Monday, September 27, 2010

Thanks to ISACA (still room for improvement though)

(Survey received from ISACA, also showing certain SMTP details)

On tuesday March 2, 2010, I published a blog post regarding a non-secure survey from ISACA. On tuesday September 21st, I received a new survey from ISACA, as the image above shows (slightly censored by me). To me it's important to both give and receive constructive feedback, good or bad. So here's to ISACA and Gary Bannister, THANK YOU!

Compared to my previous post as mentioned, this is much better! I also received a response from the media department of ISACA on March 26, stating that they would do some changes to the way they communicated to their members. Very good, clearly showing that they listen to their members! (Not everyone does that unfortunately....)

The survey received now contains a little more of what I asked for. Although this is a different survey with less sensitive questions to me and/or my employer, you are now using HTTPS to secure my communication with surveymonkey, and you have included personal contact details that i may use to verify the sender and purpose of this survey.

Still there are improvement opportunities as well. The e-mail was sent through Sparklist, now Lyris Inc (twitter/lyris). As the SMTP details shows, the e-mail was sent from them, thus using a "forged" sender pointing back to Gary Bannister at ISACA. I will again encourage you to read my previous blog post, in regard to what I do expect from a professional audit/security organisation (and others as well).

In the received e-mail you ask me to promote the survey to others, while at the front of the survey you say that "You have been selected to participate in this survey." Erm, well, not exactly, really?

As for Lyris; here's a free tip for you. Deploy STARTTLS support on your mailservers, using TTP encryption certificates. That way it will become easier for paranoid people like me to verify your company identity, your mail servers and possibly also better separate spam from the real stuff. I don't like mailservers without STARTTLS support:

Most importantly (to me); all e-mail (SMTP) commuication between me and you will be automatically and transparently encrypted, effectively making it just a bit harder for a lot of people to read e-mails containing sensitive information, links, usernames and passwords. A decent Linux consultant can configure such support on a Postfix server in 30 minutes, so cost is not much of an issue I guess.

Thanks to Gaute Lien (past president ISACA Norway chapter) for his involvement after my last post. Consider this a request for action from our new chapter president, mr Gaute Brynildsen.

No comments:

Post a Comment

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.