Saturday, March 10, 2007

A scary story...

I don't have much time tonight, but I received an email yesterday that I just couldn't believe. The email was from a friend of mine who has a client that is a small technology company. This company recently decided to invest in a VOIP phone system. So they went out and looked for local providers of such systems, selected a vendor and conducted the implementation.

Pretty normal, right? People do this all the time, right? Well, when the vendor left, this company discovered that their brand new IPT server is actually sitting OUTSIDE the firewall! So they called up the vendor and asked, "Is this right?" And here are the responses they received from various vendor employees:

1) that's the way it works,

2) we have to be able to get to it to administer it,

3) malicious people are not likely to find it because there are so many systems out there on the internet

4) if someone trashes the application, it's easy for us to just install a new copy over the internet.

After the last argument, the client has just thrown up their hands. The vendor will neither correct the problem nor will they allow the system to be returned.

This blog is intended for small and medium business leaders, not IT folks. So let me explain why this is such an egregious problem (aside from the absolutely terrible customer service on the part of the vendor).

Whenever any device sits outside the firewall/permiter network defense, it's about as vulnerable to a security breach as if you were to leave a backpack overflowing with cash sitting in the middle of the softball fields in Central Park. In this case, by leaving their phone server vulnerable like this, hackers will likely find it inside of two weeks. Once they find it, any of the following is possible:

1) The server may be used to host pornography or illegal multimedia content

2) The server may be used to launch attacks against other networks

3) They may just put a listening device on the box and steal all ingoing and outgoing traffic from the server, looking to catch privacy or financial information that could be used for additional crimes.

4) The best case is probably that they crash the machine and leave this small business phoneless for at least a couple days.

This careless disregard for security by a vendor is rare but certainly not unheard of. So if you don't have a strong IT team that understands at least the basics about security, make absolutely certain that your vendor does. Ask the vendor which certifications their service staff maintain (specifically, make sure they have at least one CISSP). And above all, verify that everything they deploy is behind your firewall.

Have a good night!


No comments: