Re: They will protect me (won't they?)

["Adriel T. Desautels" <ad_lists () netragard com>]

Comments on comments on comments embedded below:
On Feb 10, 2009, at 10:02 PM, Dotzero wrote:

> comments on your comments embedded below:
>
> On Tue, Feb 10, 2009 at 9:21 PM, Adriel T. Desautels
> <ad_lists () netragard com> wrote:
> > Comments embedded below:
> >
> > On Feb 10, 2009, at 5:39 PM, Dotzero wrote:
> >
> > > On Mon, Feb 9, 2009 at 1:33 PM, Adriel T. Desautels
> > > <ad_lists () netragard com> wrote:
> > > > One of my recent thoughts and blog entries...
> > > >
> > > > So the other day I was talking with my buddy Kevin Finisterre.   
> > > > One of
> > > > the
> > > > things that we were discussing was people who just don't feel that
> > > > security
> > > > is an important aspect of their business because their customers  
> > > > don't
> > > > ask
> > > > for it.  That always makes my brain scream "WHAT!?". Here's a  
> > > > direct
> > > > quote
> > > > from a security technology vendor "We don't perform regular  
> > > > penetration
> > > > tests because our customers don't ask us to do that."
> > >
> > >
> > > If the customer doesn't contract with that vendor for that  
> > > particular
> > > service why would it be the vendors obligation. I use multiple  
> > > vendors
> > > in the security services area and some I find stronger in some
> > > services and others stronger in other services. Sometimes I split
> > > things up for other reasons. I don't want my auditor doing my
> > > pentests. I view a vendor doing both as a conflict of interest.
> >
> > I am not talking strictly about security service providers. I am  
> > talking
> > more along the lines of ISP's and other public service type  
> > companies. The
> > customers take the security of their providers for granted out of  
> > ignorance.
>
> Customers take all sorts of things for granted out of ignorance. For
> example, when you board a commercial airliner do you ask for proof
> that the plane has had all of the appropriate maintenance and service
> checks? Do you check that the person working at the restaurant or
> supermarket washed their hands after using the loo?

See with airplanes and restaurants there are inspections, there are  
rules and there are regulations. Those regulations get enforced by a  
set of people. In the IT world some businesses fall out of the scope  
of those regulations and as such they make no effort what so ever to  
protect their customers. Yet, out of ignorance their customers think  
that they are safe.  Dig deeply into our infrastructural businesses  
and you'll see that the mentality is similar.  There is a higher  
probability of those networks getting pwned as the threat attempting  
to pwn them is there.  There is a much lower probability of the  
airplane going down because there are rules and regulations in place.   
Did that make sense?

> > Thats not insulting, that is a fact. The providers then turn around  
> > and say
> > "we don't do it because our customers don't ask for it". That is  
> > the problem
> > that I am talking about. Its almost as if these businesses are  
> > banking on
> > their customer's ignorance.  I have ethical problems with that.
>
> Many of these businesses are almost as ignorant as their customers. I
> have a list of 25 questions with regard to PCI compliance that I
> provide to potential vendors. I provide the questions one hour before
> a 30 minute conference call with the technical person they designate.
> It is amazing the amount of ignorance I deal with on these sorts of
> calls. One vendor CTO called it the most thorough audit he had gone
> through. The scary thing is that a number of other companies allow
> that company to handle CCs on their behalf.

We see similar behavior all of the time. The trend seems to be that  
our customers are hungry for the truth about their security posture  
instead of just a check in the box.  The customers that are looking  
for the check in the box usually don't come to us because they quickly  
realize thats just not what we do.  We actually hack our customers,  
not just scan and say thank you.

> With reference to ISPs, the skill levels and capabilities are all over
> the place. Some of them can't even spell security. On the other hand,
> a lot of customers simply aren't interested. They intentionally don't
> want to know the risks because that justifies going with the lower
> cost vendor. In fact, wasn't this one of the issues you raised in one
> of your posts not too long ago?

