Been there. Here is the approach.... Be open, candid, and absolutely non-confrontational (the last one is hard when you know the security issues are sometimes grave). Also, try to have the client present when you explain these items. Explain: 1) That the clients setup is very insecure for the following reasons a) The admin password is too short b) The admin password does not contain special characters c) The admin password should be changed regularly 2) The current information security environment. VIGILANCE IS NO LONGER AN OPTION. 3) Explain that the system involved is a client of both. Then explain that the client's information security/safety should come first. 4) Recap on #1. Highlight on #2 and repeat #3 until you make your point and can move on. 5) Candidly explain to the vendor that if a serious security incident should occur, and the weak password was the root cause, that the vendor could be held legally liable. 6) Explain to the customer that if privacy and financial information should leak, the client could be held legally liable. 7) Explain to both that a security 'incident' has already occured. Repeat #5 and #6 until you have made your point. 8) Then close the meeting with a remediation timeline. (This is the goal of the meeting!) Good Luck! /*************************************** Kirt S. Cathey, CIA, CISA, CISSP, MCSE PricewaterhouseCoopers - Tokyo, Japan Intrusion Detection, Forensics, and Audit 080-3388-6798 www.systemsrisk.com PGP: http://www.systemsrisk.com/pgp.txt ***************************************/ -----Original Message----- From: Jeff Peterson [mailto:jpetersonat_private] Sent: Sunday, August 17, 2003 4:32 AM To: incidentsat_private Subject: Software vendor clueless All, I have a customer whose company does legal work for lots of businesses. The data housed on their network is what I would call 'financially sensitive'. Recently, I found their Exchange server had been turned into an open relay. It was not that way a month ago.Once I stopped the bleeding, I told them I wanted to change the Administrator password, (NT4.0, Exch5.5. I know, I know). They told me they were not allowed to change the password. "Sez WHO", I asked. "Our software vendor", they replied. Turns out the vendor in question has a niche market in this kind of legal field. Also turns out they use the same 4-letter, (no caps, no special chars), administrator password on ALL their customers networks. To make matters worse, they have PCAnyWhere ports open on all these networks, because their software is so buggy, the developers need to remote in and fix things all the time. The spokesman for the group claims that the AT&T managed firewall prevents anyone else from using the PCNoWhere ports by IP address. I'm not a great negotiator, and I'm going to face the SW spokesman next week. He is a good spin doctor. I'm looking for help in making him secure his stuff. All help is appreciated. Jeff Peterson BTIIS --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications - Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814 ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications - Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814 ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sun Aug 17 2003 - 09:54:48 PDT