASP (the Open Web Application Security Project) has a list of top 10 vulnerabilities [in Web applications]," said Hoffman. "One question you can ask is, ‘How are you in compliance about the OWASP top 10?' How are passwords stored, what type of access rules do you enforce? Is there some kind of access-control system? Ask how granular it is. A lot of times looking at feature set of an application can give you an idea of how secure it is."

There are also tools available to improve the security of pre-written applications. For example, a plug-in called NoScript for Mozilla's Firefox browser can block JavaScript scripting language on your computer. You will have to specifically enable every JavaScript application you want to run. This is helpful because many Web 2.0 attacks require the use of malicious JavaScript. But it is not foolproof. NoScript requires a modicum of knowledge to apply effectively because the user has to distinguish between good and bad JavaScript. Also, some users find it annoying to have to authorize JavaScript every time they want to access a site.

On the server end, Hoffman suggested using a proxy server, such as The Apache Software Foundation's Module mod_proxy, with a whitelist of allowed addresses. The proxy server will automatically filter out sites that are restricted and presumed to be malicious. He noted, however that this approach is only as good as the list of allowed addresses and takes some work to maintain.

Related to proxy servers are application firewalls, or intrusion-detection systems, which are designed to enforce protection policies for specific applications, such as CRM. Products like Imperva, or IPS-1 from Check Point Software Technologies, Ltd. and IBM Corp.'s Proventia allow you to control access to applications and choose what kinds of traffic can pass to and from the application. That includes blocking specific files or file types from being downloaded — such as complete customer-contact lists.

Hoffman said that none of these tools are as secure as a well-designed Web application, but they do allow users to add additional security to their CRM application.

Ultimately, the answer to Web 2.0 CRM security lies with the CRM vendors themselves. Hoffman said they are beginning to get the idea. In two or three years, he predicted, security on Web 2.0 applications like CRM will greatly improve.

In the meantime, security education combined with the available software is a good defense.

Featured Research