Is Symantec's Latest Failure the End of Enterprise Security?
Updated on April 30, 2018
Cybersecurity news items are usually one of two things: your "run-of-the-mill" data breach announcement or vulnerability alert, usually software-related. This week's Symantec fiasco falls into the latter bucket, but it isn't your average vulnerability alert. In fact, this is the one that most enterprise security professionals have been dreading and are horrified to hear: that your security defenses are not only ineffective, they can be used against you by attackers.
This isn't the first time that a security product was found to be exploitable, but this latest string of flaws discovered by a researcher at Google's Project Zero takes the cake when it comes to severity. One particularly nasty flaw enables attackers to hijack a core Symantec malware detection component to facilitate the attack; another flaw allows attackers to compromise an entire enterprise infrastructure through email without victims having to open any files.
Symantec has since issued patches for the vulnerabilities, but some products cannot be updated automatically and must be patched manually. Here's a partial list of affected products:
Interestingly, Project Zero security researcher Tavis Ormandy helped Symantec fix a glitch in one of its security products back in May. But he had this to say about this new string of security flaws:
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."
Security products run at the highest privilege levels possible, making them ideal exploitation targets for gaining system access. So in Symantec's case, the product actually weakened its customers' security postures.
The End of Enterprise Security
Symantec's failure is only a sign of what security researchers and professionals have been asserting for some time now: that enterprise security is a lost cause. You may recall last year's cyber attack on security vendor Kaspersky Lab's corporate networks, one that was carried out for the sole purpose of espionage. If security firms cannot protect their own IT assets, what hope is there in a threat landscape where cybercriminals are smarter than the security experts?
The answer to not just surviving, but thriving in today's digitized environments, is resilience: combining the proper continuous security mechanisms with instruments like cybersecurity insurance coverage for offsetting digital risk. When it comes to data breaches, the odds are not in your favor. CSTAR is the first accepted standard used by insurance companies to quantify and evaluate cyber risk, and when coupled with UpGuard's resilience platform for detecting vulnerabilities, misconfigurations, and security gaps, it gives organizations the means to navigate freely in increasingly hostile digital waters.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.