Post on 14-Jul-2020
Vendors and Security
Robert Smith
Sr. Director Technology
Student Affairs
Technology Services
The views expressed are my own.
Opinions expressed are solely my own and do not express the views or opinions of UCR. Use at your own risk.
Technology Services (IT)
Support all things Student Affairs
Except SIS
40+ departments – from Early Academic Outreach to Admissions to Financial Aid to SHS/CAPS to Dining/Housing
~1,200 FTE
~22,000 Students
7x20x350
IT ~32 staff
~120 applications – ~60 COTS, ~60 custom
Nothing prepared me
Internal culture – if it worked – we’re good
Maybe even just on the happy path
Usually (in my area) – little security or theater
Some good thinking suffered rot
Stop looking ….
We can’t stop looking
Policies
Laws – HIPAA, CMIA, FERPA
Contracts – PCI
Reputational risk
Start doing risk assessment and some review
Nothing prepared me (continued)
Understand the internal thinking – make it work, but vendors …
Vendors
OK – they have to get security?
Some big names here …
They have CTOs and security folks
Risk is not here – or is it?
They are not just make it work thinkers …
Or are they …
VENDOR SECURITY MANAGEMENT
No one can be that ludicrous? Can they? Why your vendors should be keeping you up at night!
The stories are true and …
These are vendors we depend on
Some of these vendors are good vendors
The point of this talk is not that they are bad vendors – it’s that we have to manage them, be firm and understand that if we do nothing we are in trouble
(Some) Vendors want to make it work …
May not even propose secure solution
Some vendors need to mature – UC needs to get that message out
Get this out of the way …
Vendor: We need all ports open - bidirectional
UCR: That is not secure, you can’t need that …
Vendor: We have never been hacked
UCR: How do you know?
Vendor: What do you mean?
UCR: [silence]
UC IT Security officer: “… that’s the time when I want to start running for the door.”
Meanwhile back at the vendor …
First brand impressions?
Would you be worried just seeing these names?
Would your staff?
Would your leadership?
What assumptions would be made?
Aurora – FoodPro
“In order for us to properly support UC Riverside while protecting our intellectual property and processes, we are requesting that UC Riverside allow us to connect to a workstation via LogMeIn Web Service. The LogMeIn Web Service supports screen black-out capabilities which would allow us to provide support while maintaining our intellectual property and processes. If during a support session, we find that we must interact with the data directly, we will invoke the option to blank the end-user's screen to protect our intellectual processes and property.”
Aurora – Food Pro #2
Heartbleed
“… several third party packages in FoodPro that are potentially vulnerable to the Heartbleed bug. FoodPro has several web-based applications … Out of the box, none of these products are implemented with SSL … customers should review any custom changes they have made to these products, specifically where SSL connectivity may have been introduced.”
Banner Ellucian - left the default manager credentials.
This led to a compromise and server rebuild
Compromise was detected early by UCR Sec Team!
Ellucian responses:
“Common practice to use standard accounts and passwords during the installation process!”
“… might have mitigated a complete server rebuild …”
Banner Document Management
Recommended leaving the Oracle write port open on an open network – admitted it was not secure … but still said that was the solution – UCR had to identify alternatives …
Blackboard - ecommerce
Coalfire – Security/PCI
Request #1 – blanket white list our IP addresses and allow past your IPS
What prevents an attacker from spoofing that IP to get in?
Request #2 – allow our IP addresses into your private network and allow vulnerability scans
You have to be joking? Would you not write that up in a pen test?
Coalfire said …
“… that we would perhaps require few of the entities at UC Riverside to whitelist our source IPs. These are specific to external scans that we did recently. Our scanners were not able to scan and report any live targets as we believe the scan traffic was actively blocked by IPS system. So to resolve this issue, we would recommend to whitelist our scanner IPs on your IPS (Intrusion Prevention System) so we can scan your environment and get accurate results.”
Hirsh – Access Control Solution
VARs “heard make it work” … and …
Placed controllers on public networks
No vlans, no segmentation …
Turned off all encryption
Used default accounts and passwords
When asked about security (SSL, etc.) did not even know.
Paraphrase – ‘Oh you want a secure solution – well that’s a lot more work.’
Did not think that was important …
Honeywell – HVAC Management
Honeywell technician relayed the following: “The installation process will create an account ‘mngr’ and the required Honeywell groups. The mngr account must be the same user name and password on the client machine and the mngr account password cannot be changed.”
It’s hard coded in their applications!
Honeywell – rebuffed all attempts to provide port and flow – will not support unless all ports and all protocols are allowed bidirectional!
Micros – Point of Sale
One Micros resource shared credentials with another Micros resource who did not have credentials. He stated that he knew it went against PCI but that he thought it was more important that the other resource was able to get into the system to help us with an issue.
Micros told us that shutting down unused ports was extreme.
Micros sent us an email with all SFTP info in the same email (server, login, password).
Micros – part 2
Default password
“… found out about an [undisclosed up to this point – 4 months in to the implementation] account that POS registers use to communicate with its local database. Server also has a similar account to talk to its local database.”
“Micros uses a standard password for this purpose. … understanding, this password is the same for both the server and registers.”
TMA – Maintenance Management
As part of a security review and risk mitigation – UCR decided to separate the DB to its own server
Keeping with the general DMZ security pattern
App server out front
Database server behind
Narrow rules
Good pattern and practice
Sounds awesome – right?
TMA Deployment Diagram - DMZ
TMA - DMZ
Look at the holes in the firewall
Danger!
Changed back
Isolate
Illustrates!
Open ports: 6 specific, 17K others!
UCR Responses
Change vendor selection process
Risk Assessments
Plan mitigations
Network diagrams – ports and flows
Firewalls, Networking & Segmentation
Negotiation
Agreements
Tools
Account provisioning
Assume even smart vendors can ‘do ludicrous’
Conclusions/Recommendations
Before vendor is selected
Deployment Model
Risk Assessment
Credential assessment, vulnerability assessment
Use RFP to break resistance
Reject vendors
Big/popular, smart, capable vendor
Does not mean good security or good practice
They want to make it work, make the sale and may not even care about security.