Trusted Vendors?

    • #7991
      S3curityM0nkey
      Participant

      There has been a lot of talk in the US and Australia about Huawei and whether they should be allowed to bid for or supply hardware for projects that could be classified as “national infrastructure”.

      Huawei have refuted the claims of both governments that the PLA have too much control of the company and may use it as a tool to infiltrate government networks.

      To prove that their hardware / software is not a threat, they have offered to allow governments to inspect the code that runs on their hardware.

      This article is interesting as it points out that even if you find no backdoor in the software, when you find a bug and call the Huawei service team you are opening the front door and allowing them full access to your company!

      This doesn’t only go for Huawei; maybe we should all be a little worried about who it is we allow in our data centers! Can you trust IBM / DELL / HP fully?

      I’m not saying that any of the companies listed above are evil, all I am saying is that we should keep this in mind when selecting vendors or partners.

      The Huawei Security Problem Isn’t the Hardware, it’s Engineers Fixing the Bugs.

    • #50724
      rattis
      Participant

      I think the better way of dealing with this is seeing what other companies provide these services, and then finding out if they can outperform (either in equipment or service) Huawei.

      I get international business, but I’m starting to think it might be worth copying some of China’s model. You want to sell your product here, you have to have a factory making it here. Limited import. Government inspections at random. Etc.

      As for offering to let someone inspect your code… What coding standards are there? How long do they have to inspect it? Are they going to inspect each sub-release? And as we all know, just because we can’t find the hole doesn’t mean it’s not there.

    • #50725
      dynamik
      Participant

      @chrisj wrote:

      As for offering to let someone inspect your code… What coding standards are there? How long do they have to inspect it? Are they going to inspect each sub-release? And as we all know, just because we can’t find the hole doesn’t mean it’s not there.

      This. Let’s assume it’s acceptable at the onset; what if something changes five years down the road? If you’re seriously going to use this as an attack platform, you’d be willing to commit to the long con.

      Regarding third-party vendors, Dell, HP, etc., the way I’ve always handled it in the past was to leave any sort of remote access disconnected/disabled until it was needed, and then have someone monitor/oversee everything the technician does. Giving a vendor free rein 24/7 certainly seems to create an unnecessary exposure.
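The practice dynamik describes (vendor remote access off by default, enabled only against a ticket with a named person overseeing the session, and revoked when the work is done) can be written down as a small policy object so it is enforced and auditable rather than remembered. The following is an added example and not code from this thread or from any vendor; the vendor id, ticket number and overseer name are constructed placeholders.

```python
"""
Default-deny, time-boxed vendor remote access with an audit trail.

Added example (not from the thread or any vendor's tooling). Models the
practice of keeping vendor access disabled until a ticket needs it, opening
it for a bounded window with a named overseer, and revoking it automatically
once the window expires. All vendor/ticket/overseer names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class AccessWindow:
    vendor: str
    ticket: str
    overseer: str                     # staff member watching the session
    opened_at: datetime
    expires_at: datetime
    closed_at: Optional[datetime] = None


@dataclass
class VendorAccessPolicy:
    max_window: timedelta = timedelta(hours=4)   # upper bound on any single window
    windows: Dict[str, AccessWindow] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _log(self, when: datetime, event: str, vendor: str, detail: str = "") -> None:
        self.audit_log.append(f"{when.isoformat()} {event} vendor={vendor} {detail}".rstrip())

    def open_window(self, vendor: str, ticket: str, overseer: str,
                    now: datetime, duration: Optional[timedelta] = None) -> AccessWindow:
        """Enable access for one vendor; requires a ticket and an overseer."""
        if not ticket or not overseer:
            raise ValueError("a ticket reference and a named overseer are required")
        duration = duration or self.max_window
        if duration > self.max_window:
            raise ValueError("requested window exceeds policy maximum")
        if self.is_allowed(vendor, now):
            raise ValueError("vendor already has an open window")
        w = AccessWindow(vendor, ticket, overseer, now, now + duration)
        self.windows[vendor] = w
        self._log(now, "OPEN", vendor,
                  f"ticket={ticket} overseer={overseer} until={w.expires_at.isoformat()}")
        return w

    def close_window(self, vendor: str, now: datetime, reason: str = "work complete") -> bool:
        """Explicitly revoke access when the technician is done."""
        w = self.windows.get(vendor)
        if w is None or w.closed_at is not None:
            return False
        w.closed_at = now
        self._log(now, "CLOSE", vendor, f"reason={reason}")
        return True

    def is_allowed(self, vendor: str, now: datetime) -> bool:
        """Default deny: access only inside an open, unexpired window."""
        w = self.windows.get(vendor)
        if w is None or w.closed_at is not None:
            return False
        return w.opened_at <= now < w.expires_at

    def revoke_expired(self, now: datetime) -> List[str]:
        """Housekeeping pass (e.g. run from cron) that closes expired windows."""
        revoked = []
        for vendor, w in self.windows.items():
            if w.closed_at is None and now >= w.expires_at:
                w.closed_at = now
                self._log(now, "EXPIRE", vendor, f"ticket={w.ticket}")
                revoked.append(vendor)
        return revoked


# Constructed reference time used by the walkthrough below.
T0 = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Walk one ticket through the lifecycle and report what was allowed when."""
    policy = VendorAccessPolicy()
    before = policy.is_allowed("storage-vendor", T0)                    # closed by default
    policy.open_window("storage-vendor", "TICKET-1234", "ops-oncall",
                       T0, timedelta(hours=2))
    during = policy.is_allowed("storage-vendor", T0 + timedelta(hours=1))
    revoked = policy.revoke_expired(T0 + timedelta(hours=3))            # window lapsed
    after = policy.is_allowed("storage-vendor", T0 + timedelta(hours=3))
    return {"before": before, "during": during, "revoked": revoked,
            "after": after, "events": len(policy.audit_log)}


if __name__ == "__main__":
    result = demo()
    print(result)
```

The point of `open_window` refusing a request without a ticket and an overseer is that the check that someone is watching the technician is enforced by the same mechanism that turns the access on, and every open, close and expiry lands in `audit_log`, so "who had access to what, when, and who was watching" can be answered after the fact.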

    • #50726
      rattis
      Participant

      I used to get comments from upper management, and complaints from my staff, that I wouldn’t let “trusted” vendors walk around unescorted. Be it the same guy that had been coming to fix the copiers for years, or the storage vendor’s people who were on site 2 days a week at some point.

      Sorry, slight thread hijack there. But the point is, just because you use them doesn’t mean they should be trusted. It’s an argument I’ve started at my current client’s site, and the full-time direct hires have picked up and run with. Just because they’re a trusted business partner doesn’t mean you give them access to the bank accounts.

Copyright ©2020 Caendra, Inc.