The document provides guidance on how to securely purchase hardware, software, and services by performing security evaluations of vendors' products and services before buying, including asking about security testing performed, available demos to evaluate network interfaces and encryption, and establishing protocols for further penetration testing if needed. It focuses on applying these principles to securely purchasing network-connected appliances like security cameras.

1. Mike Regan & Alex Keller
Systems Administrators Academic
Technology
San Francisco State University

2.  When purchasing hardware, software, or
services your greatest leverage with the
vendor is BEFORE YOU BUY. Establishing
a solid rapport during the pre-sales
process is critical.

3.  What types of security testing have you
performed?
 Do you have a security contact/team we can
speak with?
 Has your device/software/service been
penetration tested? What where the results?
 What protocols and ports are used/required
for the functionality required?
 What sort of authentication, authorization,
and encryption technologies do you employ?

4.  Obtain a demo/trial system and perform your own
evaluation:
• What network interfaces does it have? (Physical inspection)
• What ports are exposed? (Nmap port scan)
• Is data encrypted in transit? (Wireshark)
• Are there any records in the public vulnerability databases?
• Google search?

5.  Ifyou find something interesting, share it with
the vendor. Is their response antagonistic,
dismissive, ambivalent, or responsive?
Their response can tell you a lot about how
mature their approach to IT security is.
 Product selection is as much an emotional
process as a technical one, how do you feel
about the vendor? Are they transparent and
forthright?

6.  Ifa full penetration test is merited (planned
deployment in a high security
environment), establish protocol for the
testing in writing from the vendor.

7. “Vulnerabilities are going to be discovered. The good guys will discover
some and the bad guys will discover some. …All parties interested in
improving the state of information security are going to have to come
together and compromise. We must find a way to address the issues.
Vendors must be notified and held to timely patch development. The
customer must be given the information they need to defend their
systems. Credit and possibly compensation needs to be given to the
discoverer. Finally every effort must be made to keep automated attack
tools out of the hands of script kiddies. Only by addressing these key
issues can we make the
Internet more secure.”
Stephen Shepherd, SANS:
http://www.sans.org/reading_room/whitepapers/threats/define-
responsible-disclosure_932

8.  The principles of „secure before you buy‟
can be applied to servers, workstations,
laptops, handheld devices, network
equipment, operating systems, software,
and services….but for the purposes of a
scoped discussion, we are going to focus
on the rapidly proliferating world of
Appliances.

9.  Purpose built closed system.
 Embedded OS (Linux, BusyBox, Android,
Windows, Java)
 No traditional console, configuration is
typically done by web page, ssh, or serial,
or USB drive.
 Single function with an emphasis on
stability.

10.  Video streaming set top boxes
 Environmental controls (Lighting, HVAC,
etc.)
 Alarm and video surveillance systems
 Network storage
 Ancillary device control (projectors,
screens, lighting etc.)

12. • System could be used to interrupt legitimate
services (denial of service attack).
• System could be used to provide covert
illegitimate services (illegal file sharing).
• System could expose of sensitive information.
• System could be used as a launch or pivot point to
attack other systems or perform reconnaissance.
• Sabotage.

17.  Vulnerability Databases:
• http://web.nvd.nist.gov/view/vuln/search
• http://cve.mitre.org/cve/cve.html
• http://www.cert.org
 Known Ports and Protocols (Internet
Assigned Numbers Authority):
• http://www.iana.org/assignments/service-names-
port-numbers/service-names-port-numbers.xml
 BackTrack
http://www.backtrack-linux.org

18. We welcome further correspondence on this
topic, please pass on our contact
information to your colleagues.
Mike Regan <gir@sfsu.edu>
Alex Keller <alkeller@sfsu.edu>

19.  VulnerabilitySearch:
http://cve.mitre.org/cve/cve.html
 IPCamera
http://128.210.72.31/view/indexFrame.sht
ml