Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced[1]. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some review. « Sometimes their techs will install the Bomgar jump client on your servers when they are troubleshooting issues. They don't remove it, it is left to the local entity to remove it or at least disable the service until it is needed again. » Or « A lot of vendors, especially in the local government sector expect customers to install these clients and leave them on. They are truly offended when you tell them no, same on the SCADA side of things. » When you are outsourcing some tasks to a third-party (read: an MSSP, an integrator, ...), it’s very important to keep an eye on what they do and how they do it. The installation of remote access tools (some of them are very close to a malicious backdoor) or specific accounts is a key point to allow them to perform their day-to-day job. But it does not mean that they can do whatever they want. When I read « it is left to the local entity to remove it or, at least, disable it », it means that a process must be implemented to follow this. The main risks are to detect an attacker using the third-party network to pivot into your organization or to detect their credentials used by attackers from unknown locations. That’s why Tyler asked its customers to reset all passwords related to their remote activities. Here are some tips to increase the operations security when working with third-parties.
Finally, don’t be afraid to say « No » and explain why you don’t agree with their requirements. They will work on YOUR platform which hosts YOUR data. You’ll be responsible in case of a data breach! This list is not exhaustive. If you've implemented other specific controls when working for third-party organizations, please share! [1] https://isc.sans.edu/diary/26610 Xavier Mertens (@xme) |
Xme 687 Posts ISC Handler Sep 29th 2020 |
Thread locked Subscribe |
Sep 29th 2020 1 year ago |
Sysmon & Auditd are your friends.
Periodic automated checksum of every small or vaguely code-like file, over the whole filesystem. Check everywhere for weirdness. Build a tight exclusion list if you need to. Likewise for automated Registry audits.... Determine what normal looks like, and baseline using it, then check the baseline makes sense! The first step to knowing what good looks like, is knowing what normal looks like. |
Anonymous |
Quote |
Sep 29th 2020 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!