Re: [fw-wiz] Too Paranoid?

From: Dave Piscitello (dave@corecom.com)
Date: 09/29/02


From: Dave Piscitello <dave@corecom.com>
To: James Triplett <james@thelix.net>
Date: Sun Sep 29 19:32:16 2002

Totally in agreement.

Any reputable vendor should appreciate this, and should be willing to explain
what security measures they have implemented to your satisfaction, or if
not to your satisfaction, willing to work to resolve differences between their
security posture and what your policy requires.

Beyond this, you should establish what liability the vendor is willing to
accept.
Your *ss is on the line, your company's integrity and future.

If there is a "they screw up, you lose" scenario, your service contract should
describe who is accountable for loss, down time, costs of cleanup, etc.

Moreover, if someone in your organization overrules you, you should put in
writing exactly what your concerns are and have it notarized (you can even
postal mail it to yourself, but don't open it).

From a technical perspective, I'd insist on auditing this system, and document
all the security issues you feel don't meet your policy and standards. If you
don't know Win2K, then insist that the vendor provide a 3rd party appraisal.

I've had experience with a SCO turnkey system for credit card database
access with a similar "phone home" requirement from the vendor. Default
install, no effort taken to remove unnecessary services, eliminate guest
accounts, etc.

You are not paranoid, you're doing your job.

At 12:36 PM 9/29/2002 -0400, you wrote:
>You are responsible for the security of your network. ANY vendor
>who wants to put equipment on that network, no matter how big
>and impressive (my bet here is we're talking about ADP) - must be
>willing to demonstrate to your satisfaction that their system is secure.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com


