iLOs and iDRACs should be on a management VLAN, vulnerable or not.
Vulns 'like a hacker camped in the server room' all across the net
Security holes in server management technology create hacking opportunities almost on par with direct physical access, claims Metasploit creator HD Moore. The issue arises from security shortcomings involving baseboard management controllers (a type of embedded computer used to provide out-of-band monitoring for desktops and …
Friday 5th July 2013 08:41 GMT Anonymous Coward
Re: Devs need to start thinking remote management -> data link -> encryption
I'd seriously point that finger elsewhere. If it's an afterthought, then it was never a baseline requirement as it was in all the projects where I was lead, manager, then CIO. And then there's the disquieting little problem of the lack of security training, no funds for security training, and no experience in applying the training. Having someone come in after the fact, say the CSO/CISO (if they even exist) yelling at the devs for not requiring secure programming technologies is far too late and accomplishes nothing but some security theatre.
Up until some of the suits get hauled off to prison for shoddy products that kill people as a result of poor security, nothing will change. "The prospect of being hanged in a fortnight concentrates the mind wonderfully," to probably mangle a quote, is the sad and sorry truth. In IT, out of IT, in military, government, and business, if I screwed up, well the results would not have been at all fun. How about some personal accountability? We do it with almost any other product?