Re: Software vendor clueless
From: H Carvey (keydet89_at_yahoo.com)
Date: 08/17/03
- Previous message: Harlan Carvey: "Re: Software vendor clueless"
- Maybe in reply to: Jeff Peterson: "Software vendor clueless"
- Next in thread: Rainer Duffner: "Re: Software vendor clueless"
- Reply: Rainer Duffner: "Re: Software vendor clueless"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 17 Aug 2003 17:06:04 -0000 To: incidents@securityfocus.com In-Reply-To: <GFEFLNCAJHGGEBHHGMIBAEPDCAAA.kirt@futamatagawa.net>
>Explain:
>1) That the client's setup is very insecure for the
>following reasons
> a) The admin password is too short
> b) The admin password does not contain special characters
> c) The admin password should be changed regularly
>
I fully agree with these recommendations, but they
should also be considered in the context of the
infrastructure. You must be prepared to answer the
customer's questions regarding firewalls blocking
ports, etc.
>2) The current information security environment.
>VIGILANCE IS NO LONGER AN OPTION.
>
>3) Explain that the system involved is a client of
>both. Then explain that the client's information
>security/safety should come first.
>
>4) Recap on #1. Highlight on #2 and repeat #3 until
>you make your point and can move on.
>
>5) Candidly explain to the vendor that if a serious
> security incident should occur, and the weak
> password was the root cause, that the vendor could be
> held legally liable.
While this is a valid concern, some research should be
done regarding the firewall settings. If the firewall
blocks ports 139 and 445, then someone accessing the
system may not be the most immediate concern. Also,
investigation into the firewall rulesets should be done
to ensure that the pcAnywhere connections are
restricted to both source and destination IP addresses.
>6) Explain to the customer that if privacy and
>financial information should leak, the client could
>be held legally liable.
>
>7) Explain to both that a security 'incident' has
>already occurred. Repeat #5 and #6 until you have
>made your point.
Back the turnip truck up one second! What incident has
occurred? If you're referring to the Exchange server
set to being an open relay...what evidence do you have
regarding this? Yes, there is significant risk
associated w/ open relays, particularly if they're used
to relay porno and/or spam. But what evidence is there
to show that this change in the system is the result of
an incident? Unless, of course, you're saying that
someone accidentally or unknowingly enabled relaying is
the incident.
>8) Then close the meeting with a remediation timeline.
>(This is the goal of the meeting!)
It's always a good plan for a security professional to
present options and a plan for resolution, rather than
just problems. Take your customer solutions, not problems.
Harlan
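An added example, not part of Harlan's message or of the thread: a small Python audit of a simplified first-match firewall ruleset for the two checks he names above, namely that SMB on TCP 139/445 is blocked from untrusted addresses and that pcAnywhere is permitted only from the vendor's address to the one designated host. The rule model, the documentation-range addresses and the two sample rulesets are constructed for this example; the pcAnywhere ports (TCP 5631 data, UDP 5632 status) are the product's well-known defaults and are not stated anywhere in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Simplified first-match ruleset model, constructed for this example; it is
# not the syntax of any particular firewall product.
@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    dports: tuple = ()   # destination ports; an empty tuple means any port


def rule_matches(rule, proto, src, dst, dport):
    """True when a packet (proto, src, dst, dport) is covered by the rule."""
    if rule.proto not in ("any", proto):
        return False
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    return not rule.dports or dport in rule.dports


def decide(rules, proto, src, dst, dport, default="deny"):
    """First matching rule wins; the default applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return default


# Well-known ports used by the checks (assumed defaults, not from the thread):
# pcAnywhere TCP 5631 (data) and UDP 5632 (status); SMB TCP 139 and TCP 445.
PCANYWHERE = (("tcp", 5631), ("udp", 5632))
SMB = (("tcp", 139), ("tcp", 445))


def audit(rules, pca_host, other_host, vendor_ip, stranger_ip):
    """Return findings for the two points raised in the reply: SMB must not be
    reachable from an untrusted address, and pcAnywhere must be reachable only
    from the vendor's address and only on the designated host."""
    findings = []
    for proto, port in SMB:
        if decide(rules, proto, stranger_ip, pca_host, port) == "allow":
            findings.append(f"SMB {proto}/{port} reachable from {stranger_ip}")
    for proto, port in PCANYWHERE:
        if decide(rules, proto, stranger_ip, pca_host, port) == "allow":
            findings.append(f"pcAnywhere {proto}/{port} open to any source")
        if decide(rules, proto, vendor_ip, other_host, port) == "allow":
            findings.append(f"pcAnywhere {proto}/{port} from vendor reaches {other_host}")
        if decide(rules, proto, vendor_ip, pca_host, port) != "allow":
            findings.append(f"pcAnywhere {proto}/{port} vendor -> {pca_host} is blocked")
    return findings


# Constructed sample rulesets using RFC 5737 documentation ranges:
# 192.0.2.0/24 internal, 198.51.100.10 vendor, 203.0.113.7 an unrelated host.
# "Weak": pcAnywhere opened to the whole Internet and SMB not filtered at all.
WEAK_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", (5631,)),
    Rule("allow", "udp", "0.0.0.0/0", "192.0.2.0/24", (5632,)),
    Rule("allow", "any", "0.0.0.0/0", "192.0.2.0/24"),
]
# "Strict": SMB dropped, pcAnywhere limited to one source and one destination.
STRICT_RULES = [
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", (139, 445)),
    Rule("allow", "tcp", "198.51.100.10/32", "192.0.2.25/32", (5631,)),
    Rule("allow", "udp", "198.51.100.10/32", "192.0.2.25/32", (5632,)),
    Rule("deny", "any", "0.0.0.0/0", "192.0.2.0/24"),
]

# (pcAnywhere host, another internal host, vendor address, unrelated address)
ARGS = ("192.0.2.25", "192.0.2.40", "198.51.100.10", "203.0.113.7")

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("strict", STRICT_RULES)):
        print(name, audit(rules, *ARGS) or ["no findings"])
```

The weak ruleset produces six findings (both SMB ports exposed, both pcAnywhere ports open to any source, and the vendor able to reach a second internal host on both ports); the strict one produces none. Running the same checks against an export of the real ruleset is the "investigation into the firewall rulesets" the reply asks for, and it answers the customer's firewall questions with evidence rather than assumptions.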