Friday, July 6, 2007

Are the vendors clueless, or are we?

One of the companies I support recently leased several new multifunction fax machines. From a security perspective, the experience was astounding. The vendor seemed to have no clue about the insecurity of the devices or the implications to our network that such machines could have. The vendor also had no respect for the network. They were annoyed that they couldn't just plug into any open jack and get on the network- and their "network guy" didn't understand why anyone would want to control network access. When I clawed my way up the support ladder to someone with a bit of security awareness, I was assured that I could contract with their consulting division and they would secure the devices for a "reasonable" fee. Call me crazy, but I think it would be "reasonable" to ship the things secure in the first place.

OK, Jack , how bad were these things? These machines have 466MHz CPUs, 384MB of RAM, and 40GB hard drives. How's that for a potential attack platform distributed throughout your network? A simple Nessus scan not only reveals numerous significant vulnerabilities, it locks up the management interface on the devices and they need an extended power-off to recover full functionality. At first I was only frustrated with the vendor. We are paying them to compromise the security of our environment, and they will fix their own shortcomings if we pay them even more. How can they get away with this?

Then it dawned on me, they get away with it because we let them.