Great suggestions. Additionally, if the site has a security policy/standards that require "strong" passwords, or mandate password rotation, that may help as well. Of course the standards/policies have to exist and be endorsed properly. It is also a good requirement to include in contracts that the vendor will adhere to all security policies and standards (I understand in this case you are inheriting this situation).

Regards,
->Pierre Cadieux, CISSP

At 05:00 PM 8/16/2003 -0700, Jeff Peterson wrote:
>Thank you, Kirt. Very clear. I will take your advice.
>
>-----Original Message-----
>From: Kirt Cathey [mailto:kirtat_private]
>Sent: Saturday, August 16, 2003 2:26 PM
>To: Jeff Peterson; incidentsat_private
>Subject: RE: Software vendor clueless
>
>
>Been there.
>
>Here is the approach....
>
>Be open, candid, and absolutely non-confrontational (the last one is hard when you know the security issues are sometimes grave).
>Also, try to have the client present when you explain these items.
>
>Explain:
>1) That the client's setup is very insecure for the following reasons
>   a) The admin password is too short
>   b) The admin password does not contain special characters
>   c) The admin password should be changed regularly
>
>2) The current information security environment. VIGILANCE IS NO LONGER AN OPTION.
>
>3) Explain that the system involved is a client of both. Then explain that the client's information security/safety should come first.
>
>4) Recap on #1. Highlight on #2 and repeat #3 until you make your point and can move on.
>
>5) Candidly explain to the vendor that if a serious security incident should occur, and the weak password was the root cause, that the vendor could be held legally liable.
>
>6) Explain to the customer that if privacy and financial information should leak, the client could be held legally liable.
>
>7) Explain to both that a security 'incident' has already occurred. Repeat #5 and #6 until you have made your point.
>
>8) Then close the meeting with a remediation timeline. (This is the goal of the meeting!)
>
>
>Good Luck!
>
>/***************************************
>Kirt S. Cathey, CIA, CISA, CISSP, MCSE
>PricewaterhouseCoopers - Tokyo, Japan
>Intrusion Detection, Forensics, and Audit
>080-3388-6798
>www.systemsrisk.com
>PGP: http://www.systemsrisk.com/pgp.txt
>***************************************/
>
>
>-----Original Message-----
>From: Jeff Peterson [mailto:jpetersonat_private]
>Sent: Sunday, August 17, 2003 4:32 AM
>To: incidentsat_private
>Subject: Software vendor clueless
>
>
>
>
>All,
>
>I have a customer whose company does legal work for lots of businesses. The data housed on their network is what I would call 'financially sensitive'. Recently, I found their Exchange server had been turned into an open relay. It was not that way a month ago. Once I stopped the bleeding, I told them I wanted to change the Administrator password (NT4.0, Exch5.5. I know, I know). They told me they were not allowed to change the password. "Sez WHO", I asked. "Our software vendor", they replied. Turns out the vendor in question has a niche market in this kind of legal field. Also turns out they use the same 4-letter (no caps, no special chars) administrator password on ALL their customers' networks. To make matters worse, they have PCAnyWhere ports open on all these networks, because their software is so buggy, the developers need to remote in and fix things all the time. The spokesman for the group claims that the AT&T managed firewall prevents anyone else from using the PCNoWhere ports by IP address.
>
>I'm not a great negotiator, and I'm going to face the SW spokesman next week. He is a good spin doctor. I'm looking for help in making him secure his stuff. All help is appreciated.
>
>Jeff Peterson
>BTIIS
>
>---------------------------------------------------------------------------
>Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical Applications
> - Precisely Define and Implement Network Security and Performance Policies
>**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
>Visit us at:
>http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
>----------------------------------------------------------------------------
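The thread's three complaints about the vendor's administrator credential (too short, no special characters, never rotated) and the fourth problem in Jeff's original post (one credential shared across every customer network) can be turned into a repeatable audit check. The following is an added example, not code from anyone on the list; the policy numbers, site names and sample passwords are constructed for illustration, and the keyed-fingerprint approach for spotting reuse without storing plaintext is an assumption of this example rather than anything the thread describes.

```python
"""Added example: check one administrator credential against the policy points
raised in the thread, and detect the same credential being reused across several
client sites by comparing keyed fingerprints instead of plaintext passwords.

All policy values, site names and passwords here are constructed for the example.
"""
import hashlib
import hmac
import string
from datetime import date

# Assumed policy values (constructed; tune to the organisation's own standard).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def password_findings(password: str, last_changed_iso: str, today_iso: str,
                      min_length: int = MIN_LENGTH,
                      max_age_days: int = MAX_AGE_DAYS) -> list[str]:
    """Return the policy violations for one credential, in a fixed order:
    length, missing character classes, rotation age. Empty list means it passes.
    Dates are ISO strings (YYYY-MM-DD) so the check is easy to drive from an
    inventory spreadsheet or CSV."""
    findings: list[str] = []
    if len(password) < min_length:
        findings.append(f"too short ({len(password)} < {min_length})")

    # Character-class coverage; the thread's point 1b is the 'special' entry.
    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))

    # Rotation age; the thread's point 1c.
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age_days > max_age_days:
        findings.append(f"not rotated for {age_days} days (limit {max_age_days})")
    return findings


def credential_fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256) of a credential. Equal passwords give equal
    fingerprints, so reuse is visible by comparing fingerprints, while the
    inventory itself never holds plaintext. The key stays with the auditor only."""
    return hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def shared_credentials(inventory: dict[str, str]) -> list[list[str]]:
    """Given site -> fingerprint, return the groups of sites (sorted) that share
    one fingerprint, i.e. one credential reused across customers."""
    by_fingerprint: dict[str, list[str]] = {}
    for site, fingerprint in inventory.items():
        by_fingerprint.setdefault(fingerprint, []).append(site)
    return sorted(sorted(sites) for sites in by_fingerprint.values() if len(sites) > 1)


def audit_sample() -> tuple[list[str], list[str], list[list[str]]]:
    """Run the checks over a constructed inventory resembling the thread's
    situation: two sites sharing a 4-letter lowercase password, one site with a
    credential that meets the assumed policy."""
    audit_key = b"constructed-audit-key-do-not-reuse"   # constructed for the example
    today = "2003-08-16"
    sites = {
        "client-a": ("abcd", "2003-01-01"),
        "client-b": ("abcd", "2003-01-01"),
        "client-c": ("Tr0ub4dor&3xample!", "2003-07-01"),
    }
    weak = password_findings(*sites["client-a"], today)
    strong = password_findings(*sites["client-c"], today)
    inventory = {site: credential_fingerprint(pw, audit_key) for site, (pw, _) in sites.items()}
    return weak, strong, shared_credentials(inventory)


if __name__ == "__main__":
    weak, strong, shared = audit_sample()
    print("client-a findings:", weak)
    print("client-c findings:", strong)
    print("credential shared by:", shared)
```

Fingerprinting with a per-audit HMAC key, rather than a plain hash, keeps an exported inventory from doubling as a cracking target; the findings list deliberately carries the reason text so a remediation timeline (Kirt's point 8) can be written directly from it.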
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:03:13 PDT