Henry is a security engineering consultant by day and a black hat hacker by night. He's found his day job and his avocation support each other rather well. What happened today is a good example.
One of his customers realized that, based on the current legal climate, they couldn't continue to ignore the need for an e-discovery solution. So as part of their search for the right vendor, they invited Henry to the final technical meeting, via conference call, with one of the two vendors undergoing final review.
The solution consists of an appliance which is rolled into the datacenter, already racked, and plugged into power and the network. Being an appliance, it is fully managed by the vendor. Once connected, the appliance scans all unstructured data (Office files, text files, PDFs, .PST files, Exchange stores, SharePoint, etc.), indexes it, and places the indexed data in its internal storage. To deal with situations in which network access to the box is unavailable, a modem is included in the rack for out-of-band access. This information roused Henry from his state of half-consciousness.
"What does the modem connect to?" Henry asked.
"To a console port."
Interesting, thought Henry. "How is the port protected from unauthorized calls?"
"Well," came a voice from the conference phone, "We assign a user ID and password. The defaults are ADMIN and ADMIN, respectively."
"Since you configure and manage the appliance, do you change the password during implementation?"
"Not usually," replied the voice. "Our support engineers prefer to use a single, easy password for all customers."
A smile crept across Henry's face. He brought up a hand to hide the inappropriate look of satisfaction from his clients. "So most of your customers use ADMIN as the console password, and the console is typically accessible for anytime dial-in?"
"That's right. But if a customer insists, we will change the password or disconnect the modem until it is needed. That doesn't happen very often, though."
Henry turned to his clients. "You will want to change that password." He had to at least look like this bothered him. "You should also ask for a list of customers who use this product so we can get an idea of what types of businesses are using the solution." Henry sat back in his chair, silent for the rest of the meeting. He was busy thinking about how he could use the list and the default password issue to obtain information valuable to one or more buyers of information he obtained during his evening activities.
No diligent security professional would ever accept a default password as part of a new system setup. But do we all check vendor-managed systems? Do we rely too much on vendor diligence instead of assessing their implementation processes?
The answer for many organizations, if we believe this vendor, is no for both questions. Even managed systems must be assessed to ensure they comply with the organization's internal policies. This applies to all vendor relationships in which critical systems or sensitive data protection are the day-to-day responsibility of the vendor. Of course, this extends to cloud computing.
For more information about vendor due diligence, see A model for vendor due diligence.