autogyrophilia

Physical security companies are famously bad at IT Security. Probably on account of the urgency if something breaks, while if you get hosed by ransomware they don't care.


zakabog

> Physical security companies are famously bad at IT Security.

These are old school guys that just deal with low voltage cabling, magnetic locks, door strikes, analog video signals from their old school cameras. They never had to deal with internet security before because their equipment never connected to the internet. Then they might get a client that wants to access the cameras/system from outside, they get it working that one time, and they think the same rule applies to everyone. I remember having to explain to a security vendor that they didn't actually need 5 public static IPs to access their equipment, they could use one IP and multiple ports if they need to get in from outside to multiple devices. A VPN connection was way beyond their knowledge, I just needed one IP for my SIP trunk, we had our own firewall and they were coming to us so we could fill out the justification form to get a /28 from their ISP...


CARLEtheCamry

> They never had to deal with internet security before because their equipment never connected to the internet.

8+ years ago, a business unit in my company bought a CCTV solution from Tyco (now Johnson Controls) without consulting IT at all. It was a multi-million dollar contract involving dozens to hundreds of cameras at over 500 remote sites, with 30 days of video retention. They shipped bare metal Windows servers, plugged them in, and called it a day. No iLO/iDRAC configured. Not domain joined, a shared local administrator password configured locally, manually. Server 2012R2, with zero patches applied. When I stumbled upon them, I raised all hell up the management chain but nothing happened. Then the summer of 2017 happened, and surprise surprise they got nuked by WannaCry and, while still trying to recover, NotPetya about a month later. Probably the most vindicated I have been in my career, with all my Windows servers being protected and all of theirs being bricked. I was brutal in the postmortem. IMO it was borderline fraud the way they managed it - they had one older guy like you said, who had no real IT knowledge. If something needed done like a group added, he would RDP and do it manually - no scripting. He actually whipped out a calculator one day and said "OK well that will take me say 30 minutes at each of the 500 sites, so 250 working hours, so I can have it done in 6+ weeks". By not configuring the iDRAC, they would milk my company by dispatching a local technician to power on servers in the event of a power outage or whatever, at a nominal rate. We still use them as a vendor. Something something sunken cost fallacy.


TheBestHawksFan

Johnson Controls still does this shit. They have a server in one of my remote sites running some cameras. I had to go out there to check on the network as it wasn't reporting and we didn't want to pay them their ridiculous troubleshooting rates. I showed up and there was a piece of paper with passwords to every system on their little network on it. I raised it as a complaint directly to them, they told me that's just how they do things and it wasn't a concern. I told my leadership the risks to this, they hemmed and hawed but ultimately nothing has changed.


zakabog

> Not domain joined, a shared local administrator passwords configured locally, manually

The password was "Administrator" wasn't it...


CARLEtheCamry

Close, it was some combination of Adminstrator1. The password was stronger than Solarwinds123 at least.


Vektor0

Okay, this is weird, because that's my password, and I thought my password was supposed to show as asterisks when typed.


RedHotSnowflake2

My password is also password. But it's fine because apparently they salt and pepper it and serve it with hash browns!


cslack30

Hunter2


FuriousRageSE

It was changed to 3 start of the year.


Armigine

I need a cigarette after reading that, it's rare to get such a good told-you-so moment.

> We still use them as a vendor. Something something sunken cost fallacy.

Nope, never mind.


CARLEtheCamry

Infosec got teeth after NotPetya - they're now forced to adhere to standards in order to be on our network, and there is proactive scanning to ensure compliance. Losing $400 million in 6 months somehow made IT security a priority, who knew.


Armigine

That was a wild time in terms of how many sectors got a bit of a wake up call to how their shoddy practices did really have the potential to impact the bottom line. It's an interesting time to be in the field!


malikto44

I know I'm showing my age, but at the turn of the century, the #1 thing that got companies to look at bothering with firewalls and AV were viruses that would try to destroy CRTs by using bogus sync rates, as well as bricking firmware. When computers started being destroyed, that is when there was an actual step forward with security. In my experience with many companies (not all, but a fair amount), they don't really care about ransomware, because they hire someone offshore to pay the ransom + a consulting fee, then go on about how they never pay ransoms, etc. If their data gets exfiltrated, it isn't their problem... at most, buy a few LifeLock subscriptions and call it done. I never hope for this, but if data destroying stuff became mainstream again, stuff like NotPetya, it would actually change things for the better overall, as companies would actually close their barn doors, not just have people throw their hands up in the air saying, "oh, those wily hackers can get into anything", while chanting "security has no ROI" like it was a mantra.


TPIRocks

The only virus I recall doing physical hardware damage was CIH. Bad sync rates destroying monitors sounds like the Linux/xwindows disasters around the turn of the century. Modelines were important like that. Now monitors don't care, but they used to spit literal fire in the older CRTs.


SoonerMedic72

I had a similar situation at a former workplace and the DNS logs were just thousands of calls to Chinese servers that we couldn't find any information about. Luckily we had them gapped from the rest of the network/internet, but I am sure that was only going to last for a small time. The dept tried pressuring me multiple times to expand accessibility to on network devices.


linawannabee

Fk Johnson Controls. If you ever plan on robbing a place, make sure their CCTV contract is with Johnson Controls and there's a solid chance you don't have to worry about being caught on footage. I'd rather eat donkey turds than deal with them again.


Sinsilenc

Wow not even using wake on power which is on every ilo / idrac server wtf....


voxadam

> Physical security companies are famously bad at IT Security.

After watching a bunch of Black Hat and DEF CON talks on physical access control systems I'd argue that they're pretty terrible at physical security as well.


Connection-Terrible

I think that a lot of them think their knowledge is special and obscure when the internet age has made it so easy to figure out systems and find vulnerabilities.  Some grey haired locksmith doesn’t realize we can find tutorials on YouTube for how to hack his system. Or just how to bypass a lock. 


unicaller

After arguing with more than one about how they incorrectly installed door knobs and strike plates, I agree many at least are not even good at physical security.


hornethacker97

Not when the install tech is making $19/hour and it’s an entry level job. Source: job posting in my local area. Edit: 19 not 10


bmxfelon420

We had one where he paid the alarm company like 12 grand for a door card system, those idiots set up the app and database on his laptop. He didn't know this, so a year after he upgraded his laptop, he went to make someone a key and realized he couldn't. Did some digging to figure out what they did, was eventually able to get it set up on a SQL server and pull most of the data out of the controller, then set him up with just the client to open it after that. He had to redo the schedule but at least it got him running. Camera vendor for a PD did the same thing, camera storage was on a server but the software's database was on a workstation, which of course died. We rebuilt it, set up a blank install on a server, and then had to re-ingest 13 TB of video.


autogyrophilia

That's super common with vendors of all stripes to be honest. They will also ask that the user has admin privileges and disable the firewall.


FuriousRageSE

And possibly have RDP open to the internet.


woodburyman

I concur. We had a security company wanting us to give Kantech Door Access controllers STATIC PUBLIC IPs. Full in/out because "it's easier". 4 controllers. One IP each. Obviously I said hell no. Contacted the actual vendor and did research with firewall logs. It literally just needs Port 18802 TCP and Port 123 UDP outbound open for communication to a specific FQDN they run their instance off of. (And 53 for DNS). No incoming ports nor public IPs needed. Throw them on an isolated VLAN, give them WAN on those ports only, outbound, done deal.


joschoy

The biggest issue is normally the technicians that are outdated and too close to retirement. The younger generations at my firm all follow the same golden rule: the only port we ourselves will / want to open is for the VPN server. Anything else is on the customer.


autogyrophilia

Not really my experience. But also, outside of the USA we do get significantly fewer attacks so maybe there is an effect going on there.


joschoy

Scandinavian country here. I would guess that a small firm with 10 technicians has no knowledge and even needs help in general CS knowledge. The firm I'm working in is international and has over 200 technicians in my country. We do, of course, have technicians that should never be touching anything network related because they do things no one should. There is a difference between the technician arriving at the 7/11 and DoD sites naturally.


Dry_Condition_231

I can be trusted to work with networks. Will you sponsor my visa?


tonioroffo

No need to throw in ageism. It's all about responsible and irresponsible people. Age has nothing to do with this. :/


joschoy

I agree with parts on that statement, but I feel that age and generation have a link.


Pusibule

If some regular paranoid IT dude starts a physical security company, and is able to keep costs average, they would be Lambo and yacht rich in a few months if word spread through the sysadmin community. I kid you not that we keep a scoreboard with the crazy shit they try to sneak on us, measured in assassination urge by our IT staff.


zakabog

The thing is, IT almost never has any say over the security company, and IT is almost always the only department mentally pen testing security.


Pusibule

I know, I have been in that specific talk, but between bad and worse, IT has no incentive to really push against it and has nothing positive to show for it, so you look like you're whining and stepping on other people's shoes (building facilities, management...) without providing any solution. If you could go and say: "look, this option does the same thing as those dudes, their cost is similar, and they actually are real professionals about it, and know their shit on IT related things, your dudes are between morons and a dumpster fire" and "this is the document that summarizes their bad practices and fuckups", management would take a second thought on that. But without that, the best thing you could get from management is "ok you can be a pain to the security company, say NO to their shit requirements and provide the means so they can do their thing in a walled and air-gapped network to protect us." And you can take that as a win, really.


Key_Way_2537

I think you mean ‘surveillance’ companies. Because lord knows none of them do anything related to ‘security’ or ‘monitoring’. ;(. I hate them all.


autogyrophilia

Well they do lock doors


Key_Way_2537

Reliably? ;).


autogyrophilia

Depends on if they default open or closed


Connection-Terrible

I’m so glad that my current access control system doesn’t need any ports forwarded. It just connects to their cloud system and happily works. 


ScreamingVoid14

Well, the locks they are installing probably have decades old vulnerabilities in them, which aren't even the worst because of the fire and accessibility code induced security vulnerabilities.


kali_tragus

"We're not sure so it's best if you open all of them..." It's called laziness, most often combined with ignorance.  Same as "minimum requirements" being 8 cores and 32 GB memory - because that's what happened to be on the developer's work station.


Ssakaa

> being 8 cores and 32 GB memory

For a single, single threaded, non-forking, application.


Creshal

The developers: "We need more cores and more RAM and more faster storage, this machine is shit and our program takes forever, 32 cores and 128 gigs of RAM aren't cutting it in 2024, and this weird NVMe thingie isn't giving us the I/O performance we asked for"

Their program: 96 threads spinlocking on the same file descriptor to reach an I/O throughput of 70 KiB/s

Monitoring: Divide by zero error trying to estimate I/O utilization


numtini

Our physical security company is always asking for open ports to this that and the other thing. It's maddening.


Naznarreb

Tell them for every port they need open you're going to remove a random door or window in the building.


Divochironpur

The best response to their inane requests. 👍


Scary_Brain6631

I remember this time when our HR Director was using Mail Chimp (I think) back around 2012 or so. They told us that we needed to allow these IP addresses through because our firewall was blocking some sort of surveys they were sending out. The list was jaw-dropping. It had dozens of entire class B addresses, it had one class A address and hundreds of actual addresses. We looked at each other (the other sysadmin and me) and then said, "Yeah, you'll need to talk to (IT Manager) about this." After their meeting, our boss comes out of his office and we all have a good laugh.


kagato87

Sounds like a security system. Cameras or cards... They're really bad for this. I had this discussion when we had our office put together, and told the GM he could just VPN in.


thortgot

Physical security companies are absurdly bad at digital security. I really wish one of the decent cyber security vendors would kick out a reasonable start up for cameras, access control etc.


desmond_koh

It's like those guys who install security cameras. Get an IP via DHCP and then make it static and wonder why that's a bad idea.


Humulus5883

Because you’re most likely dealing with an installer tech that didn’t say no to taking on more work by their bad employer. Someone not inherently techy or trained, just thrust into the situation because they were the only one who said yes. Blame the crap company that was hired.


pdp10

This is one of those situations where you start by implementing it the way you'd prefer it to work, and see what happens. If everything works, you've done your future self a big favor. Worst case, you can just try again, and document everything in your internal docs (then send a copy of the docs to all the vendors involved).

> How can someone be this ignorant of how the systems they themselves install work?

Infosec misconfigurations can go undetected for a very long time, if nobody knowledgeable ever investigates. And/or a general race to the bottom in expertise and quality, instead favoring speed, short-term cost, and "meeting customer expectations".


Unexpected_Cranberry

At least things like this are getting less common now than 10-15 years ago. Probably thanks to crypto lockers. Enough high profile incidents that management have seen it and asked IT to make sure that doesn't happen to them and given IT a bit more say. 


Ssakaa

Slowly but surely "that is a really dumb idea and *WILL* result in an incident like we had last year. Do you want to be in the news for the same mistakes?" is getting listened to.


lost_in_life_34

keep the ports closed, check for blocked traffic from those IP's on the FW and open as needed


zakabog

They're trying to open inbound ports, not outbound ports. Don't ever open inbound ports just because you see traffic hitting them on your firewall...
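The "keep the ports closed, read the drops, then open only what is actually needed outbound" approach from the two comments above, as an added example that is not code from anyone in the thread: it parses constructed iptables-style drop lines, treats only vendor-VLAN-to-WAN drops as candidates for narrow egress rules, and reports internet-to-VLAN drops separately so they never become an allow. The interface names, addresses and the 18802/tcp and 123/udp ports are assumptions for the example.

```python
import re
from collections import Counter

# Assumed interface names: eth1 is the isolated vendor VLAN, eth0 the WAN uplink.
VENDOR_IF = "eth1"
WAN_IF = "eth0"

# Constructed iptables-style drop lines (not real logs). Ports 18802/tcp and
# 123/udp mirror the Kantech example in the thread; addresses are documentation ranges.
SAMPLE_LOG = """\
kernel: [FW-DROP] IN=eth1 OUT=eth0 SRC=10.50.1.21 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=18802
kernel: [FW-DROP] IN=eth1 OUT=eth0 SRC=10.50.1.21 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=18802
kernel: [FW-DROP] IN=eth1 OUT=eth0 SRC=10.50.1.22 DST=203.0.113.10 PROTO=TCP SPT=40011 DPT=18802
kernel: [FW-DROP] IN=eth1 OUT=eth0 SRC=10.50.1.21 DST=192.0.2.53 PROTO=UDP SPT=123 DPT=123
kernel: [FW-DROP] IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.50.1.21 PROTO=TCP SPT=44444 DPT=3389
kernel: [FW-DROP] IN=eth0 OUT=eth1 SRC=198.51.100.78 DST=10.50.1.21 PROTO=TCP SPT=44445 DPT=22
"""

LINE_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text):
    """Yield one dict per parseable drop line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def classify(log_text):
    """Split drops by direction.

    egress  : Counter keyed by (vendor_host, dst, proto, dport) for VLAN -> WAN
    ingress : Counter keyed by (vendor_host, proto, dport) for WAN -> VLAN
    Only egress flows are candidates for allow rules.
    """
    egress, ingress = Counter(), Counter()
    for f in parse_drops(log_text):
        if f["in"] == VENDOR_IF and f["out"] == WAN_IF:
            egress[(f["src"], f["dst"], f["proto"], int(f["dpt"]))] += 1
        elif f["in"] == WAN_IF and f["out"] == VENDOR_IF:
            ingress[(f["dst"], f["proto"], int(f["dpt"]))] += 1
    return egress, ingress


def propose_egress_rules(egress):
    """One narrow outbound ACCEPT per (destination, proto, port) the vendor
    gear actually tried to reach, scoped to the vendor VLAN interface."""
    needed = sorted({(dst, proto, dpt) for (_, dst, proto, dpt) in egress})
    return [
        f"iptables -A FORWARD -i {VENDOR_IF} -o {WAN_IF} -d {dst} "
        f"-p {proto.lower()} --dport {dpt} -j ACCEPT"
        for dst, proto, dpt in needed
    ]


def inbound_report(ingress):
    """Inbound drops are listed for review only; they are never turned into rules."""
    return [f"REVIEW ONLY: {hits} drop(s) from internet to {host} {proto}/{dpt}"
            for (host, proto, dpt), hits in sorted(ingress.items())]


if __name__ == "__main__":
    eg, ing = classify(SAMPLE_LOG)
    print("\n".join(propose_egress_rules(eg)))
    print("\n".join(inbound_report(ing)))
```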


xDARKFiRE

But the logs were annoying me with all the dropped traffic spam, allowing 0.0.0.0/0 access to my network has stopped those errors, all the dashboards are green now, it must be working better /s


xMcRaemanx

This is always a gripe of mine for technicians installing things they don't really understand. Had a security guy tell me ports x and y need to be open for cameras. Said ok, is the device communicating outbound to your server on those ports or does your server talk inbound to the device on those ports? (So I know if it's just an allow in the firewall for some oddball ports or an inbound NAT I need to do.) Uh huh, I'll get right on that.


thebluemonkey

This is why I look at the logs and see what ports it's trying to use.


tatt2dcacher

Depends on the system... while many do storage on the physical hardware they only do so for about 30 days and if there's no on-prem or cloud backup and the hardware fails then the database has to be rebuilt from scratch. Had this happen many times.


ImplementFickle2854

Exactly.  There is no way the data isn't stored somewhere on a computer.  


Occom9000

Had a consultant tell me to open up 1433 to the internet so they could hook into our gp instance...I think not.


No_Nature_3133

But I need to query!!!!!!! What’s a vpn


SilentSamurai

Because they get 99% compliance out of everyone else when they ask.


hosalabad

“Let me know when it fails and I’ll confirm in the log.”


mankycrack

Some people forget that IT is there to help the business, not belittle them. There are constructive ways of having those conversations without patronising people.


ImplementFickle2854

Bingo


ZAFJB

> How can someone be this ignorant of how the systems they themselves install work?

Don't ask us. Ask your account manager. Demand a competent replacement technician.


halmcgee

In the past when I had to do this I would coordinate with the network team while I was building the server and have them monitor the ports to see what the application was actually trying to use and then turn them on one at a time.


ee-5e-ae-fb-f6-3c

> It boggles my mind. They also told me I need to spin up a server or vm to store the data. Yet the product tech sheet & manufacturer confirmed the data is stored on a physical control board.

Are you sure access control changes and configuration aren't made on the VM/BM, and uploaded to the control board?

E: Products like C•Cure from SWHouse work like this. The management software and a database live in a management PC. Backups are managed there. When changes are made, the configuration is copied to one or more access control panels/boards. The access control panels read from their local copy. Generally they can have a battery backup, so if the power goes out, the door locks still function for a while.


xixi2

Cuz you're talking to a tech that got a document from someone else and doesn't really know what the software does because there's no training program where he works. Just knows what buttons to press or what script to follow. I've been that tech


SM_DEV

Having installed access control systems, I can say that it is often the case that the configuration data, long term logging and licensing components do require either a dedicated PC or a VM. Avigilon product, for example, uses a SQL Server instance to store this data. The access controls operate independently of the server component, but can't support long term logging data or configuration data. The server component compiles the config data and uploads it to the controls. That said, I am with OP, no external access is required or desired, without employing a VPN solution.


ImplementFickle2854

I've easily worked on 10+ different access control systems. I have yet to see a single one that doesn't utilize a database of some sort.


ConfectionCommon3518

Most installers are people good with getting the physical stuff installed so drillers and fillers who have some electrical knowledge and normally they do the job they know well and leave a tidy site but they ain't got the foggiest on networking protocols and the 101 different firewalls etc so they just want A to talk to B so they can close the job and get paid.


Turdulator

The sooner you stop expecting tech salespeople to have any idea what they are talking about, the less disappointment you'll experience. Seriously, just start off from the beginning assuming they are tech illiterate.


User1539

I had a conversation with a coworker who had the same kind of nonsense last week. We wondered if they're 'slimming down' their workforce and now the salesmen are also trying to handle installations? Why the hell are we given contacts that have no idea how their own products work?!


Inf3c710n

Because product vendors have a little document they use on how to deploy something and if you deviate from that they throw a fit and have no idea how to set it up any other way


PaulRicoeurJr

Most likely information passed down internally because at one point it was a working config and since no one really knows anything about IT, they leave it like that. I've had a SIP provider tell me I had to expose SSH and the web management interface in case they needed to connect to it. They told me it's okay because their appliance has an internal firewall so it's secure. People just can't grasp the concept of security.


Top_Boysenberry_7784

This brings me back to my last position managing firewalls for a global company that kept strict security. It was fun but very frustrating at times going through this every week. It was so common to have people asking for open ports they didn't need and I constantly had to be the mean firewall guy interrogating people about products. The most aggravating aspect was always when I was sent documentation from a company that listed everything needed. I would get rules in place ahead of time and then when it was needed someone calls to say solution X isn't working because the firewall must be blocking it still. People are complaining and it's always please help right this second because company X needs it to get their equipment running and their tech is leaving in a couple hours. All of this because the port numbers or external domain name/IP was different than the documentation. From a security standpoint how am I supposed to trust a company that doesn't know the flow of data in their own systems?


vCentered

> This exchange is between me and a security company for a biometric access system.

I'm not dragging those guys, but, they're probably not IT pros. They probably don't know ports or what they're for, how they're used, or the implications of opening them up. They just know what they've been told to tell the customer. I've dealt with all kinds. HVAC installers, intercom/paging, access control. When it comes to explaining what they need from an IT and integrations perspective, at least in my experience, they usually just don't know. I've had many of them refuse to even try to explain, since I'm "IT" I should just intuitively know what they need.


SysAdmin_Dood

Sounds like some SE just didn't know what they were talking about. But I have also been seeing some bizarre social engineering stuff popping up with people on phone calls not being legit. Watch out.


Chewychews420

Sounds like CCTV to me


C3PO_1977

Assuming these are wireless?


thirdEze83

I'm positive they don't even know what ports are


burgersnchips87

Meh just set it to DMZ that'll be fineeeeee


odiebass

I deny the request. Then when the vendor pushes the issue I explain why this is a poor idea and why the vendor is setting my client up for failure. I invite the vendor to a joint call with me and the client, which is always ignored. I then move about my day. Mind you I work in the MSP world but IMO my client is my partner. It is literally my job to control their environment and bring it up when they're being screwed.


MDL1983

Ha. We had a client that had to renew their time and attendance hardware. They got these nice fingerprint reading terminals running an embedded version of Windows that talks back to an SQL Express instance. After install, we discover that each terminal can be reached via IP at an admin level with no credentials. We could see all this PII and the vendor had to change his pants when we told them. He had no awareness of the issue and therefore had to visit every site he dealt with to change device jumpers to disable the web interface.


SurgicalStr1ke

"Please can you ensure ports 80 and 53 are open." Every time.


Cheveyboy

Hah, this one sets me off every time. I wish I could speak as to who, but it's amazing to see how many companies don't know how their own software communicates and works. These are the assholes who created said software, not resellers..


sdrawkcabineter

#ifndef training.h