Regan, Keller, SF State Securing the vendor mr&ak
  • Throw in the floor mats before you sign the papers.
  • ISO 9001 quality and business management framework.
  • Matrix with values to quantify how you feel about it.
  • Their response will tell you a lot about them. If they are antagonistic, they may be uninformed or trying to hide something. Share/compare your penetration test results with the vendor. Buying decisions are usually emotional, not logical: you are going to buy the product you feel best about. This process should help you get a better feeling for the most secure one.
  • Washing machine. Closed systems present a unique security challenge in that the customer has little visibility into the device, and depends on the Maytag repairman for fixes.
  • Demo links and search:
     • http://72.55.9.132/#
     • http://70.119.185.121/user_view_S.htm
     • Google search: intitle:"Toshiba Network Camera" user login

Presentation Transcript

  • Mike Regan & Alex Keller, Systems Administrators, Academic Technology, San Francisco State University
  •  When purchasing hardware, software, or services your greatest leverage with the vendor is BEFORE YOU BUY. Establishing a solid rapport during the pre-sales process is critical.
  •  Questions to ask the vendor before you buy:
     • What types of security testing have you performed?
     • Do you have a security contact/team we can speak with?
     • Has your device/software/service been penetration tested? What were the results?
     • What protocols and ports are used/required for the functionality we need?
     • What authentication, authorization, and encryption technologies do you employ?
  •  Obtain a demo/trial system and perform your own evaluation:
     • What network interfaces does it have? (Physical inspection)
     • What ports are exposed? (Nmap port scan)
     • Is data encrypted in transit? (Wireshark)
     • Are there any records in the public vulnerability databases?
     • Google search?
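The two slides above pair naturally: ask the vendor which ports and protocols the device needs, then scan the trial unit and compare. The script below is an added example (not from the presentation) that parses an nmap XML report, flags open ports the vendor did not declare, flags services that carry credentials or data in the clear (candidates for the Wireshark check), and builds product/version strings to look up in the vulnerability databases. The XML report and the vendor's declared port list are constructed for a hypothetical set-top box; with a real device you would run `nmap -sV -sU -sT -oX scan.xml <appliance-ip>` and feed that file to `parse_open_ports`.

```python
"""Triage an nmap XML scan of a trial appliance against the vendor's declared ports.

Added example for the 'secure before you buy' evaluation step; it is not code
from the original presentation. Everything below the imports is constructed:
the nmap XML imitates `nmap -sV -oX` output for a hypothetical appliance at
192.0.2.10, and DECLARED_PORTS stands in for the vendor's answer to
"what ports and protocols are required?".
"""
import xml.etree.ElementTree as ET

# Services that send credentials or payloads unencrypted. Each open instance
# should be justified by the vendor, disabled, or confirmed harmless with a
# packet capture before the device goes on a production network.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmp", "tftp", "rsh", "rlogin"}

# Constructed sample report (shape follows nmap's XML output format).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -sT -oX - 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="Dropbear sshd" version="0.52"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="BusyBox telnetd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd" version="1.4.28"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="lighttpd" version="1.4.28"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical vendor statement: "the box only needs HTTPS and SSH".
DECLARED_PORTS = {("tcp", 443), ("tcp", 22)}


def parse_open_ports(nmap_xml):
    """Return [(proto, port, service, product, version)] for every port whose
    state is exactly 'open'. UDP ports reported as 'open|filtered' are skipped
    and should be reviewed by hand."""
    root = ET.fromstring(nmap_xml)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
        found.append((port.get("protocol"), int(port.get("portid")),
                      get("name"), get("product"), get("version")))
    return found


def triage(open_ports, declared):
    """Split open ports into: undeclared by the vendor, cleartext services,
    and product/version strings to search in NVD/CVE (deduplicated)."""
    undeclared, cleartext, lookup = [], [], []
    for proto, port, name, product, version in open_ports:
        if (proto, port) not in declared:
            undeclared.append((proto, port, name))
        if name in CLEARTEXT_SERVICES:
            cleartext.append((proto, port, name))
        if product:
            lookup.append(" ".join(x for x in (product, version) if x))
    return {
        "undeclared": undeclared,
        "cleartext": cleartext,
        "lookup": list(dict.fromkeys(lookup)),  # keep first occurrence only
    }


def report(findings):
    """Render the triage result as text to bring back to the vendor."""
    lines = ["Open but not declared by vendor:"]
    lines += [f"  {p}/{n} ({s})" for p, n, s in findings["undeclared"]] or ["  none"]
    lines.append("Cleartext services (verify with Wireshark, then justify or disable):")
    lines += [f"  {p}/{n} ({s})" for p, n, s in findings["cleartext"]] or ["  none"]
    lines.append("Search NVD/CVE for:")
    lines += [f"  {s}" for s in findings["lookup"]] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_open_ports(SAMPLE_NMAP_XML), DECLARED_PORTS)))
```

On the constructed sample, the three undeclared ports (telnet, plain HTTP, SNMP) are also the three cleartext ones, which is the typical shape for an embedded appliance: a BusyBox telnetd and an unauthenticated SNMP agent left enabled alongside the advertised HTTPS interface. Note that nmap reports unanswered UDP probes as `open|filtered`, which this script deliberately does not count as open; read those entries yourself rather than trusting the automated list.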
  •  If you find something interesting, share it with the vendor. Is their response antagonistic, dismissive, ambivalent, or responsive? Their response can tell you a lot about how mature their approach to IT security is. Product selection is as much an emotional process as a technical one: how do you feel about the vendor? Are they transparent and forthright?
  •  If a full penetration test is merited (for example, a planned deployment in a high-security environment), establish the protocol for the testing in writing with the vendor before you start.
  • “Vulnerabilities are going to be discovered. The good guys will discover some and the bad guys will discover some. …All parties interested in improving the state of information security are going to have to come together and compromise. We must find a way to address the issues. Vendors must be notified and held to timely patch development. The customer must be given the information they need to defend their systems. Credit and possibly compensation needs to be given to the discoverer. Finally every effort must be made to keep automated attack tools out of the hands of script kiddies. Only by addressing these key issues can we make the Internet more secure.” Stephen Shepherd, SANS: http://www.sans.org/reading_room/whitepapers/threats/define-responsible-disclosure_932
  •  The principles of 'secure before you buy' can be applied to servers, workstations, laptops, handheld devices, network equipment, operating systems, software, and services, but to keep the discussion scoped we are going to focus on the rapidly proliferating world of appliances.
  •  What is an appliance? A purpose-built closed system running an embedded OS (Linux, BusyBox, Android, Windows, Java). There is no traditional console; configuration is typically done through a web page, SSH, a serial port, or a USB drive. It performs a single function, with an emphasis on stability.
  •  Examples:
     • Video streaming set-top boxes
     • Environmental controls (lighting, HVAC, etc.)
     • Alarm and video surveillance systems
     • Network storage
     • Ancillary device control (projectors, screens, lighting, etc.)
  •  Why it matters (what a compromised appliance can be used for):
     • Interrupting legitimate services (denial of service).
     • Providing covert illegitimate services (illegal file sharing).
     • Exposing sensitive information.
     • Serving as a launch or pivot point to attack other systems or perform reconnaissance.
     • Sabotage.
  •  Resources:
     • Vulnerability databases: http://web.nvd.nist.gov/view/vuln/search, http://cve.mitre.org/cve/cve.html, http://www.cert.org
     • Known ports and protocols (Internet Assigned Numbers Authority): http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
     • BackTrack: http://www.backtrack-linux.org
  • We welcome further correspondence on this topic; please pass on our contact information to your colleagues. Mike Regan <gir@sfsu.edu>, Alex Keller <alkeller@sfsu.edu>
  •  Demo links:
     • Vulnerability search: http://cve.mitre.org/cve/cve.html
     • IP camera: http://128.210.72.31/view/indexFrame.shtml