Security Basics mailing list archives

RE: Vendor wants remote control of our Servers and Workstations


From: John Brightwell <brightwell_151 () yahoo co uk>
Date: Mon, 10 Mar 2003 14:45:37 +0000 (GMT)

Of course the age-old problem with security is that
the access restriction can impact on usability or
support.

If you go ahead with the proposed solution then the
Vendor has significant access to your internal
network.
How much do you trust the vendor?
Are they liable for any damage they cause while
connected?
Is their network secure? (after all, they are setting
up VPNs to various customers ... do they have their
firewall rules set up correctly? Are they physically
secure)
How do they manage the access control of the remote
control app - I'm guessing it's password based (do
they take due care in enforcing/protecting/changing
the passwords)
Could one of their contracted cleaners/caretakers sit
at an engineer's PC at night and log on using the
password scribbled down on a Post-it note?
What about disaffected vendor employees? 
Virus/Worm propagation (you're bypassing your
perimeter security and any first level filtering that
would normally take place)
Their security posture should be at least as secure as
your own.

What do you have to lose?
If someone has access to your internal network what
can they achieve? (commercial secrets, financial
reward, damage to your systems or a third party)

Personally I think allowing this level of access to an
internal system is a big risk. Bear in mind that if
this vendor uses the same method to support a number
of customers the vendor may be a choice subject to
attack (someone may break into their network to gain
access to a targeted customer network). So, even if
your company isn't a premium target you may still get
hit.

I'd find out how often they need to provide this
service (no wild claims ... facts and figures stating
what support calls they've dealt with in the past and
how this would have been improved by the remote
control solution)
Get hold of a couple of reference sites to whom the
Vendor provides this service and speak to your
counterpart there (of course, they may not be keen to
talk about such a hole in their security).
Can the machines to which the vendor needs access be
isolated in a separate DMZ?
How can the service be audited? (otherwise they can't
be held accountable for anything that goes wrong)
What if an engineer who's having a bad day
accidentally logs onto your site instead of another
customer and makes significant changes ... if they
know there's no auditing, what are the chances that
they'll draw their mistake to your attention?

Turn the heat back onto the people who are pressing
you for a decision - get them to come back with more
detail. 
What are the real benefits? (actual time and money
saved)
What other options are available?
Can the systems be isolated and closely monitored? (at
what cost)
Can the firewall rules be added only for the period of
the support call? (may be possible if the requirement
is infrequent and can be scheduled)

If you have any regulators or other bodies who may be
concerned at such a security hole (such as an
insurer), find out what their recommendation is...

Ultimately you are an agent of the business, and if it
makes sound business sense to provide this service
then you need to work out how to manage the risk (as
long as the business is aware of the issues). This may
involve policy around how the service can be used,
contractual agreements with the vendor on how they
manage the security of the service (maybe even
insurance to cover any potential damage) as well as
technical measures to limit the scope of any attack
coming via this route (extra firewalling, IDS, log
monitoring)

If the software is falling over so often that the
vendor needs a permanent connection to keep on fixing
the problems then maybe a different product should be
used (do you really want them to be able to connect to
production servers ... possibly without your
knowledge). Similarly for the training issue. They are
both nice features but the business should look at how
much time (and money) is saved and compare that with
the risk. 
In practice most support calls can be managed over the
phone (with the customer developing a better
understanding of the product through acting as the
driver of the keyboard during the troubleshooting) and
for the odd call that is more complex a site visit can
be arranged (which is intuitively handled more
securely by the staff than remote control which may be
completely transparent to the customer)

The 'Desktop Streaming' support concept from
expresscity is an interesting idea ... this still
represents a security risk but not quite as wide open
(particularly if the service can be invoked so that
the engineer has read-only access ... I don't know if
this is possible)

I'll be interested to hear other people's comments ...
more and more vendors are proposing this sort of
support access (they save a lot of time in dealing
with problems because they don't have to interact with
the customer - I'd say that they can also 'relax' the
quality requirements in recruiting engineers because
their deficiency is less obvious to the customer when
there's little interaction). 

I guess the benefit for the customer is similar. They
can lose the technical support person and leave it to
the vendor to directly support the product.

I used to be a techie, and I found that the quality of
support engineers to be found at vendors was extremely
variable. If I was still a sys admin I wouldn't want a
vendor engineer doing anything directly (and
transparently) to my system without me having had a
long term support relationship with them (even then I
don't like the transparency of the service). 
Even if they know their own product inside out they
could potentially impact on other services running on
the device.  

-----Original Message-----
From: tony tony [mailto:tonytorri () yahoo com]
Sent: 06 March 2003 03:17
To: security-basics () securityfocus com
Subject: Vendor wants remote control of our Servers
and Workstations


Folks

We have an outside vendor (StellarRAD) that wants to come into our
network (via VPN) and use pcAnywhere to maintain his software on 5
production servers. Vendor wants to also use a product like Blue Ocean
to remotely control our workstations to help users with software
problems (ie software is complex) or for trouble shooting.  Blue Ocean
software allows bi-directional file transfers and chat between the
vendor and work stations.

I approve all tickets for firewall changes.  I told our firewall and
network people that this ticket just does not *smell right* and I will
conduct some research on the security issues.  As always, the
vendor/network/firewall people are putting the heat on to me to approve
the ticket ASAP.

In your opinion what are all the security issues?  What should I
recommend as a more secure way for 1) the vendor to access the
StellarRAD production servers remotely and 2) help our users?

=====
Tony Torri CISSP, CISA, CDP, CIA
Senior IS Security & Risk Manager
360.906.7893 (Work)
Northern Telecom LLP

