A few notes on "third party risk" services
01-17-2020 06:13 AM - edited 01-17-2020 06:15 AM
Given the increasing importance of cybersecurity these days, a number of companies have popped up which market their "third-party risk assessment" services. Generally, the idea is that if you're about to enter into a relationship with a new vendor, these services will provide you with a grade or score representing that vendor's cybersecurity posture. A low grade or low score represents a vendor that isn't doing a very good job, and thus, logically, doing business with that vendor represents increased risk to your organization and your data.
Aruba regularly gets a grade of "F" (failing) in these services. I've now seen reports from at least four different ratings services. They make claims about everything from "patching cadence" to "IP reputation" to "malware infection", but universally they give Aruba and HPE a rock-bottom score. Given the big emphasis we place on security at Aruba, this might surprise you.
I will resist climbing up on my Security Practitioner Soapbox about what these ratings services can and can't legitimately determine - all I will say is let the buyer beware, and personally I would not spend my money on one of them.
What I do want to address is why Aruba regularly gets such a low score. Typically, all we are shown by a customer is the summary report, which doesn't provide any useful clues. I did find one customer who was kind enough to share a full 495-page report for the 'arubanetworks.com' domain. With that, the problem is relatively easy to spot: "securelogin.arubanetworks.com".
Back in the early days of Aruba (a kinder, simpler time), we began shipping a factory-default SSL certificate on every controller and access point which was assigned the hostname 'securelogin.arubanetworks.com'. This certificate was intended to get customers up and running with Captive Portal very quickly - through some magic in ArubaOS, wireless users connecting to a guest network would make an HTTPS connection to the captive portal and their browser would not show certificate warnings. We also made this certificate the default certificate for the ArubaOS management interface. Hindsight being 20/20, I can make three observations:
- This was a dumb idea and we never should have done it. Reversing the mistake has proven incredibly difficult and painful, mostly because customers LIKE the feature and complain when we try to remove it.
- When we created this factory-default certificate, we should have created a new domain name and not used 'arubanetworks.com'. Today we've doubled down on this and now there's also a captive portal certificate under the 'hpe.com' domain name, so we're spreading the problem and making it worse.
- We never should have made the captive portal certificate ALSO the default for the management interface. In ArubaOS 8.x that particular error has been corrected, at least.
That brings us back to the cybersecurity ratings services. What is happening, in short, is that these services are scanning the entire Internet, and every time they hit an HTTPS interface and see a certificate with 'arubanetworks.com', they are assigning that IP address to Aruba. Then, every vulnerability or misconfiguration they can detect at that IP address is attributed to Aruba. And it turns out, a whole lot (a surprising number!) of Aruba's customers attach their Wi-Fi equipment directly to the public Internet and don't firewall any of it. Some of these IP addresses aren't even attached to Aruba equipment anymore - for example, one report shows 27 "Aruba" hosts running an SSH server that supports SSH version 1. Aruba has never supported SSH version 1. You can see a clipping from one of the reports below as an example - we do not own any of those IP addresses.
I reached out to two of the reputation services and suggested they could dramatically improve their results by filtering out "securelogin.arubanetworks.com" and "securelogin.hpe.com". Both responded back, letting me know that if we became a customer of theirs, we could then use their published API to request removal of IP addresses, one by one, from our reputation score. To be honest, I have my plate full worrying about my own company's products - I am not going to pay them for the privilege of fixing their products. However, if you are a paying customer of one of these services, and you're seeing the same kind of invalid results, I encourage you to demand that they give you what you're paying for.
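To make the attribution problem described above concrete, here is an added example (not code from the post, Aruba, or any ratings service) that models the naive "certificate mentions the domain, so the IP belongs to the vendor" logic next to the filter suggested above, which sets aside hosts whose certificate carries only the factory-default hostnames. The scan records and IP addresses are constructed for illustration.

```python
# Added example (not from the original post): naive certificate-based attribution
# versus the same attribution with factory-default hostnames filtered out.
# Scan records are constructed; IPs are RFC 5737 documentation addresses.

# Hostnames from the factory-default certificates named in the post. A host
# presenting one of these says nothing about who owns the IP address.
FACTORY_DEFAULT_NAMES = {"securelogin.arubanetworks.com", "securelogin.hpe.com"}

# Constructed scan export: (ip, certificate subject CN, subject alternative names)
SCAN = [
    ("192.0.2.10", "www.arubanetworks.com", ["www.arubanetworks.com", "arubanetworks.com"]),
    ("192.0.2.11", "securelogin.arubanetworks.com", ["securelogin.arubanetworks.com"]),
    ("198.51.100.5", "securelogin.hpe.com", ["securelogin.hpe.com"]),
    ("203.0.113.7", "*.example.org", ["*.example.org", "example.org"]),
]


def registered_domain(name: str) -> str:
    """Crude registrable-domain extraction: wildcard stripped, last two labels kept.
    Adequate for the .com names here; a real tool would consult the Public Suffix List."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def naive_attribution(records):
    """What the post describes the rating services doing: every IP whose certificate
    names anything under a domain is credited to that domain's owner."""
    by_domain = {}
    for ip, cn, sans in records:
        for name in {cn, *sans}:
            by_domain.setdefault(registered_domain(name), set()).add(ip)
    return by_domain


def filtered_attribution(records):
    """Same attribution, but a host whose certificate carries only factory-default
    names is set aside rather than credited to the vendor (the filter suggested above).
    Returns (attribution by domain, set of excluded IPs)."""
    by_domain, excluded = {}, set()
    for ip, cn, sans in records:
        names = {n.lower() for n in {cn, *sans}}
        if names <= FACTORY_DEFAULT_NAMES:
            excluded.add(ip)  # customer-owned device still presenting the shipped certificate
            continue
        for name in names:
            by_domain.setdefault(registered_domain(name), set()).add(ip)
    return by_domain, excluded
```

From a customer's side, the same `excluded` set is a useful inventory: each entry is a device of yours that is reachable from the Internet with the vendor's default certificate still installed, which is the cue to replace the certificate and firewall the management interface.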
Meanwhile, here's a service that I use all the time. It's from Qualys, who kindly make it available for free; the results they give are objective, and it does not claim to measure anything that it can't actually measure. If you're trying to get an idea about a company's Internet-facing security posture without paying for a full pen test, this is one option:
Jon Green, ACMX, CISSP, CISM, and a bunch of other acronyms
Aruba Security CTO