Knowing my line of work, a friend recently asked me if the stories he’d read about foreign nations being able to penetrate our government and our public utilities’ networks were real.
“Yes,” I told him, “but the article you read probably only gave you part of the story.”
“Part of the story?” he sounded worried.
“Exactly. The rest of the story is that foreign-made security appliances are widely deployed on the networks of our country’s most sensitive government agencies and public utilities. And these appliances come pre-installed with default passwords – hidden backdoors that create all sorts of security holes.”
That’s right, security appliances – firewalls, intrusion detection, UTMs and the like – have some little known security issues that create some very large vulnerabilities.
The Promise of Security Appliances
I don’t mean to suggest that appliances have no place in the enterprise, of course. They bring benefits that make it much easier for IT staff to manage the network.
Appliances come self-contained and preconfigured, helping you eliminate setup time and more quickly deploy essential security measures in your IT infrastructure. Even better, all the components of security appliances are already licensed and paid-for when you receive them, meaning less paperwork hassles. Essentially this all means that there’s only “one throat to choke” as we say, and no finger pointing if any problems do arise.
However, despite these advantages – and with rare exception – your “appliance” is primarily a collection of off-the-shelf software components that are available to – and exploitable by – anyone. It’s rare for an appliance vendor to document every off-the-shelf component – and every potential security hole – present on their equipment. We call this “security by obscurity,” which means that if there are no documented standards, there is no security.
Think about this. Your new security appliance comes delivered to you from the vendor, already configured and ready to drop into your network. It may be from a vendor you’ve worked with in the past and trust, or it may be from the lowest cost supplier. Either way, the appliance consists of software components that you didn’t fully configure or secure yourself.
So where are the backdoors? There aren’t any, you may assume. But consider the point I raised above about default passwords. Where are the default passwords in your security appliances? I promise you, they’re present.
Break it down further and ask yourself, how current (and secure) is each software component on the appliance? Think about not only the operating system, but also the database, application environments, file system, and whatever else might be on the device.
Next, consider that the vast majority of appliance vendors have historically gotten by without revealing known security holes – and ensuring their customers get all the required fixes – far longer than, say, HP or Oracle. As a result you might not even realize that an appliance has hidden vulnerabilities until it’s too late and your company becomes the latest data breach news story.
Because your security appliances are almost certainly built from off-the-shelf components – and because in the background each of these components probably uses default application and service credentials that are the same on your network as on everyone else’s – you’re almost certainly running afoul of good security practices whether you know it or not.
Here’s why all this matters, and the real point of that conversation my friend at the start of the article. Who knows about these default passwords? Who can access them? And, what information can they take once they do have access?
And, if you’re not comfortable with widely-known, highly privileged logins lurking on your network, are you capable of changing those default passwords? If you don’t, who will?
This may all seem like nothing more than scaremongering to you. If so, I’d encourage you to look at the websites of the more highly-visible, publicly-traded appliance vendors –and look at their security advisories and published facts about remediation.
Best Practices for Security Appliance Customers
The good news is that this is not a hopeless situation. Far from it, in fact. So my friend who brought up this issue can rest easy. You just need to do a few things to find – and fix – any security holes in your security appliances.
First of all, insist on full documentation of your appliance, including all software components, version numbers, and default passwords. Second, make sure there’s an upgrade path for scalability. As your network expands to take in more users and systems, your appliance won’t do you much good if the device can’t scale along with you. Third, never disclose your purchase of a security appliance outside of your organization. Insist on an NDA. Don’t make it easier for the bad guys by revealing to them exactly which appliances you have in place.
And finally, invest in an enterprise-level privileged identity management product that can automatically find every privileged account on your network (including accounts present in your security appliances), generate unique and complex passwords for all these accounts, change the credentials frequently, and audit who is using them, when and for what purpose.
Remember, appliance vendors are targets for hackers – because their customers are.
What do you think? Leave your comments below.