If you take a look at some of the major breaches from 2014 and even the first half of 2015, you will see a startling pattern. Many of these breaches were the result of compromise of infrastructure systems that need to be connected to the internet (or that need a direct connection from outside). The Target breach was due to an HVAC system that was accessible from the outside world and could also talk to the payment system network. This still happens ALL THE TIME. I have personally been asked to put a panic and entry alarm system on an “admin” network AND allow a vendor external access to it. I am not talking about IPsec VPN access: full open access from the internet, not even a small range of IPs, but 0.0.0.0/0. The reason I was given (this will really get you) was that their technicians might need to connect to the system from anywhere. When I asked why they could not use a VPN, they stated that they contract techs, so they are not able to track them like that…
Things get worse though. Imagine a company replacing a system that is physically controlled (in a locked room, with directly connected peripherals) with a cloud-based system whose devices are all IP-connected. The reasoning was that it was supposed to be more secure to do things this way (there was no two-factor authentication on their cloud service). This is the mentality the security industry sees on a daily basis as everyone rushes to put everything in the cloud. There seems to be little to no thought given to security when developing these systems or configurations. Now, you could argue that it is up to the organization using these systems to ensure they are installed correctly, but that is not 100% accurate, as shown by the panic system I described above (there are more examples).
Far too many vendors are unwilling to work with internal teams to ensure their systems are installed securely. They push the financial and business executives to get what they want. I have been in meetings where a vendor threatened to charge more because we required their system to be installed in a secured network without access from the outside world. If you have been in security or IT, I am sure you have been in similar meetings. Segmentation, access control and traffic control are all just words to them. They talk them up and even claim their systems support or require them, but when it comes to implementation you end up finding that nothing works properly with a security layer in place. When that time comes, they tell you to “disable it for now,” and that “now” turns into forever.
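The two failures described above, a vendor rule allowing 0.0.0.0/0 straight into an admin segment instead of VPN access, and a low-trust segment (HVAC) allowed to talk to the payment segment, are both cheap to catch if someone actually reviews the rule base before the “disable it for now” request is granted. The following is an added example written for this post, not code from the original author or any vendor: a small Python audit that walks a list of allow rules and flags those patterns. The segment addresses, rule names and the 256-address limit for an external allow-list are constructed assumptions, not real deployments.

```python
"""Audit a firewall / security-group allow-list for the exposure patterns the
post describes. All segments, rules and thresholds here are constructed for
the example and are not taken from any real network."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical internal segments (assumption, constructed for this example).
SEGMENTS = {
    "admin":   ipaddress.ip_network("10.10.0.0/24"),
    "payment": ipaddress.ip_network("10.20.0.0/24"),
    "hvac":    ipaddress.ip_network("10.30.0.0/24"),
    "vpn":     ipaddress.ip_network("10.99.0.0/24"),   # VPN client address pool
}
SENSITIVE = {"admin", "payment"}   # must never be reachable directly from outside
TRUSTED_INBOUND = {"vpn"}          # only internal segment allowed to reach SENSITIVE
MAX_EXTERNAL_ADDRS = 256           # external allow-list wider than a /24 is "not a small range"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int


def segment_of(cidr: str) -> Optional[str]:
    """Name of the internal segment that fully contains cidr, or None if it is external.
    0.0.0.0/0 is not contained in any segment and therefore counts as external."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return None


def audit_rule(rule: Rule) -> List[str]:
    """Return the list of finding codes for one allow rule (empty list if clean)."""
    findings: List[str] = []
    src_net = ipaddress.ip_network(rule.src, strict=False)
    src_seg = segment_of(rule.src)
    dst_seg = segment_of(rule.dst)
    if src_seg is None:
        # Source is outside our network. Any-source rules are the worst case,
        # but even a narrow external source bypasses the VPN when the
        # destination is a sensitive segment.
        if src_net.num_addresses > MAX_EXTERNAL_ADDRS:
            findings.append("EXTERNAL_UNRESTRICTED")
        if dst_seg in SENSITIVE:
            findings.append("EXTERNAL_TO_SENSITIVE")
    elif dst_seg in SENSITIVE and src_seg not in SENSITIVE and src_seg not in TRUSTED_INBOUND:
        # Lateral path from a low-trust segment (e.g. HVAC) into payment/admin.
        findings.append("CROSS_SEGMENT")
    return findings


def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, including only rules that have at least one."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        found = audit_rule(rule)
        if found:
            report[rule.name] = found
    return report


# Constructed sample rule base mirroring the situations in the post.
SAMPLE_RULES = [
    Rule("vendor-alarm-anywhere", "0.0.0.0/0",       "10.10.0.50/32", 443),  # what the vendor asked for
    Rule("vendor-alarm-via-vpn",  "10.99.0.0/24",    "10.10.0.50/32", 443),  # what it should have been
    Rule("vendor-alarm-fixed-ip", "203.0.113.0/24",  "10.10.0.50/32", 443),  # narrow, but still no VPN
    Rule("hvac-to-pos",           "10.30.0.0/24",    "10.20.0.0/24",  445),  # HVAC can reach payment
    Rule("vendor-hvac-fixed-ip",  "203.0.113.10/32", "10.30.0.5/32",  22),   # external -> non-sensitive
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(codes)}")
```

Running the block prints only the three problem rules; the VPN-sourced rule and the fixed-IP rule into the HVAC segment pass. The CROSS_SEGMENT check is the one that would have caught the HVAC-to-payment path in the Target case; the EXTERNAL_TO_SENSITIVE check is the one that says “use the VPN” regardless of how narrow the vendor's source range is.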
In a time when the bad guys are becoming more and more proficient at exploiting failures in the design and imagination of developers and system integrators, we have to stop pushing for the quick and easy fix. Installing a new system can no longer be an overnight thing. Proper planning, discussion and then implementation must happen to ensure that companies can protect their networks and their clients’ data (PCI, HIPAA or PII). If the pace of cloud and connected solutions continues as it is, so will the massive breaches. Ok, soapbox put away….
Tell us your favorite vendor stories on our Facebook Page