Keely Wilkins has over 30 years of experience in Information Technology and Information Security with proven skills in support, operations, engineering, analysis, management, and sales.  Prior to Check Point, she worked for Fortune 50 enterprises, higher education, medical, telco, MSSP, finance and VAR organizations. Keely holds a MS in Cybersecurity from Florida Institute of Technology, the GIAC GLEG (Law of Data Security and Investigations) certification, and presented at the SANS Institute 2019 Supply Chain Security Summit. Keely joined Check Point Software Technologies in 2019 as the Pre-Sales Security Engineer for the Commercial sector in Southern Virginia and was recently inducted into the Office of the CTO Evangelist Guild.

In this outstanding interview, Keely Wilkins discusses the meaning of grey market gear, how grey market gear may appear tempting to some organizations -especially as a supply chain issue work-around-  and she discusses why the grey market path is to be avoided. These are insights that you won’t want to miss!

What is grey market gear?

Grey market gear is any device acquired through non-standard, unauthorized channels.

Nearly anything can be found online for an appealing price. I have seen all sorts of IT and OT equipment offered for sale through unauthorized channels: servers, routers, switches, load balancers, firewalls, medical devices, industrial gear, and more.

The safest way to acquire technical devices is either directly from the manufacturer or through an authorized reseller.

Who is likely to seek out grey market gear and where might they find it?

Grey market gear appeals to a variety of buyers.  Among them are:

  • Individuals trying to build a home lab for personal use
  • Small-to-medium sized businesses in need of functionality at a seemingly affordable cost
  • Enterprise-level employees trying to expedite a project or who want a swap-able device in case of a failure

There is no shortage of online marketplaces selling used, new, or stolen devices. Devices are also privately sold, traded, or donated between individuals.

The oddest place I have seen ‘suspect’ equipment was in a pawnshop in the Florida Keys, approximately 15 years ago. There was an AS400 for sale in the back of the shop; the asking price was in the $300 range.

Why is this a bad practice?

For most, purchasing equipment via the grey market is a means by which to save money, learn new technology, and/or help their organization.  The intention is good, but the cost is significantly higher than the price tag.

The practice is bad because you inherit a myriad of risks while removing numerous programmatic and legal safeguards.  Additionally, you rarely get the actual functionality you were seeking.

Risk examples:

  • If the device was stolen and you buy it, you are now in possession of stolen property – which is a crime
  • The device cannot be used because the manufacturer has built-in safeguards to prevent unauthorized use of the equipment
  • The device is functional, but the kernel, firmware, and/or software is counterfeit or it’s preloaded with malware
  • Risk is introduced not just to the buyer, but to every individual or organization that they transact with electronically

Lost safeguards, examples:

  • No support, no warranty and no recourse
  • Device is not covered by property or cyber insurance

Do you know of situations where grey market gear has been exploited?

One example I can share is of a small ISP who had contracted with a third-party to perform specific technical services. The origin of their equipment was unknown and the result was that they introduced malware into the ISPs environment. The malware resulted in over $1M in lost revenue (within days) as well as quite an investment in investigation, troubleshooting, remediation, and service restoration.  As an ISP, they provided internet connectivity to the whole local community: residents, schools, hospitals, businesses, etc.. Law enforcement took over the investigation.

I cannot say whether the third-party had malicious intent or whether they were simply trying to be frugal by employing grey market gear. Regardless of intent, the situation did not end well for them.

It sounds like this is an issue with some history. Why is it important to revisit it now?

This is an old issue. It is important to revisit it now because the motivators have changed. Historically, the motivator to get grey market gear was to save money. Today, there is an extra motivator – supply chain issues. Some technology vendors are experiencing delivery delays of up to 500 days (approx. 16.5 months). This delays projects, it suspends growth, and it makes people antsy.

Check Point is fortunate to have forecasted supply needs to meet the demands of our existing and new customers.  At this time, we are not experiencing delays in order lead times.

Many vendors are on the flip side of the situation and those delays impact not only the technical project at hand, but also the business problems those projects are intended to solve.  In other words, a route/switch delivery delay may affect the ability to secure an environment because the existing network architecture is not suitable for the new security gear.

How do you mitigate these risks?

We always have four options when evaluating risk: Avoid, Mitigate, Transfer, or Accept. The right answer to grey market gear is to AVOID the risk. Do not engage, it is not a bargain; it will not get you out of a bind.

Can Check Point appliances be exploited in this way?

Anything is possible, but I can say with confidence that Check Point takes a strong stance to mitigate this risk through programmatic and procedural requirements.

If someone has grey market gear in their network, what should they do?

Disconnect it from the network, wipe the drives, and disable the device from reuse.

For additional insights from Keely Wilkins, click here. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the newsletter.