STS Blog

Third Party Review

March 10th, 2010 by Jordan Del-Grande

After conducting a number of third party reviews over the years, I thought I would write up a sample of the common assumptions organisations make when they believe the third party is securely protecting their best interests. The scope of this blog is a third party link into a highly secure environment, whether that environment is domestic or international.

I am going to skip all the audit items listed in an ISO standard, as these can be downloaded and checked off as part of any security and risk baseline review. There are some pretty comprehensive audit documents up on the ISACA website and also papers in their journal!

Firstly, I want to lay out the scenery: you have engaged a third party vendor who has a dedicated site. They connect over a cloud using a VPN tunnel (Internet, MPLS, IPLC). They come in through your third party connection DMZ (hopefully), where they are authenticated (2FA with tokens) and then authorised (AD, Novell, etc.), and a virtual machine is pushed back to them using some middleware (Windows RPC, Citrix, Desktop Broker, Xen, etc.). So in a nutshell it looks like this:

Third Party <-> Cloud <-> Organisation DMZ <-> Organisation Applications & Databases

The third party has provided you with a slide deck that outlines how secure their site is… It probably goes a little something like this -> we have a global footprint and can “follow the sun” -> we are “ISO/IEC 27001:2005” certified -> our ODC/production floor set-up is a simple 1, 2, 3, 4 process (no dramas as long as we dictate what you require) -> our networks are secure as we use “firewalls” and “virus scan” with an “IPS” -> our hardware is secure as it is “hardened” -> we follow all the high level security controls -> we have an in-built security team with “incident response”, DR and BCP options -> you know the spiel ;-)

Each one of the above items, both the infrastructure and the slides, can easily be picked apart, but one area I really want to hone in on is something I raised at a Citrix education workshop a number of years ago.

Let’s assume you follow what the vendor has laid out for you above and you also have a highly secure vendor connection set-up. After all, you spent money having it designed by Architects, having it reviewed by Risk, having it penetration tested by Security, and finally having it audited by an external firm. This end-to-end remote connection infrastructure is tight!

But none of the above is really that important once you go and give the guys on the other end the keys to access your back-end systems. I guess I shouldn’t say it isn’t important, but rather that it becomes superficial. Much like how a boat with an awesome motor is superficial when there is a hole in the bottom.

What I have noticed with a number of security/risk professionals is that once they start hearing buzz words like firewall, VPN, 2FA, Citrix with lockdown, physically secure room, swipe card, guard on door, etc., they tick off the boxes on their audit checklist but forget to ask the holistic type of questions. Again, it is much like saying motor… check, steering wheel… check, double bed with champagne… check, and forgetting to ask if there is a hole in the bottom because the water is still out of view.

As an example, the question I asked at the Citrix seminar was in regards to copying and pasting out of Citrix. Most people quickly assumed I was an idiot who didn’t know about the options to disable this setting, as well as share drive mappings. They were more than happy to quickly proceed to windbag about how the configuration settings should look. Again, it is that checklist mentality, where I already knew about the optional settings as I had downloaded the same document! Reciting my mum’s shopping list doesn’t show I am intelligent; it just shows I like to memorise things that could in fact just be written down.

Anyway, the question I was asking was broader… Although you can have all the secure settings enabled, what if the individual on the other end decides to screenshot, from their laptop, the information that is in their Citrix session?

Surprisingly (or not, depending on your view), when I reiterated the question for them the room went silent. They hadn’t thought about this question before and as such didn’t have a checklist in memory to recite back. They were in a sense a program without a piece of code to execute… “DOES NOT COMPUTE”. As such, the question was brushed aside and we moved on.

I didn’t mind at the time, because all I was really doing was pressure testing the awareness of this issue. And what was discovered was a lack of awareness or, said another way, ignorance. You see, in the above requirements set out by the third party, which you agreed to, they require access to their own systems for general day-to-day operational processes. This includes things like time sheets, intranet sites, FTP sites, Internet access, email access, etc.

So if by chance one of the third party agents decides to run a screen capturing tool all day long whilst performing their job (e.g. production support with customer details, development code with intellectual property, back office work with more customer details, etc.), they can gradually screen scrape this information out unbeknownst to you or the third party. You cannot see this occurring, as you have already given them the keys to view this information in order to perform their job role. And the third party cannot see it, as it is not a virus or an exploit that will trigger the anti-virus or IPS. In short, you just got hosed.

I have plenty of other nice examples like the above, but this blog is long enough as it is. If ever you would like to discuss any of these, I am always available for a chat.

I just love this stuff…

Citrix Security

April 29th, 2007 by Jordan Del-Grande

Read any of last quarter’s Financial Review and/or BRW magazines and they will tell you about the hot stocks to invest in for 2007. Some of the obvious ones are the minerals boom, exporting commodities to China and outsourcing IT. This post will focus on the latter, “outsourcing IT”. No, I am not going to give you stock advice and ask you to invest in funds such as the CommSec India share fund. Nor am I going to talk about buying into remote connectivity software companies if the outsourcing boom takes off again like it did about 5 years ago (that is, before they brought most of it back in-house). What this post is about is the increased importance that will be placed on remote connectivity software (e.g. Citrix) as businesses focus on outsourcing to cut costs.

Most network people I speak to about Citrix say two things: it is better for network bandwidth and it is better for security. Both of these statements are true if Citrix is implemented correctly. A common mistake is that the networking guys will spend all their time fine tuning Citrix to get the most out of the link but will assume that it is already secure. The problem is not that Citrix is inherently insecure, but rather that the applications placed within the Citrix session can lead to Citrix’s undoing.

One of the most common and oldest attacks performed on Citrix is the launching of a command shell. It requires no skill and is simple to execute. To perform this within a Citrix session requires an application like Windows Explorer. The attacker launches Explorer, selects File -> Open from the menu bar and a dialog box appears. They then browse to C:\Windows\system32\cmd.exe, right click and select Open. That’s it! Now the attacker has command line access to your Citrix server located within your network. Note that they will be running at the same privilege level they logged in with. Now think about all the other applications the end user requires and try to lock each of them down. In addition, other applications like the Microsoft SQL suite allow you to launch applications via the Tools option without having to perform the above.

There is so much to talk about when it comes to Citrix security, and this is just one example of many. If you are a Citrix administrator you should be aware of such avenues of attack and have probably already removed the File option from the Explorer menu bar and/or restricted browsing to certain types of files (e.g. .txt, .pdf, etc.). But remember that any other application may be susceptible to the same avenue of attack, so factor in the time to test for this problem using either the team’s baseline standard or a security professional.
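One way to turn the lock-down advice above into a repeatable check, as an added example that is not from the original post: run it inside a published Citrix session as the account under test on the session host. It assumes the AppLocker cmdlets are available (Windows Server 2008 R2 or later) and reads the DisableCMD and NoViewOnDrive policy values; it only reports and changes nothing.

```powershell
# Added audit script (not from the original post): run inside a published Citrix
# session as the account under test. It reports whether the controls discussed in
# the post (AppLocker, "Prevent access to the command prompt", "Prevent access to
# drives from My Computer") would stop that account starting cmd.exe from an
# application's File -> Open dialog. Assumes the AppLocker cmdlets exist. Read-only.

$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$cmd  = Join-Path $env:SystemRoot 'System32\cmd.exe'
$findings = @()

# 1. AppLocker: does the effective (local + GPO) policy deny cmd.exe to this user?
try {
    $policy   = Get-AppLockerPolicy -Effective -ErrorAction Stop
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $cmd -User $user
    if ($decision.PolicyDecision -notmatch 'Denied') {
        $findings += "AppLocker: $user may run $cmd (decision: $($decision.PolicyDecision))"
    }
} catch {
    $findings += "AppLocker: effective policy could not be evaluated ($($_.Exception.Message))"
}

# 2. GPO "Prevent access to the command prompt": DisableCMD of 1 or 2 blocks cmd.exe
#    (2 also blocks batch files); a missing value or 0 means the policy is not enforced.
$sysKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$disableCmd = Get-ItemProperty -Path $sysKey -Name DisableCMD -ErrorAction SilentlyContinue
if (-not $disableCmd -or $disableCmd.DisableCMD -eq 0) {
    $findings += 'GPO: "Prevent access to the command prompt" is not enforced for this user'
}

# 3. GPO "Prevent access to drives from My Computer": NoViewOnDrive is a bitmask
#    (A: = 1, B: = 2, C: = 4, ...), so the value 4 must be set to hide drive C: from
#    Explorer and the common Open/Save dialogs that the post's browse-to-cmd.exe uses.
$expKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noView = Get-ItemProperty -Path $expKey -Name NoViewOnDrive -ErrorAction SilentlyContinue
if (-not $noView -or (($noView.NoViewOnDrive -band 4) -eq 0)) {
    $findings += 'GPO: drive C: is still browsable from Explorer and Open/Save dialogs'
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $user is blocked from cmd.exe by every control checked"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A PASS here only covers the three controls checked; the post's point stands that every other published application still needs its own test.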