Used Network Security Appliances and End-User Devices: Trust Nothing!
Every business has limited resources, which means they all look for ways to reduce expenses for support functions, including IT hardware, cybersecurity, and regulatory compliance. Many businesses likely either buy used IT hardware when possible or have considered doing so. After all, a firewall that costs over $14,000 brand-new from the manufacturer may sell for less than $1000 used on eBay. Refurbished computers on Amazon may be sold at 20% to 40% less than new machines. Those cost savings add up.
Buying used, grey market hardware is a little bit like buying a used car: you may save money, but you don’t know how well it works and whether or not it was properly maintained. A poorly maintained car could get the driver killed; poorly maintained IT equipment could get the company hacked. One key difference though is that you can get an idea of the quality of a used car by having a mechanic inspect it and taking it for a test drive. That doesn’t necessarily work with used IT equipment. Checking whether the software is up-to-date, all the security patches are installed, and the device is free of malware is a time-consuming task that can only be done after the equipment has been bought. In that respect, used IT equipment is more like snake-oil than a used car.
Network Appliances and Snake Oil
Economists would probably classify both used IT hardware and snake-oil as credence goods, which are goods whose value is difficult or impossible for a buyer to determine. Snake oil, a traditional Chinese folk remedy, was made from the fat of Chinese water snakes. This fat has a high concentration of eicosapentaenoic acid (EPA), which can reduce some types of inflammation. When merchants in 19th century America tried to copy the remedy by using the fat of American rattlesnakes, the remedy was much less effective. It seems that rattlesnake fat has a much lower concentration of EPA. Consumers could not easily tell the difference between high-quality water-snake oil and ineffective rattlesnake oil, and unscrupulous merchants flooded the market with the cheap, ineffective local product. And that is how snake oil became a byword for deceptive marketing or fraudulent remedies.
Similarly, purchasers cannot immediately tell the difference between well-maintained IT hardware and unpatched hardware riddled with malware. Purchasing used equipment is riskier than buying new. With any credence good, including used IT equipment, you need to understand the risks and take steps to mitigate them. Used network appliances may be cheaper, but you must consider the cost of risk mitigation before you buy the equipment.
What are the Risks of Used Network Appliances?
In truth, all IT systems are credence goods to some extent. As anyone who has ever had to perform a vulnerability scan can confirm, all software has vulnerabilities. Research indicates that most software, whether it’s commercial or open-source, contains about 250 security vulnerabilities per million lines of code. That means that an operating system like Windows 10, which may have 50 million lines of code, probably has over 12,000 security vulnerabilities, many of which have not been identified yet. Mitre’s list of known vulnerabilities, the Common Vulnerabilities and Exposures (CVE) database, has over 130,000 entries.
Software is never risk-free. Even if you’re running the latest version on brand-new hardware, vulnerability scans always yield findings. Organizations do not have the time and resources to remediate all the vulnerabilities. After a scan, administrators have to decide which vulnerabilities are remediated and which ones are left alone. According to Verizon’s latest Data Breach Investigations Report, organizations typically patch only 30% of the identified vulnerabilities within 90 days after a scan.
Each organization sets its own priorities for patching, based on the risk the vulnerability presents to them. Your priorities might be different from those of the hardware’s previous owner, so you should not assume that the patches you consider necessary have already been made. That is what makes used IT equipment riskier than brand-new systems.
Security Risk Examples
Hardware also has bugs, and those bugs can be more serious and more difficult to patch. A bug in Intel’s Converged Security and Management Engine (CSME) is one of the most recent examples. The CSME provides low-level cryptographic verifications when the motherboard boots and is the root of trust for everything that follows. Intel has released a partial fix, but even with this fix, the affected CSME chips are still vulnerable to attackers with physical access to the hardware. Intel basically recommends securing physical access to the affected hardware or replacing the chips. Anyone buying a used device with the affected CSME would not know whether or not the partial fix was installed or how well the device was physically secured.
Using unpatched software or hardware is dangerous because hackers are always looking for easy targets. They may prefer to find targets with valuable data, such as payment card or medical billing information, but they can also make money through installing ransomware, adware, or cryptocurrency mining software on any unprotected systems. In recent weeks, we’ve heard reports of hackers attacking vaccine laboratories and hospitals with ransomware.
Authorities in the US and the UK have also reported an increase in malicious actors scanning for known vulnerabilities in VPNs and other remote working tools, hoping that security measures were compromised as more employees were suddenly forced to start working from home. Hackers will seize any opportunity to go after any target, and unpatched vulnerabilities are an easy way in.
Things to Consider: Used Network Security Appliances
The fundamental problem with credence goods is information asymmetry: the seller knows the good’s quality, but the buyer does not. Snake-oil vendors knew what sort of oil they used in their liniments, but customers couldn’t tell if it was water-snake, rattlesnake, or even mineral oil. With used IT equipment, the previous owner knows how well it was maintained, but the vendor and buyer do not. If you are considering buying used IT equipment, assume the worst. Treat it as if it is unpatched and infected with malware until you have taken steps to ensure it can be trusted.
Evaluate the Risk
Consider whether the risk of used equipment is worth the cost savings. If the equipment will be used to store, process or protect particularly sensitive or valuable data, it might be best to buy new equipment.
Do Your Research
If you do buy used devices, do some research to make sure you avoid buying hardware with known, unfixable vulnerabilities, such as the Intel CSME flaw mentioned previously.
Buy from a Reputable Vendor
Preferably one that refurbishes the equipment and offers a warranty.
Do Not Trust the Vendor’s Work
Sanitize the storage media and update the software and firmware yourself.
- You have no idea what data was stored on a server or end-user device. In fact, you may prefer not to, given the astonishing number of people who use company computers to watch pornography. If the storage media is not carefully sanitized, the device might contain information that can cause legal trouble or technical problems. It might contain confidential or private information, such as patient medical records. And finally, the storage media could also hold malware that the previous owner failed to detect or remove.
- Consider using the US National Institute of Standards and Technology (NIST) guidelines for sanitizing media (NIST SP 800-88). For storage devices containing magnetic media, NIST recommends overwriting the media with a fixed pattern, such as binary zeroes. Note that you have to be careful to overwrite the entire storage volume, including sectors that are not mapped to active Logical Block Addresses (LBAs), such as defect areas or currently unallocated space, and to verify afterwards that the overwrite actually covered the whole volume.
- NIST’s guidelines also describe how to clear flash memory-based devices, solid-state drives, and embedded flash-memory on boards and devices.
- If you are a government contractor, there might even be a chance that you are given a device that contains classified or controlled unclassified information (CUI), even though the US government has well-established procedures for sanitizing storage media before equipment is recycled. NIST does describe procedures for sanitizing or destroying media containing classified information, but it would probably be best to seek guidance from your organization’s security officer rather than handling this on your own.
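To make the "overwrite and then verify" step concrete, here is an added example (not from the article or from NIST) in Python that reads a wiped disk image or block device and reports the first byte that does not match the fixed pattern, which is the evidence a sanitization record needs. It assumes a Linux-style device path such as /dev/sdX and, like any read through the OS, only sees the LBA-addressable space: remapped defect sectors and hidden areas are not visible this way and still need the drive's own sanitize command or physical destruction. The sample images are constructed in a temporary directory.

```python
import os
import tempfile
from typing import Dict, Optional

CHUNK = 4 * 1024 * 1024  # read 4 MiB at a time


def first_mismatch(path: str, pattern: bytes = b"\x00") -> Optional[int]:
    """Read the device or image sequentially and return the byte offset of the
    first byte that differs from the repeating fixed pattern, or None if every
    byte matches. None is the result to keep as the verification record."""
    plen = len(pattern)
    offset = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            data = fh.read(CHUNK)
            if not data:
                return None
            # expected bytes for this chunk, keeping the pattern phase across chunks
            phase = offset % plen
            expected = (pattern * (len(data) // plen + 2))[phase:phase + len(data)]
            if data != expected:
                for i, (got, want) in enumerate(zip(data, expected)):
                    if got != want:
                        return offset + i
            offset += len(data)


def make_sample_image(path: str, size: int, leftovers: Dict[int, bytes]) -> None:
    """Constructed sample: a sparse all-zero image with 'leftover' bytes written
    at the given offsets to simulate data that a careless wipe missed."""
    with open(path, "wb") as fh:
        fh.truncate(size)
        for off, blob in leftovers.items():
            fh.seek(off)
            fh.write(blob)


def demo() -> Dict[str, Optional[int]]:
    """Check a cleanly wiped image and one with residual data at offset 5,000,000."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.img")
        dirty = os.path.join(tmp, "dirty.img")
        make_sample_image(clean, 10 * 1024 * 1024, {})
        make_sample_image(dirty, 10 * 1024 * 1024, {5_000_000: b"PATIENT RECORD"})
        return {"clean": first_mismatch(clean), "dirty": first_mismatch(dirty)}


if __name__ == "__main__":
    print(demo())  # {'clean': None, 'dirty': 5000000}
```

Against a real drive, run first_mismatch('/dev/sdX') after the overwrite and before the device is reused; any offset it returns marks media the wipe did not cover.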
Take steps to remove any malware that may have been installed before you purchased the equipment.
- Malware can be very difficult to find and remove. Many types of malware use rootkits to avoid detection and removal. Rootkits provide hidden, privileged access to a computer, giving an attacker the ability to remotely execute files and change system configurations. Some commercial products can find and remove some (but not all) rootkits. You may also be able to detect a rootkit by looking for unusual activity on a computer system, scanning for known malware signatures, or analyzing memory dumps, but that sort of analysis is time-consuming. Wiping the system and reinstalling all the software, including the operating system, and updating the BIOS is often the fastest, cheapest, and most effective way to remove a malware infection.
Update Software and Security Patches
Check all the software to make sure you are running the latest versions and that you have installed any necessary security patches.
The principle “Trust but verify” may have worked for Ronald Reagan and Mikhail Gorbachev during Cold War-era arms control negotiations, but when it comes to buying used IT equipment, “trust nothing” works better. No matter how reputable your vendor is, you should not trust used network appliances and devices unless you have wiped the storage media and installed the latest software and security patches.