Backdoor entry

Hardware sold by the channel may well include backdoors or implants for government snooping. Should the channel worry?

Going in through the out door. It might be a Led Zeppelin reference, but it could also evoke the debacle over the discovery of hardware backdoors in numerous leading vendors' products. Laypeople like to think their PCs and smartphones aren't phoning home all by themselves like ET, and they tend to think of the information they store as flowing mostly one way.

However, as the Edward Snowden revelations have steadily confirmed over the past year, government agencies, including the US' National Security Agency (NSA), have been collecting vast amounts of data on non-citizens worldwide for years, snooping via consumer connectivity and standard hardware.

Hardware and firmware often thought to be rather "dumb" can still be altered to enable such communication, and according to the Snowden documents, the NSA has been doing just that.

The resultant scandal has blown into global proportions. Should users be concerned? And what should the channel do to protect itself, and its customers?

Frank Jennings, cloud lawyer, member of the Cloud Industry Forum (CIF) governance board and partner at DMH Stallard, notes that the focus should go well beyond the NSA and the UK's GCHQ, whose activities pale in comparison to the rumoured surveillance practices of the French government, for example.

But, more importantly, the channel should treat this apparent further catastrophe for information security as a real opportunity, not a threat, he says. One of the primary windows of opportunity is for encryption, another is education of the market, and the potential for services such as audits and risk assessment is yet another.

When it comes to liability for leaks or exposure, unless the channel partner has been telling customers they will be 100 per cent secure, the data protection exemptions made for situations of national security should protect them.

"If you look at the deferred Data Protection Act legislation, which is now stalled in Europe for another 12-24 months as well, that exemption is there," Jennings points out. "As long as they're only getting access to the data, and not actually leaking it into the public domain."

There appears to be no new liability burden on the channel partner that is honest and up-front about what protection can be guaranteed. At the same time, if customers previously have been reluctant to buy the more expensive kit with encryption built into it, now they may be encouraged to do so where possible.

The ongoing NSA revelations actually give channel partners a new tool for selling more security offerings, Jennings suggests.

Ian Kilpatrick, chairman of security VAD Wick Hill Group, says of course the issue of hardware backdoors is important and must be addressed. So far the story has just scratched the surface, with repercussions on big US players - including cloud vendors and kit makers like Cisco - still to play out commercially.

"This story has a way to run," he says. "Folks like Cisco have already seen the impact on their bottom line."

However, whether customers are concerned - or should be - really depends on their current risk awareness and their profile as an organisation. Certain types of customer, in other words, may well have legitimate concerns that must be addressed by the channel.

"The channel is still struggling with the issues - although the revelations have affected vendors into the Asia-Pacific already," notes Kilpatrick. "I would suggest reviewing security in the light of the potential risk. That way they can be protected against non-government agencies attacking them."

This means keeping those patches up to date, applying multiple layers of security, encrypting to as high a level as possible - both inside and outside the gateway - using two-factor authentication (2FA) and identity management, using VPNs and next-generation firewalling, and not leaving devices unencrypted either. Protect against advanced persistent threats and use the reporting tools available.

All this sort of thing goes a long way towards protecting organisations, although some may have felt it an unnecessary expense.

When it comes to liability in the event of a breach by the NSA or other government bodies, though, the truth is that you will probably never find out you've been breached. If they fall under suspicion, such organisations would surely deny involvement in commercial espionage anyway, notes Kilpatrick.

"This is all currently secret, so you won't. Also, since they appear to be utilising the Five-Eyes relationship [a series of bilateral agreements between the US, UK, Australia, Canada and New Zealand] to circumvent domestic regulation, different territories are able to hide the extent of data breaches," he concludes.

Phil Lieberman, president and chief executive of vendor Lieberman Software, agrees, saying: "Customers are generally not bothered - since there is little to nothing they can do about it."

Perhaps they should in some cases be concerned, he says, but the issue is really well above their heads and capabilities, since it is part of a larger, global ecosystem - as it were - that is operated at the federal government level.

Lieberman notes that running devices within the firewall of the company is likely to prove the best defence. Expose as few devices as possible to the public internet, and if an externally exposed device could be the leakage point, customers should consider the use of a "defence in depth strategy" - which is the one he favours most. This may mean using a cascaded devices structure, such as the firewall of one manufacturer in line with another firewall from a different manufacturer.

"Most of these are scenarios where password protected devices with accounts can be bypassed via secret URLs or malformed TCP/IP packets. In some cases these are not intentional flaws, and in other cases, who knows?" Lieberman says.

"The best thing the channel can do is to stay alert when it comes to devices that harbour discovered vulnerabilities, and clear your stock. Also, alert customers if they may have previously purchased these devices."

Vendors of vulnerable devices are never liable since their end-user licence agreement (EULA) protects them, and "weaknesses and stupidity" cannot be legislated away by the EU or anyone else. However, if you're looking for evidence of possible leaks, Lieberman suggests using a syslog server and SIEM (security information and event management) to track device use, as most devices on the market today can send syslog output.

"Look for log-ins within your firewall and device logs," Lieberman recommends.
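An added example, not from the article or any of the vendors quoted, of the kind of check Lieberman describes: parse constructed firewall syslog lines and flag device logins that come from outside an assumed management subnet, land outside an assumed maintenance window, or succeed after repeated failures. The log formats, the 10.20.0.0/24 subnet and the 08:00-18:59 window are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample syslog lines in the style of a firewall's SSH and web
# admin interfaces; these are not taken from any real device.
SAMPLE_LOGS = """\
Mar 11 02:14:07 fw-edge-01 sshd[4122]: Accepted password for admin from 203.0.113.45 port 51022 ssh2
Mar 11 09:02:55 fw-edge-01 sshd[4201]: Accepted publickey for netops from 10.20.0.15 port 49211 ssh2
Mar 11 09:03:10 fw-edge-01 httpd: login failed user=admin src=198.51.100.7
Mar 11 09:03:14 fw-edge-01 httpd: login failed user=admin src=198.51.100.7
Mar 11 09:03:20 fw-edge-01 httpd: login ok user=admin src=198.51.100.7
"""

MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin subnet
MAINT_HOURS = range(8, 19)                                 # assumed 08:00-18:59

SSH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) \w+ for (\w+) from (\S+)")
WEB_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) httpd: login (ok|failed) user=(\w+) src=(\S+)")

def parse(line):
    """Return (time, host, success, user, src_ip) for a login line, else None."""
    for rx, ok_word in ((SSH_RE, "Accepted"), (WEB_RE, "ok")):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year is irrelevant here
            return ts, m.group(2), m.group(3) == ok_word, m.group(4), m.group(5)
    return None

def find_alerts(log_text, fail_threshold=2):
    """Apply three simple rules to device login events and return alert strings."""
    alerts = []
    failures = {}  # (host, user, src) -> consecutive failed logins seen so far
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # not a login event (link state, config changes, ...)
        ts, host, success, user, src = ev
        key = (host, user, src)
        if not success:
            failures[key] = failures.get(key, 0) + 1
            continue
        if not any(ipaddress.ip_address(src) in net for net in MANAGEMENT_NETS):
            alerts.append(f"{host}: {user} login from non-management address {src}")
        if ts.hour not in MAINT_HOURS:
            alerts.append(f"{host}: {user} login at {ts:%H:%M} outside maintenance window")
        if failures.get(key, 0) >= fail_threshold:
            alerts.append(f"{host}: {user} succeeded after {failures[key]} failures from {src}")
        failures[key] = 0  # a success resets the counter for that source
    return alerts
```

On the sample above, the rules raise four alerts: two for the 02:14 admin login from 203.0.113.45 and two for the admin web login from 198.51.100.7 that followed two failures.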

Andy Aplin, technical director at managed security services provider Accumuli Security, also recommends the defence in depth strategy, with plenty of SIEM, monitoring and reporting across the entire IT ecosystem to work out what's going on. Open sourcing everything isn't necessarily the answer, either.

Initially, he says, the opportunity should be addressed by offering risk assessments and audits to customers, as well as explaining what risk there might be in relation to their specific organisational profile. Some have intellectual property they must protect, for example.

"We have not had a massive amount of feedback about this issue. But, in October at Accumuli World last year, a couple of people asked if we had heard of this, of backdoors being put in by vendors. And that's as far as it went," Aplin says. "I don't think it's something that's high on end user priorities at the moment."

Nevertheless, the issue is worth addressing from the channel point of view and going beyond the anodyne PR denials put out over the New Year by OEMs involved. This threat is an opportunity - and, Aplin agrees, what makes anyone think a large organisation's PR or marketing people are ever really told what's happening anyway?

So for customers, it comes down to their business, and the risk they want to take. It's the channel's role to guide their decision as well as to provide the solution they seek.