Pub. 10 2015-2016 Issue 5

www.nebankers.org | Extraordinary Service for Extraordinary Members.

TECH TALK

How Not to Buy Insecure Software
Ty Purcell, CoNetrix

Many of our vendor relationships have the power to help or hurt our overall information security level. The request for proposal (RFP) for software vendors must go beyond the typical due diligence questions in order to maintain or increase your information security level. Technical questions must be asked, and it may be necessary to have the questions forwarded to the vendor's technical support or development staff.

Asking a software vendor the following questions and getting appropriate answers helps ensure you are buying secure software and also reveals the maturity level of the vendor.

1. Does your software, or any piece of your software, require a user to be an "administrator" on their workstation?

Users who are logged into their workstations with administrative levels of access are a high security risk, so a vendor response of "yes" to this question should raise a red flag.

2. Can all operating system and third-party software patches be installed on systems as soon as they are released by manufacturers?

The ability to quickly patch systems is a key control in preventing compromise. If a vendor indicates "no" to this question, dig deeper and find out what software can't be patched, why, and whether there are compensating controls you can utilize.

3. Can all systems run antivirus software with scheduled and real-time scanning enabled?

Inability to run antivirus on all systems raises a red flag.

4. Does your product require a dedicated connection such as a T1 or VPN? Can access to and from the connection be restricted?

When you have a dedicated connection with a vendor, potential traffic, good or bad, can come into your network. The initial entry point resulting in the 2013 Target compromise was a vendor VPN connection. [1] It is necessary to restrict the origination and destination of vendor network traffic. Additionally, it is necessary to restrict internal systems' access to the vendor by allowing only necessary network protocols and ports. If a vendor indicates "no" to this question, ask for more information. If the vendor continues to indicate no access restrictions, it is time to move to other vendors.

5. What accounts, such as service accounts or interactive accounts, are necessary for the software to function?

Having a good inventory of accounts, including their owner and purpose, helps ensure vendor software is installed to specification and assists in future troubleshooting and documentation.

6. What privilege levels do these accounts need on the domain and on local systems?

Vendor accounts should be assigned standard "Domain User" privileges within the domain. Specific elevated privileges can be assigned as necessary on specific servers. Often vendors will request a "Domain Administrator" account in order to install software. However, once the software is installed with that level of privilege, it is frequently impossible to remove the administrative rights. The result is that the vendor has access to your domain as an administrator. This should certainly raise a red flag.

7. Describe the security measures and parameters for vendor accounts and default accounts in vendor-supplied software.

Vendors may utilize pre-defined credentials within software or as part of the implementation process. The ability to specify and change strong passwords for accounts in the software is important for your network security. Find out whether password credentials are stored in clear text or encrypted within the software.

8. Is data transferred securely?

Make sure the software uses secure protocols for data transfer. If a vendor transfers with FTP, tell them "No thank you," and ask if they support secure methods such as SFTP, HTTPS, or FTPS.

9. What methods are utilized to manage servers and software? Are these methods secure?

Vendors often utilize web-based remote control software to provide support. Be sure any remote connections require the end user to initiate or acknowledge the connection, use encryption (HTTPS), and are only enabled for the duration of the support session.
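The checks in questions 4, 5 and 6 are ones you can verify yourself once the vendor is connected, rather than take on the vendor's word. The script below is an added example written for this article, not code from the article or from CoNetrix. It audits constructed firewall log lines against an allowlist for one vendor's VPN (approved vendor subnet, approved internal hosts, approved protocol/port pairs in each direction), and audits a constructed vendor account inventory for missing owner/purpose entries and for membership in domain-wide administrative groups. All addresses, account names, group names and log lines are constructed for the example; the log line format is an assumption.

```python
"""Vendor-connection and vendor-account audit (added example, not part of
the original article). Applies RFP questions 4, 5 and 6 to constructed data."""
import ipaddress

# Constructed allowlist for one vendor's dedicated VPN connection (question 4).
VENDOR_NET = ipaddress.ip_network("203.0.113.0/28")          # vendor side (TEST-NET-3)
INTERNAL_HOSTS = {ipaddress.ip_address("10.20.5.10"),       # application server
                  ipaddress.ip_address("10.20.5.11")}       # database server
ALLOWED_INBOUND = {("tcp", 443), ("tcp", 22)}    # vendor -> internal: HTTPS, SFTP
ALLOWED_OUTBOUND = {("tcp", 443)}                # internal -> vendor: HTTPS only

# Constructed firewall log lines; the key=value format is an assumption.
SAMPLE_LOG = [
    "src=203.0.113.5 dst=10.20.5.10 proto=tcp dport=443",   # approved inbound HTTPS
    "src=203.0.113.5 dst=10.20.5.10 proto=tcp dport=3389",  # RDP is not approved inbound
    "src=203.0.113.7 dst=10.20.9.50 proto=tcp dport=443",   # host outside the approved set
    "src=10.20.5.11 dst=203.0.113.2 proto=tcp dport=21",    # outbound FTP is not approved
    "src=10.20.5.10 dst=10.20.5.11 proto=tcp dport=1433",   # internal only; not our concern
]

def parse_flow(line):
    """Return (src, dst, proto, dport) from one 'src=.. dst=.. proto=.. dport=..' line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return (ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]),
            fields["proto"].lower(), int(fields["dport"]))

def flow_violation(flow):
    """Return None if the flow fits the allowlist (or never crosses the vendor
    connection), otherwise a short reason describing the violation."""
    src, dst, proto, dport = flow
    from_vendor, to_vendor = src in VENDOR_NET, dst in VENDOR_NET
    if from_vendor == to_vendor:          # both or neither: not a vendor-boundary flow
        return None
    if from_vendor:
        if dst not in INTERNAL_HOSTS:
            return "vendor reached a host outside the approved set"
        if (proto, dport) not in ALLOWED_INBOUND:
            return "vendor used a protocol/port not approved inbound"
    else:
        if src not in INTERNAL_HOSTS:
            return "internal host outside the approved set reached the vendor"
        if (proto, dport) not in ALLOWED_OUTBOUND:
            return "internal host used a protocol/port not approved outbound"
    return None

def audit_flows(lines):
    """Return [(line, reason)] for every logged flow that breaks the allowlist."""
    findings = []
    for line in lines:
        reason = flow_violation(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed vendor account inventory (questions 5 and 6). Per-server local
# admin placements are recorded but allowed; domain-wide elevation is flagged.
ACCOUNTS = [
    {"name": "svc_vendorapp", "owner": "IT Operations", "purpose": "runs the vendor app service",
     "domain_groups": {"Domain Users"}, "local_admin_on": {"APP01"}},
    {"name": "svc_vendordb", "owner": "", "purpose": "",
     "domain_groups": {"Domain Users", "Domain Admins"}, "local_admin_on": set()},
]
ELEVATED_DOMAIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                          "Administrators", "Account Operators"}

def account_findings(account):
    """Return the list of inventory and privilege problems for one account."""
    findings = []
    if not account["owner"] or not account["purpose"]:
        findings.append("missing owner or purpose in the account inventory")
    elevated = account["domain_groups"] & ELEVATED_DOMAIN_GROUPS
    if elevated:
        findings.append("domain-wide elevated group membership: " + ", ".join(sorted(elevated)))
    return findings

def audit_accounts(accounts):
    """Map account name -> findings, for accounts that have at least one finding."""
    return {a["name"]: account_findings(a) for a in accounts if account_findings(a)}

if __name__ == "__main__":
    for line, reason in audit_flows(SAMPLE_LOG):
        print(f"FLOW   {reason}: {line}")
    for name, problems in audit_accounts(ACCOUNTS).items():
        print(f"ACCOUNT {name}: {'; '.join(problems)}")
```

Run against real exports, the flow audit is the evidence for the vendor's answer to question 4 (a clean run over a week of logs shows the restriction actually holds), and the account audit turns the inventory from question 5 into a standing control for question 6: any vendor account that appears in a domain-wide administrative group after installation is exactly the "cannot remove the rights afterward" case the article warns about.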
