Vendors and Security. Robert Smith Sr. Director Technology Student Affairs Technology Services

Transcription

1 Vendors and Security Robert Smith Sr. Director Technology Student Affairs Technology Services

2 The views expressed are my own. Opinions expressed are solely my own and do not express the views or opinions of UCR. Use at your own risk.

3 Technology Services (IT) Support all things Student Affairs Except SIS 40+ departments from Early Academic Outreach to Admissions to Financial Aid to SHS/CAPS to Dinning/Housing ~1,200 FTE ~22,000 Students 7x20x350 IT ~32 staff ~120 applications - ~60 CoTs, ~60 Custom

4 Nothing prepared me Internal culture if it worked we re good Maybe even just on the happy path Usually (in my area) little security or theater Some good thinking suffered rot Stop looking. We can t stop looking Policies Laws HIPAA, CMIA, FERPA Contracts PCI Reputational risk Start doing risk assessment and some review

5 Nothing prepared me continued Understand the internal thinking make it work, but vendors Vendors OK they have to get security? Some big names here They have CTOs and security folks Risk is not here or is it? They are not just make it work thinkers Or are they

6 No one can be that ludicrous? Can they? Why your vendors should be keeping you up at night! VENDOR SECURITY MANAGEMENT

7 The stories are true and These are vendors we depend on Some of these vendors are good vendors The point of this talk is not that they are bad vendors it s that we have to manage them, be firm and understand if we do nothing we are in trouble (Some) Vendors want to make it work May not even propose secure solution Some vendors need to mature UC needs to get that message out

8

9 Get this out of the way Vendor: We need all ports open - bidirectional UCR: That is not secure, you can t need that Vendor: We have never been hacked UCR: How do you know? Vendor: What do you mean? UCR: [silence] UC IT Security officer, that s the time when I want to start running for the door.

10 Meanwhile back at the vendor

11

12 First brand impressions? Would you be worried just seeing these names? Would your staff? Would your leadership? What assumptions would be made?

13

14 Aurora - FoodPro In order for us to properly support UC Riverside while protecting our intellectual property and processes, we are requesting that UC Riverside allow us to connect to a workstation via LogMeIn Web Service. The LogMeIn Web Service supports screen black-out capabilities which would allow us to provide support while maintaining our intellectual property and processes. If during a support session, we find that we must interact with the data directly, we will invoke the option to blank the end-user's screen to protect our intellectual processes and property.

15 Aurora Food Pro #2 Heartbleed several third party packages in FoodPro that are potentially vulnerable to the Heartbleed bug. FoodPro has several web-based applications Out of the box, none of these products are implemented with SSL customers should review any custom changes they have made to these products, specifically where SSL connectivity may have been introduced.

16 Banner Ellucian - left the default manager credentials. This led to a compromise and server rebuild Compromise was detected early by UCR Sec Team! Ellucian responses: Common practice to use standard accounts and passwords during the installation process! might have mitigated a complete server rebuild Banner Document Management Recommended leaving Oracle write port open on an open network admitted was not secure but still said that was the solution UCR had to identify alternatives

17 Blackboard - ecommerce

18 Coalfire Security/PCI Request #1 blanket white list our IP addresses and allow past your IPS What prevents an attacker from spoofing that IP to get in? Request #2 allow our IP addresses into your private network and allow vulnerability scans You have to be joking? Would you not write that up in a pen test?

19 Coalfire said that we would perhaps require few of the entities at UC Riverside to whitelist our source IPs. These are specific to external scans that we did recently. Our scanners were not able to scan and report any live targets as we believe the scan traffic was actively blocked by IPS system. So to resolve this issue, we would recommend to whitelist our scanner IPs on your IPS (Intrusion Prevention System) so we can scan your environment and get accurate results.

20 Hirsh Access Control Solution VARs heard make it work and Placed controllers on public networks No vlans, no segmentation Turned off all encryption Used default accounts and passwords When asked about security (SSL, etc.) did not even know. Paraphrase - Oh you want a secure solution well that s a lot more work. Did not think that was important

21 Honeywell HVAC Management Honeywell technician relayed the following: "The installation process will create an account mngr and the required Honeywell groups. The mngr account must be the same user name and password on the client machine and the mngr account password cannot be changed. It s hard coded in their applications! Honeywell rebuffed all attempts to provide port and flow will not support unless all ports and all protocols are allowed bidirectional!

22 Micros Point of Sale One Micros resource shared credentials with another Micros resource who did not have credentials. He stated that he knew it went against PCI but that he thought it was more important that the other resource was able to get into the system to help us with an issue. Micros told us that shutting down unused ports was extreme. Micros sent us an with all SFTP info in the same (server, login, password).

23 Micros part 2 Default password found out about an [undisclosed up to this point 4 months in to the implementation] account that POS registers use to communicate with its local database. Server also has a similar account to talk to its local database. Micros uses a standard password for this purpose. understanding, this password is the same for both the server and registers.

24 TMA Maintenance Management As part of a security review and risk mitigation UCR decided to separate DB to its own server Keeping with the general DMZ security pattern App server out front Database server behind Narrow rules Good pattern and practice Sounds awesome right?

25 TMA Deployment Diagram - DMZ

26 TMA - DMZ Look at the holes in the firewall Danger! Changed back Isolate Illustrates! Open ports: 6 specific 17K others!

27

28 UCR Responses Change vendor selection process Risk Assessments Plan mitigations Network diagrams ports and flows Firewalls, Networking & Segmentation Negotiation Agreements Tools Account provisioning Assume even smart vendors can do ludicrous

29 Conclusions/Recommendations Before vendor is selected Deployment Model Risk Assessment Credential assessment, vulnerability assessment Use RFP to break resistance Reject vendors Big/popular, smart, capable vendor Does not mean good security or good practice They want to make it work, make sale and may not even care about security.

30 Robert Smith THANK YOU!