Inman

Security gurus spread the word

Editor’s note: In this four-part series, Inman News looks at real estate security in the Internet era. It’s no longer just a matter of keeping clients’ home keys in a safe place. The Web has opened up vulnerabilities to data scraping, and new responsibilities for consumer privacy, MLS passwords and lockbox pass codes. (See Part 1: Real estate industry steps up MLS security; Part 2: Keep real estate clients’ private info private and Part 3: Getting a grip on real estate data scraping.)

While performing a recent security audit for a real estate company, Clareity Consulting executives took over the company’s video conferencing system using a default password and said they could see and hear the boardroom – and all the confidential business discussions taking place there – just fine.

That’s just one of the horror stories the company has from performing security audits for the industry over the years. In another recent audit, Clareity found an old vendor “back door” account and walked into the audit with a spreadsheet of all user account names and passwords.

“We’ve seen everything you can imagine,” said Matt Cohen, Clareity’s chief technologist.

Security of real estate data has become a hot-button topic among high-level executives and industry organizations now that the Internet has become a huge medium for exchanging real estate information. More people are aware of problems that can arise from lax security of sensitive real estate data. In some cases, experts say, the companies may even be liable for misuse of that data once it is leaked.

Clareity has taken an active role in real estate security since 1998, when the consulting company produced the “Law and Order in Information Commerce” conference in Tucson, Ariz. Industry leaders, attorneys and others gathered to discuss MLS database copyright issues, secure delivery of MLS information, the government’s role in information security, consumer privacy, and establishing Internet use policies, among other topics.

Since that time, Clareity has provided IT security advice and consulting services for MLS vendors, regional MLSs and large brokerages.

The company’s primary security service is an audit, in which it assesses a company’s security vulnerabilities and advises managers on better security decisions.

“When I’m on security audits, I am mainly worried about the backdoor and sidedoor entrances to a company’s system,” Cohen said, referring to ways to get in that a hacker could instantly spot, but that most company employees would never notice.

But there are other, more obvious problems, such as employees sharing passwords with unauthorized users, or keeping passwords that are easy to guess or written on Post-it notes taped to their computer monitors.

Clareity has made a big push for higher security standards and education in the real estate industry. The consulting company in 2004 partnered with Secure Computing, a global security products and service provider, to provide real estate professionals with a new security system for MLS and real estate-related data. The partnership now offers a user authentication product for MLSs in a variety of token forms.

The token method adds an extra layer of password security, requiring a user to have both an object and a password – much like an ATM card. Such tokens already are being implemented at MLSs nationwide, according to Clareity CEO Gregg Larson.

“We’ve also seen a large number of MLSs implement a password policy where they’re making people change their password for the first time,” Larson said. “That’s a real positive step and we think over time most of the MLSs will come up with a technical solution.”

Some MLSs that have implemented a password token system have reported to Clareity that their membership grew by as much as 20 percent afterwards. It is unclear whether that growth was a direct result of people who had been using other people’s passwords to get in now having to become members themselves.

Clareity has been trying to educate more real estate executives on the different aspects of security they need to consider. The company is holding an all-day workshop during Inman News’ Real Estate Connect conference in San Francisco on July 27, 2005, and will provide executive-level content as well as in-depth content for IT staff.

Security is an ongoing process, Larson said, involving regular assessment and risk mitigation and making good business decisions. It’s tough to get people on board at first, he said, because they don’t want to find out they have existing problems to address.

A common problem among all companies is that executives put the task of IT security on their IT staff, an approach Larson and Cohen say is “doomed to failure.” Most IT staff are too busy maintaining day-to-day needs and don’t have the time to deal properly with IT security. It’s up to executives to take the first step in the long-term process of improving security, and that’s one of the reasons Larson and Cohen are pushing for more security education.

Some other problems the consultant has encountered while performing audits include unprotected FTP servers where the entire MLS database could be downloaded, and transaction management system application flaws that allowed a user with low privileges to gain access to every file in the system.

Cohen and Larson say that the point of security awareness is not to respond to specific vulnerabilities people may read about, but to implement policies and procedures that create a broad defense against the many IT security threats that constantly emerge.

“It’s never about solving the problem, it’s all about making the appropriate business decisions to reduce the risk,” Cohen said.