It was similar to one of the issues that I raised, but not exact.  My  
thought when writing the above comment about ISP's was for the ones  
that are hosting banking systems.  We've done a number of penetration  
tests for banks and in the process received authorization to extend  
into the ISP hosting their portals.  To date, we've managed to  
penetrate every single one. That is a bit off topic though because  
those ISP's actually attempt to maintain a reasonable level of  
security in some cases.

As another slightly different example, we ran into a Vermont based  
company that makes a PHP based Content Management System.  We  
encountered them during a penetration test that we were doing for a  
bank that was using their technology.  During the test we found that  
their technology had no input validation, no parameterized stored  
procedures, etc. Obviously that lead to SQL Injection and boom, system  
penetration.

When we approached the company about the risks in their technology  
they said "it will take us too long and too much effort to fix the  
issues, plus our customers don't ask for it.". Their customers are  
mostly financial and medical...

> > > > Isn't it the service provider's/vendor's responsibility to properly
> > > > manage
> > > > and maintain the security of their infrastructure?  Don't they  
> > > > have an
> > > > ethical obligation to their customers to protect the service that  
> > > > they
> > > > are
> > > > offering and any information that the customers decide to store  
> > > > on their
> > > > systems?
> > >
> > > It depends on the agreement and in some circumstances it may  
> > > depend on
> > > regulatory or contractual compliance obligations that derive from  
> > > the
> > > contract.
> > >
> > >
> > > > The real question is, how many customers would they lose if the  
> > > > customers
> > > > heard them say that? That is after all just like saying "We don't  
> > > > care
> > > > about
> > > > security because our customers aren't asking us to care about it."
> > >
> > > Actually, they probably wouldn't lose many. It's not that the vendor
> > > doesn't care about security, it's that the scope of what they are
> > > providing is constrained by what the client/customer says they want.
> > > Flip it around.... how many vendors will walk away from a "bad"
> > > customer? .... particularly if that customer is a lucrative one?
> > >
> > > > So who have I heard this from? Here's the (very) short list:
> > > >     • Vendors that make security software (like email gateways,
> > > > anti-virus technology, Intrusion Prevention Systems, etc).
> > > >     • Vendors that make technology that is used to control our  
> > > > Nuclear
> > > > Power Plants, Water Purification Plants, Traffic        Control  
> > > > Systems,
> > > > etc.
> > > >     • Vendors that sell business enabling technologies like PHP  
> > > > based
> > > > Content Management Systems, Commercial Web Servers, Server based
> > > > applications, Web Applications, etc.
> > > >     • Vendors that sell desktop applications like Financial  
> > > > Tracking
> > > > Systems, Invoicing Systems, File Sharing Systems, Backup  
> > > > Solutions, etc.
> > > >     • I've also heard this from MAJOR Service Providers such as Web
> > > > Hosting Providers, Email Providers, Backup Service Providers, etc.
> > > >     • The list goes on....
> > > > I think that people need a wake up call.  This strikes me as a  
> > > > serious
> > > > ethical issue, what about you? Leave me a comment I'm very  
> > > > interested in
> > > > feedback on this one.
> > >
> > > I don't know that I would call it an ethical issue. It is  
> > > certainly an
> > > issue and a serious one. Unfortunately it will probably take a  
> > > serious
> > > incident for the wake up call you mention.
> >
> > This reminds me of the mentality that the Infrastructure guys have.  
> > Why does
> > it have to take a 911 to make people realize that they need better  
> > security
> > in the first place? Why can't people just wake up and prevent the  
> > 911.
>
> Human nature. There are a lot of "infrastructure guys" that do care
> and do act to protect the infrastructure they are responsible for. To
> recognize the nature of a problem does not mean one does not care. I
> think you are tarring with an overly broad brush.

Possibly, and I do agree that some of them do care. But what about the  
people making the technology that they rely on? Take our recent Citect- 
SCADA research into consideration:

http://www.netragard.com/pdfs/research/NETRAGARD-20081010-CITECT.txt



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com