Cybersecurity news items are usually one of two things: your "run-of-the-mill" data breach announcement or vulnerability alert, usually software-related. This week's Symantec fiasco falls into the latter bucket, but it isn't your average vulnerability alert. In fact, this is the one that most enterprise security professionals have been dreading: news that your security defenses are not only ineffective but can be used against you by attackers.
This isn't the first time that a security product was found to be exploitable, but this latest string of flaws discovered by a researcher at Google's Project Zero takes the cake when it comes to severity. One particularly nasty flaw enables attackers to hijack a core Symantec malware detection component to facilitate the attack; another flaw allows attackers to compromise an entire enterprise infrastructure through email without victims having to open any files.
Symantec has since issued patches for the vulnerabilities, but some products cannot be updated automatically and must be patched manually. Here's a partial list of affected products:
- Legacy Norton products
- Symantec Endpoint Protection
- Symantec Email Security
- Symantec Protection Engine
- Symantec Protection for SharePoint Servers
More information can be found at CVE-2016-2208 and How To Compromise the Enterprise Endpoint at Project Zero.
Interestingly, Project Zero security researcher Tavis Ormandy helped Symantec fix a glitch in one of its security products back in May. But he had this to say about this new string of security flaws:
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."
Security products run at the highest privilege levels possible, making them ideal exploitation targets for gaining system access. So in Symantec's case, the product actually weakened its customers' security postures.
A few days ago, Taiwanese computer manufacturer Acer disclosed that "a flaw" in their online store allowed hackers to retrieve almost 35,000 credit card numbers, including security codes, and other personal information. How secure are these digital outlet stores, and what are the chances that if you use them you'll end up like Acer's customers?
The End of Enterprise Security
Symantec's failure is only a sign of what security researchers and professionals have been asserting for some time now: that enterprise security is a lost cause. You may recall last year's cyber attack on security vendor Kaspersky Lab's corporate networks, one that was carried out for the sole purpose of espionage. If security firms cannot protect their own IT assets, what hope is there in a threat landscape where cybercriminals are smarter than the security experts?
The answer to not just surviving, but thriving in today's digitized environments, is resilience: combining the proper continuous security mechanisms with instruments like cybersecurity insurance coverage for offsetting digital risk. When it comes to data breaches, the odds are not in your favor. CSTAR is the first accepted standard used by insurance companies to quantify and evaluate cyber risk, and when coupled with UpGuard's resilience platform for detecting vulnerabilities, misconfigurations, and security gaps, it gives organizations the means to navigate freely in increasingly hostile digital waters.