March 24, 2021

The company I work for doesn’t seem to care about CyberSecurity. How can I make them more aware?

Not sure if this is the right place to post this, so remove if not allowed but I can’t think of anywhere to go for advice which couldn’t be traced back to me or my place of work.

The part of the company I work for specialises in software development in Windows Applications.

Aside from the fact that the software stores the passwords for each user to use the software as plain text in the database, we also have a publicly accessible SOAP Web Service on a Windows Server 2008 R2 with no private key required which can be used to license the software and recover passwords via an email sent from our servers. This doesn't ask the user to reset the password; it literally just sends the user name and password to the email specified in the call to the function. There's also an SQL Server database on the server that hosts this that contains all our data, jobs, invoicing, customer accounts and subscriptions, as well as logins for any cloud databases we have created.

We have around 1000+ clients in about 30 countries. They also have the option to upgrade to our “Cloud” system which uses another SOAP Web Service to check changes between the local SQL Express 2008 database with the one on the Azure Windows Server 2012 that hosts the service.

Yesterday, after getting swamped with calls, I noticed that all our clients' cloud databases were in single-user mode, which we've encountered in local databases when a restore failed.

After some investigating I noticed that the SQL Server where the cloud databases are is publicly accessible through a web address, e.g. “webaddress.azure.comSQLSERVER”, provided you use “sa” as the username and know the password that our company uses for everything else.

These databases contain information about our clients' livelihoods as well as any contact information for themselves or others that they've stored using our software.

I've raised this issue with them and mentioned that if someone were to take the time to decompile the DLLs that our software provides, they could find out our passwords from connection strings and the web address and SQL instance name on our Cloud server, but they don't seem to care.

Some of our customers are very nice people. How bad is the security of our services and how at-risk is our data and clients data?
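The two storage and recovery flaws the post describes (plaintext passwords in the database, and a "recovery" call that mails the stored password to whatever address the caller supplies) have a standard fix: store only a salted, slow hash of each password, and replace recovery with a single-use, time-limited reset token that is sent only to the address already on file. The following is an added, constructed example of that pattern, not code from the poster's product; the in-memory `UserStore`, the `outbox` list standing in for a mail server, the `example.invalid` reset URL and the `legacy_recover_password` function are all assumptions made for illustration.

```python
"""
Constructed example (not the poster's code): salted PBKDF2 password storage
and a token-based reset flow, beside the plaintext "mail me my password"
pattern the post describes, shown only for contrast.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 600_000   # OWASP's current minimum for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # seconds a reset token remains valid


def legacy_recover_password(db: dict, username: str, email_in_request: str) -> tuple[str, str]:
    """The flawed pattern: plaintext read from the database and mailed to a
    caller-chosen address. Anyone who knows a username gets its password."""
    return email_in_request, f"Your password is: {db[username]}"


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    email: str
    salt: bytes
    digest: bytes


@dataclass
class ResetToken:
    username: str
    expires_at: float


@dataclass
class UserStore:
    users: dict[str, User] = field(default_factory=dict)
    # Keyed by SHA-256 of the token, so a database dump does not yield usable tokens.
    reset_tokens: dict[bytes, ResetToken] = field(default_factory=dict)
    outbox: list[tuple[str, str]] = field(default_factory=list)  # stand-in for the mail server

    def register(self, username: str, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = User(email, salt, digest)

    def verify(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            hash_password(password)  # same cost for unknown users, so timing gives nothing away
            return False
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.digest)

    def request_password_reset(self, username: str, now: float | None = None) -> None:
        """Mail a reset link to the address on file. The caller never chooses the address,
        and the response is identical whether or not the account exists."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("ascii")).digest()
        self.reset_tokens[token_hash] = ResetToken(username, now + RESET_TOKEN_TTL)
        self.outbox.append((user.email, f"Reset link: https://example.invalid/reset?token={token}"))

    def complete_password_reset(self, token: str, new_password: str, now: float | None = None) -> bool:
        """Consume the token (single use), reject it if expired, then re-hash the new password."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode("ascii")).digest()
        record = self.reset_tokens.pop(token_hash, None)
        if record is None or now > record.expires_at:
            return False
        user = self.users[record.username]
        user.salt, user.digest = hash_password(new_password)
        return True


def reset_link_token(message: str) -> str:
    """Pull the token out of a queued reset message (used by the demo and tests)."""
    return message.split("token=", 1)[1]
```

Note what the hardened flow never does: it never reads a password back out of the database (there is nothing readable to return), and it never sends anything to an address chosen by the caller of the web-service method. The token is stored only as a hash and is removed on first use, so an old reset e-mail or a copy of the token table cannot be replayed.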

Comments

autogeneses

Give us the name

jumpinjelly789

Money talks. If your customers find out their data has been in a breach because the vendor used such bad practices.

You should ask management if they could survive bad PR over this and risk losing 50% or more of their customer base.

Only thing is that unless someone outside the company publishes the breach the customers will never know and the company will do everything they can to not disclose it.

If that happens they could face large fines from government(s) for not disclosing the breach.

FullContactHack

Run a phishing test. Talk ransomware mitigations.
