Page 1

Vendors and Security

Robert Smith
Sr. Director Technology
Student Affairs Technology Services

Page 2

The views expressed are my own. Opinions expressed are solely my own and do not express the views or opinions of UCR. Use at your own risk.

Page 3

Technology Services (IT)
- Support all things Student Affairs, except SIS
- 40+ departments, from Early Academic Outreach to Admissions to Financial Aid to SHS/CAPS to Dining/Housing
- ~1,200 FTE
- ~22,000 students
- 7x20x350
- IT ~32 staff
- ~120 applications: ~60 COTS, ~60 custom

Page 4

Nothing prepared me
- Internal culture: if it worked, we're good
- Maybe even just on the happy path
- Usually (in my area) little security, or security theater
- Some good thinking suffered rot
- Stop looking …
- We can't stop looking:
  - Policies
  - Laws: HIPAA, CMIA, FERPA
  - Contracts: PCI
  - Reputational risk
- Start doing risk assessment and some review

Page 5

Nothing prepared me, continued
- Understand the internal thinking: make it work, but vendors …
- Vendors
  - OK, they have to get security?
  - Some big names here …
  - They have CTOs and security folks
  - Risk is not here, or is it?
  - They are not just "make it work" thinkers … or are they …

Page 6

VENDOR SECURITY MANAGEMENT

No one can be that ludicrous? Can they? Why your vendors should be keeping you up at night!

Page 7

The stories are true and … these are vendors we depend on
- Some of these vendors are good vendors
- The point of this talk is not that they are bad vendors; it's that we have to manage them, be firm, and understand that if we do nothing we are in trouble
- (Some) vendors want to make it work … and may not even propose a secure solution
- Some vendors need to mature; UC needs to get that message out
Page 9

Get this out of the way …

Vendor: We need all ports open, bidirectional
UCR: That is not secure, you can't need that …
Vendor: We have never been hacked
UCR: How do you know?
Vendor: What do you mean?
UCR: [silence]

UC IT Security officer: "… that's the time when I want to start running for the door."

Page 10

Meanwhile back at the vendor …
Page 12

First brand impressions?
- Would you be worried just seeing these names?
- Would your staff?
- Would your leadership?
- What assumptions would be made?
Page 13: Vendors and Security...Coalfire – Security/PCI Request #1 – blanket white list our IP addresses and allow past your IPS What prevents an attacker from spoofing that IP to get in?
Page 14

Aurora - FoodPro

In order for us to properly support UC Riverside while protecting our intellectual property and processes, we are requesting that UC Riverside allow us to connect to a workstation via LogMeIn Web Service. The LogMeIn Web Service supports screen black-out capabilities which would allow us to provide support while maintaining our intellectual property and processes. If during a support session, we find that we must interact with the data directly, we will invoke the option to blank the end-user's screen to protect our intellectual processes and property.

Page 15

Aurora - FoodPro #2: Heartbleed

… several third party packages in FoodPro that are potentially vulnerable to the Heartbleed bug. FoodPro has several web-based applications … Out of the box, none of these products are implemented with SSL … customers should review any custom changes they have made to these products, specifically where SSL connectivity may have been introduced.

Page 16

Banner (Ellucian): left the default manager credentials. This led to a compromise and server rebuild. The compromise was detected early by the UCR Sec Team!

Ellucian responses:
- Common practice to use standard accounts and passwords during the installation process!
- … might have mitigated a complete server rebuild …

Banner Document Management: recommended leaving the Oracle write port open on an open network; admitted it was not secure … but still said that was the solution. UCR had to identify alternatives.

Page 17

Blackboard - ecommerce

Page 18

Coalfire: Security/PCI
- Request #1: blanket whitelist our IP addresses and allow past your IPS. What prevents an attacker from spoofing that IP to get in?
- Request #2: allow our IP addresses into your private network and allow vulnerability scans. You have to be joking? Would you not write that up in a pen test?

Page 19

Coalfire said …

"… that we would perhaps require few of the entities at UC Riverside to whitelist our source IPs. These are specific to external scans that we did recently. Our scanners were not able to scan and report any live targets as we believe the scan traffic was actively blocked by IPS system. So to resolve this issue, we would recommend to whitelist our scanner IPs on your IPS (Intrusion Prevention System) so we can scan your environment and get accurate results."

Page 20

Hirsh – Access Control Solution

VARs "heard make it work" … and …
- Placed controllers on public networks
- No VLANs, no segmentation …
- Turned off all encryption
- Used default accounts and passwords
- When asked about security (SSL, etc.), did not even know
- Paraphrase: "Oh, you want a secure solution? Well, that's a lot more work."
- Did not think that was important …

Page 21

Honeywell – HVAC Management

Honeywell technician relayed the following: "The installation process will create an account 'mngr' and the required Honeywell groups. The mngr account must be the same user name and password on the client machine and the mngr account password cannot be changed."

It's hard coded in their applications!

Honeywell rebuffed all attempts to provide port and flow; will not support unless all ports and all protocols are allowed bidirectional!

Page 22

Micros – Point of Sale
- One Micros resource shared credentials with another Micros resource who did not have credentials. He stated that he knew it went against PCI but that he thought it was more important that the other resource was able to get into the system to help us with an issue.
- Micros told us that shutting down unused ports was extreme.
- Micros sent us an email with all SFTP info in the same email (server, login, password).

Page 23

Micros, part 2: Default password

… found out about an [undisclosed up to this point, 4 months into the implementation] account that POS registers use to communicate with its local database. Server also has a similar account to talk to its local database. Micros uses a standard password for this purpose. … understanding, this password is the same for both the server and registers.

Page 24

TMA – Maintenance Management
- As part of a security review and risk mitigation, UCR decided to separate the DB to its own server
- Keeping with the general DMZ security pattern:
  - App server out front
  - Database server behind
  - Narrow rules
- Good pattern and practice
- Sounds awesome, right?

Page 25

TMA Deployment Diagram - DMZ

Page 26

TMA - DMZ
- Look at the holes in the firewall. Danger!
- Changed back: isolate
- Illustrates!
- Open ports: 6 specific, 17K others!
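The TMA slides describe the pattern (app server out front, database behind, narrow rules) and the failure mode (a handful of intended ports plus thousands of unintended ones). The following is an added example, not code from the presentation or from UCR or TMA: a small policy audit that expands a rule list into the set of ports actually reachable from one tier to another and flags the rules that break the pattern. The rule format, the tier networks (10.10.1.0/24, 10.10.2.0/24), the vendor source range (203.0.113.0/24, a documentation range) and both rulesets are constructed for illustration; 1521 is Oracle's default listener port.

```python
"""Audit a firewall policy against the "app out front, DB behind, narrow rules"
DMZ pattern.  Added example; rules and networks below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"

# Constructed internal tiers.  Anything not inside one of these is "internet".
INTERNAL = {
    "dmz-app": ip_network("10.10.1.0/24"),
    "db": ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # CIDR or "any"
    dst: str    # CIDR or "any"
    proto: str  # "tcp", "udp" or "any"
    ports: str  # "443", "49152-65535" or "any"


def port_range(spec: str) -> range:
    """Expand a port spec into the range of port numbers it permits."""
    if spec == ANY:
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def touches(cidr: str, tier: str) -> bool:
    """True if a rule endpoint covers at least one address in the tier."""
    if cidr == ANY:
        return True
    net = ip_network(cidr)
    if tier == "internet":
        return not any(net.subnet_of(t) for t in INTERNAL.values())
    return net.overlaps(INTERNAL[tier])


def exposed(rules, src_tier: str, dst_tier: str) -> set:
    """All (proto, port) pairs some rule allows from src_tier to dst_tier.
    A set is used so overlapping rules do not double-count a port."""
    pairs = set()
    for r in rules:
        if not (touches(r.src, src_tier) and touches(r.dst, dst_tier)):
            continue
        protos = ("tcp", "udp") if r.proto == ANY else (r.proto,)
        pairs.update((p, port) for p in protos for port in port_range(r.ports))
    return pairs


def audit(rules, broad_threshold: int = 100) -> list:
    """Return (where, reason) findings that violate the narrow-rules pattern."""
    findings = []
    for r in rules:
        width = len(port_range(r.ports))
        if r.src == ANY and r.dst == ANY and r.ports == ANY:
            findings.append((r.name, "any/any/any rule: no restriction at all"))
        elif width > broad_threshold:
            findings.append((r.name, f"broad port range: {width} ports"))
    # The database tier must be reachable only from the app tier, never directly
    # from outside.  Count what the policy as a whole leaks past the app tier.
    leak = exposed(rules, "internet", "db")
    if leak:
        findings.append(("policy", f"db tier reachable from internet on {len(leak)} ports"))
    return findings


# "Make it work" ruleset: intended rules plus a vendor-support hole into the DB tier.
RULES_BEFORE = [
    Rule("web-https", ANY, "10.10.1.0/24", "tcp", "443"),
    Rule("web-http", ANY, "10.10.1.0/24", "tcp", "80"),
    Rule("app-to-db", "10.10.1.0/24", "10.10.2.0/24", "tcp", "1521"),
    Rule("vendor-rdp", "203.0.113.0/24", "10.10.2.0/24", "tcp", "3389"),
    Rule("vendor-any", ANY, "10.10.2.0/24", "tcp", "49152-65535"),
]

# Isolated ruleset: vendor support lands on the app tier; only the app tier reaches the DB.
RULES_AFTER = [
    Rule("web-https", ANY, "10.10.1.0/24", "tcp", "443"),
    Rule("web-http", ANY, "10.10.1.0/24", "tcp", "80"),
    Rule("app-to-db", "10.10.1.0/24", "10.10.2.0/24", "tcp", "1521"),
    Rule("vendor-jump", "203.0.113.0/24", "10.10.1.0/24", "tcp", "3389"),
]

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"{label}: internet->db {len(exposed(rules, 'internet', 'db'))} ports, "
              f"dmz-app->db {len(exposed(rules, 'dmz-app', 'db'))} ports")
        for where, reason in audit(rules):
            print(f"  {where}: {reason}")
```

The "before" policy has six-ish intended ports but exposes the database tier to the outside on over sixteen thousand, which is exactly the kind of gap the deployment diagram surfaced; the "after" policy leaves the database reachable on a single port from a single tier. Counting reachable ports per tier pair, rather than reading rules one by one, is what makes a vendor's "it just needs this range" request visible for what it is.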

Page 28

UCR Responses
- Change vendor selection process
- Risk assessments
- Plan mitigations
- Network diagrams: ports and flows
- Firewalls, networking & segmentation
- Negotiation
- Agreements
- Tools
- Account provisioning
- Assume even smart vendors can "do ludicrous"

Page 29

Conclusions/Recommendations
- Before a vendor is selected:
  - Deployment model
  - Risk assessment
  - Credential assessment, vulnerability assessment
  - Use the RFP to break resistance
  - Reject vendors
- A big/popular, smart, capable vendor does not mean good security or good practice
- They want to make it work, make the sale, and may not even care about security.

Page 30

THANK YOU!

Robert Smith
[email protected]