May 30, 2019
Vendor Device (In)Security – WST
Most IT environments have some sort of vendor configured devices on them. From security cameras or copiers, to core application servers, you probably have at least one device on your network that your vendor setup for you. Now, hopefully the solution they installed is working well…but is it secure?
We have the privilege of evaluating a lot of environments and have seen many well-designed vendor systems… and we have also seen some, well, not so well-designed systems. The problem is, many installation techs are primarily concerned with one thing: making it work as quickly as possible. Security is often an afterthought, if it is thought about at all.
Some unfortunate vendor-introduced security risks we have seen during security assessments:
- Security cameras accessible to the world without requiring a password
- Remote Desktop Protocol (RDP) allowed inbound directly to a Domain Controller
- A popular core vendor that setup a critical server with the C: drive shared (Read/Write) with everyone
- Banks that could browse other banks’ networks through vendor connections
The point is that any vendor, no matter how thorough, can sometimes slip up. Don’t assume anything. At the end of the day, it is the institution’s responsibility to ensure all systems are secure. This means proper vendor oversight. After selecting the right vendor, you should ask for documentation on how they hardened (i.e., secured) the system during installation. Additionally, make sure they provide good change logs so you know when they have made changes and can make sure the changes didn’t introduce new vulnerabilities.
Finally, your internal audit program (or independent IT auditor) should include not only reviews of documentation, but actual spot checks of vendor systems to make sure they are properly and securely configured.