Regan, Keller, SF State Securing the vendor mr&ak


Published in: Technology
  • Throw in the floor mats before you sign the papers.
  • ISO 9001 quality and business management framework
  • Matrix with values to quantify how you feel about it.
  • Their response will tell you a lot about them. If they are antagonistic, they may be uninformed or trying to hide something. Share/compare your penetration test results with the vendor. Buying decisions are usually emotional, not logical. You're going to buy the product you feel the best about. This should help you get a better feeling for the most secure one.
  • Washing machine. Closed systems present a unique security challenge in that the customer has little visibility into the device. Depend on the Maytag repair man for fixes.
  • "Toshiba Network Camera" user login

    1. Mike Regan & Alex Keller, Systems Administrators, Academic Technology, San Francisco State University
    2. When purchasing hardware, software, or services, your greatest leverage with the vendor is BEFORE YOU BUY. Establishing a solid rapport during the pre-sales process is critical.
    3. Questions to ask the vendor:
       • What types of security testing have you performed?
       • Do you have a security contact/team we can speak with?
       • Has your device/software/service been penetration tested? What were the results?
       • What protocols and ports are used/required for the functionality required?
       • What sort of authentication, authorization, and encryption technologies do you employ?
    4. Obtain a demo/trial system and perform your own evaluation:
       • What network interfaces does it have? (Physical inspection)
       • What ports are exposed? (Nmap port scan)
       • Is data encrypted in transit? (Wireshark)
       • Are there any records in the public vulnerability databases?
       • Google search?
    5. If you find something interesting, share it with the vendor. Is their response antagonistic, dismissive, ambivalent, or responsive? Their response can tell you a lot about how mature their approach to IT security is. Product selection is as much an emotional process as a technical one: how do you feel about the vendor? Are they transparent and forthright?
    6. If a full penetration test is merited (planned deployment in a high security environment), establish a protocol for the testing, in writing, from the vendor.
    7. "Vulnerabilities are going to be discovered. The good guys will discover some and the bad guys will discover some. …All parties interested in improving the state of information security are going to have to come together and compromise. We must find a way to address the issues. Vendors must be notified and held to timely patch development. The customer must be given the information they need to defend their systems. Credit and possibly compensation needs to be given to the discoverer. Finally every effort must be made to keep automated attack tools out of the hands of script kiddies. Only by addressing these key issues can we make the Internet more secure." Stephen Shepherd, SANS
    8. The principles of 'secure before you buy' can be applied to servers, workstations, laptops, handheld devices, network equipment, operating systems, software, and services... but for the purposes of a scoped discussion, we are going to focus on the rapidly proliferating world of Appliances.
    9. Appliances:
       • Purpose-built closed system.
       • Embedded OS (Linux, BusyBox, Android, Windows, Java).
       • No traditional console; configuration is typically done by web page, ssh, serial, or USB drive.
       • Single function with an emphasis on stability.
    10. Examples:
       • Video streaming set top boxes
       • Environmental controls (lighting, HVAC, etc.)
       • Alarm and video surveillance systems
       • Network storage
       • Ancillary device control (projectors, screens, lighting, etc.)
    11. Risks:
       • System could be used to interrupt legitimate services (denial of service attack).
       • System could be used to provide covert illegitimate services (illegal file sharing).
       • System could expose sensitive information.
       • System could be used as a launch or pivot point to attack other systems or perform reconnaissance.
       • Sabotage.
    12. Resources:
       • Vulnerability Databases:
       • Known Ports and Protocols (Internet Assigned Numbers Authority): port-numbers/service-names-port-numbers.xml
       • BackTrack
    13. We welcome further correspondence on this topic, please pass on our contact information to your colleagues. Mike Regan, Alex Keller
    14. Vulnerability Search: IP Camera ml
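
Slides 3 and 4 set up a comparison: the ports the vendor says the product needs against what an Nmap scan of the trial unit actually shows. The script below is an added example, not part of the original slides. The scan output, address and declared-port list are constructed samples, and it assumes Nmap's grepable output (-oG) from a scan run without version detection.

```python
import re

# Constructed sample: grepable Nmap output (-oG) from a scan of a trial appliance.
SAMPLE_SCAN = (
    "# Nmap scan report (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/closed/tcp//https///, 554/open/tcp//rtsp///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (995)\n"
)

# Constructed sample: the vendor's answer to "what ports are used/required?"
VENDOR_DECLARED = {(80, "tcp"), (443, "tcp"), (554, "tcp")}

def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        ports = hosts.setdefault(m.group(1), {})
        for entry in m.group(2).split(","):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue  # skip anything that is not a well-formed port entry
            ports[(int(fields[0]), fields[2])] = (fields[1], fields[4])
    return hosts

def compare(observed, declared):
    """Report ports to raise with the vendor before purchase."""
    # "open|filtered" (common for UDP) is kept: Nmap could not rule it out,
    # so it is still a question for the vendor.
    reachable = {k for k, (state, _) in observed.items() if state.startswith("open")}
    return {
        "undeclared": sorted(reachable - declared),
        "declared_not_open": sorted(declared - reachable),
    }

if __name__ == "__main__":
    for host, observed in parse_grepable(SAMPLE_SCAN).items():
        print(host, compare(observed, VENDOR_DECLARED))
```

Each entry under "undeclared" is a concrete question to put to the vendor's security contact during pre-sales; "declared_not_open" points at features that were not enabled on the trial unit and so were not evaluated.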