Beaver: Taking Responsibility for Vendor Product Security
March 20, 2017 | Vendor and Partner Management
By Kevin Beaver, IANS Faculty
When I perform independent information-security assessments, I often assess the security of product vendors' systems and software. Some of these products are related to IT and security, while others fall into the Internet-of-Things (IoT) category. Sometimes it's the vendor looking for an independent review and other times it’s the end user.
Regardless, the overall goals are always the same: to determine how resilient the system or software is to security attacks, how it meets commonly expected security practices, and how it processes, stores and otherwise handles sensitive information.
When I'm seeking out security flaws in these products – be it web browser plug-ins, mobile app environments or network-connected hardware devices – the outcomes are predictable. If the system has an IP address, a URL or a mere software surface that can be interacted with, anything is fair game for attack and exploit. All that is typically required is a web browser, command prompt and network analyzer combined with a malicious mindset and knowledge of what to look for. Network and web vulnerability scanners often uncover even more issues. Some common flaws that I have found in these products include:
- Severely outdated operating system and application patches
- Users running with administrator or root privileges and no reasonable means of protecting against malware
- Documented and undocumented backdoor accounts – for some of which the credentials are a simple Google search away
- Ancillary services and features enabled by default, such as USB ports, as well as FTP and web interfaces that create unnecessary exposures
- Cross-site scripting and SQL injection flaws
- Sloppy storage of sensitive user and system configuration information
- Unencrypted network communications that expose login credentials and connection details of the endpoint systems involved
- Software installations that reconfigure system settings and create exposures for both endpoints and administrative systems
Every manufacturer out there has a gadget or application that can easily end up creating security risks in the enterprise. Be careful. Just because a vendor makes and sells these products, it doesn't mean they have security-savvy software developers or even someone validating that security is in check. Ironically, IT- and security-related products tend to be the worst offenders.
It’s clear to me that many product vendors are not thinking about how their systems can be attacked and what those exposures can lead to. I also think this underscores the criticality of IoT and product-centric security and how it affects businesses and consumers alike.
Doing Our Part
Is more regulation needed? That's an entirely different discussion, but generally speaking, I don't think so because we've seen the comical outcomes of regulations such as HIPAA and the CAN-SPAM Act. If anything, regulating product security gives businesses and consumers something to fall back on when the products lead to security attacks.
In the same way we can't rely on the police to keep us safe all the time or doctors to ensure that we always take the proper steps to live long and healthy lives, we all have a responsibility to keep things safe and secure in the systems and software we use. Maybe that means holding these vendors more accountable when security flaws are found. Maybe it means adding your own compensating controls when using their products on your network. Or, perhaps it means letting the market work things out by looking elsewhere and not supporting vendors that have subpar security.
It's ultimately up to you. At the end of the day, you can't blame poor security and the subsequent incidents and breaches on someone else. Rather than more finger-pointing, regulation and red tape, let's have the discipline to do what's right and take the proper steps to reasonably lock things down – even if it's someone else's product.
If you suspect a third-party product is exposing your network or creating other unnecessary risks, don't be afraid to test the system yourself if it's in your own environment. Or, ask for (or hire someone to do) an independent assessment. Ask your vendors the tough questions about what they're doing to test and resolve the issues that are uncovered. Hold their feet to the fire. In the worst-case scenario, if an incident or breach does occur, you'll have a paper trail showing that you were taking reasonable steps and doing your own due diligence to keep things in check.
Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).