Did You Buy a Security Hole?

While speaking with a friend who works for an organization that provides products and services to the federal government, I heard him lament that he had trouble finding wares that meet his security requirements. What started as a conversation has grown into this blog. Were you aware of the concern about security vulnerabilities in products and services that rely on foreign technology and software? I had read about a few cases, but hadn't been that tuned in.

To start, here are some examples of companies in the news on this topic:

  • Kaspersky -- As explained in a September 2017 article by The Washington Post, the U.S. government is banning the use of Kaspersky Lab security software by federal agencies over concerns that the company has ties to state-sponsored cyberespionage activities. According to the article, the Department of Homeland Security (DHS) issued a binding directive that ordered federal civilian agencies to identify Kaspersky software on their networks and remove it after 90 days, unless otherwise directed. Because of Kaspersky's presumed connections to the Russian government, the DHS said it believes the software poses a security risk, as the Post reported.

    The October 2017 Wired article, "Kaspersky, Russia, and the Antivirus Paradox," provides an update and notes separate reports indicating that Russia exploited Kaspersky software to invade U.S. systems for classified data. In another case, Wired reported, North Korea hacked into classified South Korean military files through antivirus software.

  • Huawei and ZTE -- In January, tech publication Where Consumers Come First Tech posted an article discussing a potential ban on the use of Huawei and ZTE products due to the companies' alleged connections with the Chinese government. Congressman Mike Conaway introduced a bill designed to impose a ban on all phones, equipment, and services from these companies. The "Defending U.S. Government Communications Act" cites concern that these companies could potentially share national security and corporate intellectual property data with the Chinese government.

  • Lenovo -- Last fall, the Federal Trade Commission posted an article notifying consumers about pre-installed software on some Lenovo computers that introduced security vulnerabilities. Installed on Lenovo laptops between August 2014 and June 2015, the VisualDiscovery software is an adware program that shows comparable products when you shop online. It puts personal information -- login credentials, Social Security numbers, and financial account information, for example -- at risk by transmitting user browsing information to software maker Superfish without telling the user.

Be In the Know

Frustrated that he couldn't find a VoIP/UC provider whose products and services were free of security problems or holes, my friend reached out to me. Even when based in the U.S., the service providers he looked into use foreign software or have development centers outside the U.S.

If you want to be sure to cover your bases, I suggest you pose the following questions when evaluating potential vendors/providers for security vulnerabilities:

  • Are employee personal computers allowed to access production data?
  • Are webmail accounts allowed on computers with access to production data?
  • Do you conduct internal penetration testing?
  • Do you or your subservice providers allow non-U.S. nationals to access production data?
  • Do you have an ID theft policy?
  • Can you produce an attestation of compliance for the PCI DSS certification claimed on your website? What are you doing to comply?
  • Where are your product support centers located?
  • Do you understand the potential issues that could arise from having support operations in Russia?
  • What options, if any, do you have to support organizations without support infrastructure from Russia or China?
  • Where is application development conducted?
  • Where do you do your testing?
  • Is any version of production data used for testing?

Satisfactory answers to these questions are important, although they're not a guarantee that no security vulnerabilities will be present. Read your contract to ensure that if security issues surface, the provider, not you, is responsible for the problems. In addition, be sure to specify that the provider must address the problems quickly or allow for immediate termination of the contract.