RE: Software vendor clueless

From: Drew, Dale (Dale.Drewat_private)
Date: Sun Aug 17 2003 - 11:02:40 PDT


    I'd suggest ensuring the vendor is willing to take full liability for all
    security incidents caused by any operational environments that the
    vendor "requires" for installation.  Further that the vendor will
    indemnify the customer for any claims, infringements and incidents as a
    result of the "required" configuration.  That should change their tune
    dramatically.  Your customer should perform due diligence in reviewing
    software prior to installation, including the inclusion of a vendor
    questionnaire that asks these very important questions.
    
    You need to spell out each of the issues involved, your concerns with
    them, and the risks to the network and data if those issues were to be
    abused or compromised.  This should also include concerns of user
    accountability, not just unauthorized access by an outsider.  You should
    ask the vendor to supply recommendations on how to correct and
    compensate for each of these.
    
    
    If all else fails, have your customer look into
    http://www.zerofunctionality.com.  They cater to these types of
    customers who exercise high evaluation standards.  ;)
    
    Regards,
    Dale Drew
    Director, Global Security Architecture & Engineering
    Level(3) Communications, LLC
    720-888-2963 | dale.drewat_private
    
    
    
    
    -----Original Message-----
    From: Jeff Peterson [mailto:jpetersonat_private] 
    Sent: Saturday, August 16, 2003 1:32 PM
    To: incidentsat_private
    Subject: Software vendor clueless
    
    
    
    
    All,
    
    I have a customer whose company does legal work for lots of businesses.
    
    The data housed on their network is what I would call 'financially
    sensitive'.  Recently, I found their Exchange server had been turned into
    an open relay.  It was not that way a month ago.  Once I stopped the
    bleeding, I told them I wanted to change the Administrator password,
    (NT4.0, Exch5.5.  I know, I know).  They told me they were not allowed to
    change the password.  "Sez WHO", I asked.  "Our software vendor", they
    replied.  Turns out the vendor in question has a niche market in this
    kind of legal field.  Also turns out they use the same 4-letter, (no
    caps, no special chars), administrator password on ALL their customers'
    networks.  To make matters worse, they have PCAnyWhere ports open on all
    these networks, because their software is so buggy, the developers need
    to remote in and fix things all the time.  The spokesman for the group
    claims that the AT&T managed firewall prevents anyone else from using the
    PCNoWhere ports by IP address.
    
    I'm not a great negotiator, and I'm going to face the SW spokesman next 
    week.  He is a good spin doctor.  I'm looking for help in making him 
    secure his stuff.  All help is appreciated.
    
    Jeff Peterson
    BTIIS
    
    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at:
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 11:30:05 PDT