Mike Regan & Alex Keller, Systems Administrators, Academic Technology, San Francisco State University
When purchasing hardware, software, or services your greatest leverage with the vendor is BEFORE YOU BUY. Establishing a solid rapport during the pre-sales process is critical.
Questions to ask the vendor before you buy:
• What types of security testing have you performed?
• Do you have a security contact or security team we can speak with?
• Has your device/software/service been penetration tested? What were the results?
• What protocols and ports are used or required for the functionality we need?
• What authentication, authorization, and encryption technologies do you employ?
Obtain a demo/trial system and perform your own evaluation:
• What network interfaces does it have? (Physical inspection)
• What ports are exposed? (Nmap port scan, TCP and UDP)
• Is data encrypted in transit? (Wireshark capture of the management and data traffic)
• Are there any records for the product or its embedded components in the public vulnerability databases?
• What does a general web search for the product turn up?
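A small triage script, added here as an example (it is not part of the original presentation and not an SFSU tool), that covers two of the checks above: it parses Nmap "grepable" (-oG) output to flag open services that normally run in the clear, and it tests whether a captured client-to-server payload starts with a TLS record header rather than plaintext. The scan output, the host address 192.0.2.10, and the cleartext/encrypted port tables are constructed assumptions for illustration, not a real scan result.

```python
"""Triage helpers for evaluating a demo appliance: parse an Nmap -oG scan,
flag services that are normally cleartext, turn findings into vendor
questions, and check whether a captured payload looks like TLS."""

# Assumed classification tables (well-known ports); adjust for your environment.
CLEARTEXT_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 69: "tftp", 80: "http",
    110: "pop3", 143: "imap", 161: "snmp", 389: "ldap", 1883: "mqtt",
    5900: "vnc", 8080: "http-alt",
}
ENCRYPTED_PORTS = {
    22: "ssh", 443: "https", 636: "ldaps", 993: "imaps",
    995: "pop3s", 8443: "https-alt", 8883: "mqtts",
}

# Constructed sample in Nmap grepable (-oG) format; not output from a real device.
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///, 1883/open/tcp//mqtt///\tIgnored State: closed (65529)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def parse_nmap_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output.

    Each port entry has the form port/state/proto/owner/service/rpc/version/."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            entries.append((int(fields[0]), fields[1], fields[2], fields[4]))
        results[host] = entries
    return results


def classify_open_ports(scan):
    """Label every open port as cleartext, encrypted, or unknown."""
    findings = []
    for host, entries in scan.items():
        for port, state, proto, service in entries:
            if state != "open":
                continue  # filtered/closed ports are not exposed services
            if port in CLEARTEXT_PORTS:
                label = "cleartext"
            elif port in ENCRYPTED_PORTS:
                label = "encrypted"
            else:
                label = "unknown"
            findings.append((host, port, proto, service or "?", label))
    return findings


def vendor_questions(findings):
    """Turn cleartext and unknown services into questions to put to the vendor."""
    questions = []
    for host, port, proto, service, label in findings:
        if label == "cleartext":
            questions.append(f"{host}:{port}/{proto} ({service}) is a cleartext protocol. "
                             "Can it be disabled or replaced with an encrypted equivalent?")
        elif label == "unknown":
            questions.append(f"{host}:{port}/{proto} ({service}) is not a well-known service. "
                             "What is it for, and how is it authenticated?")
    return questions


def looks_like_tls(payload):
    """True if the first client->server bytes are a TLS record header:
    content type 0x16 (handshake) and version 0x03 0x00..0x04 (SSL3..TLS1.3).
    A plaintext protocol such as HTTP starts with ASCII instead."""
    return (len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04))


if __name__ == "__main__":
    scan = parse_nmap_grepable(SAMPLE_NMAP_OG)
    for finding in classify_open_ports(scan):
        print(finding)
    for question in vendor_questions(classify_open_ports(scan)):
        print("-", question)
    print("TLS:", looks_like_tls(b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"))
    print("TLS:", looks_like_tls(b"GET /login HTTP/1.1\r\n"))
```

Run it against `nmap -sS -p- -oG - <demo-ip>` output and the first bytes of a Wireshark "Follow TCP Stream" export; anything labelled cleartext or unknown goes straight onto the list of questions for the vendor.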
If you find something interesting, share it with the vendor. Is their response antagonistic, dismissive, ambivalent, or responsive? Their response can tell you a lot about how mature their approach to IT security is. Product selection is as much an emotional process as a technical one: how do you feel about the vendor? Are they transparent and forthright?
If a full penetration test is merited (for example, a planned deployment in a high-security environment), establish the testing protocol with the vendor in writing beforehand: what may be tested, how, and what happens with the findings.
"Vulnerabilities are going to be discovered. The good guys will discover some and the bad guys will discover some. ... All parties interested in improving the state of information security are going to have to come together and compromise. We must find a way to address the issues. Vendors must be notified and held to timely patch development. The customer must be given the information they need to defend their systems. Credit and possibly compensation needs to be given to the discoverer. Finally every effort must be made to keep automated attack tools out of the hands of script kiddies. Only by addressing these key issues can we make the Internet more secure."
Stephen Shepherd, SANS: http://www.sans.org/reading_room/whitepapers/threats/define-responsible-disclosure_932
The principles of "secure before you buy" can be applied to servers, workstations, laptops, handheld devices, network equipment, operating systems, software, and services, but for the purposes of a scoped discussion, we are going to focus on the rapidly proliferating world of appliances.
What is an appliance?
• Purpose-built closed system.
• Embedded OS or runtime (Linux, BusyBox, Android, Windows, Java).
• No traditional console; configuration is typically done by web page, SSH, serial port, or USB drive.
• Single function with an emphasis on stability.
Examples:
• Video streaming set-top boxes
• Environmental controls (lighting, HVAC, etc.)
• Alarm and video surveillance systems
• Network storage
• Ancillary device control (projectors, screens, lighting, etc.)
Why a compromised appliance matters:
• System could be used to interrupt legitimate services (denial of service attack).
• System could be used to provide covert illegitimate services (illegal file sharing).
• System could expose sensitive information.
• System could be used as a launch or pivot point to attack other systems or perform reconnaissance.
• Sabotage.