You’ve spent months with your team designing your company’s security strategy: you’ve demoed and chosen vendors, spent money, and assured your users that this investment will pay off by keeping their business safe. The next thing you know, the very software you’ve put in place to protect your data is exposing it instead. This nightmare scenario has become reality for some companies when major security software was compromised or had fatal flaws that exposed sensitive information to unknown third parties. Just because you sell security doesn’t mean you always practice it.
In June of 2015, LastPass, a cloud-based password management company, was hacked. Email addresses, password reminders and the encrypted passwords themselves were compromised. While not an enterprise product, many customers were forced to change their passwords and, more importantly, to reconsider whether a password management solution was more or less secure than using individual passwords and finding some way to remember them. We expect security solutions to be secure themselves; it seems self-evident. But software is software, and data breaches happen, even to cybersecurity organizations.
FireEye faced a situation in September of 2015 where an independent security researcher claimed to have discovered four critical 0-day vulnerabilities in its software, allowing login bypass and remote code execution. It turned out that an Apache web server running PHP as root enabled one of the exploits. Not running web servers as root is security 101 for Linux sysadmins, many of whom reminded FireEye of that on social media. FireEye customers pay FireEye to protect them from 0-day vulnerabilities. Not only did FireEye’s own software contain several vulnerabilities, but according to the researcher, FireEye refused to acknowledge reports of them for over a year, meaning these exploits were present on production appliances during that entire stretch.
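The root-as-web-server problem above is easy to check for on a running box. The script below is an added example, not part of the original post or of any vendor’s tooling: it scans a process listing in `ps -eo user,pid,ppid,comm` layout and flags web-server or PHP worker processes that are still running as root. The master process legitimately starts as root to bind ports 80 and 443, so only children (processes whose parent is not PID 1) are reported. The process listing embedded here is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): flag web-server worker processes
# that are still running as root. The master process may start as root to bind
# privileged ports, but every child it forks should have dropped to an
# unprivileged account (www-data, apache, nginx, nobody, ...).

# Constructed sample in `ps -eo user,pid,ppid,comm` layout; not real data.
SAMPLE_PS='USER PID PPID COMMAND
root 1 0 init
root 812 1 apache2
www-data 813 812 apache2
www-data 814 812 apache2
root 815 812 php-cgi
root 900 1 nginx
nginx 901 900 nginx
root 950 1 sshd'

# find_root_workers: reads a process listing on stdin and prints "pid command"
# for each web-server/PHP child whose parent is not PID 1 and whose user is root.
find_root_workers() {
    awk '
        NR == 1 { next }   # skip the header row
        $4 ~ /^(apache2|httpd|nginx|php-cgi|php-fpm)$/ && $3 != 1 && $1 == "root" {
            print $2, $4
        }'
}

# audit_sample: runs the check over the constructed listing. Returns 1 when any
# offending worker exists, so it can gate a build or an appliance health probe.
# On a live host you would pipe `ps -eo user,pid,ppid,comm` instead.
audit_sample() {
    out=$(printf '%s\n' "$SAMPLE_PS" | find_root_workers)
    if [ -n "$out" ]; then
        printf 'root-owned web worker(s):\n%s\n' "$out"
        return 1
    fi
    echo "no root-owned web workers"
    return 0
}
```

Against the sample listing the check reports only `815 php-cgi`: the Apache and nginx masters (PIDs 812 and 900) are ignored because their parent is PID 1, while the PHP CGI child that never dropped privileges is flagged. Extend the pattern list to match whatever the appliance actually runs.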
No software company wants to discover code in its own application that it didn’t know was there, but that’s exactly what happened to Juniper Networks in December of 2015. Juniper’s NetScreen firewall carried the affected software, going back to at least 2012. The unauthorized code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” according to Juniper’s CIO Bob Worrall. The nature of the code implies an original “sophisticated nation-state attacker,” but now that the exploit has come to light, it has been shown that a master password can be obtained for unpatched devices by any malicious actor. On the upside, this was discovered because Juniper ran an internal code review; however, it raises the question of how often they do such a thing if the unauthorized code had lived in their product for three years.
Catalyzed by the Juniper disclosure, Cisco ordered its own internal code review in January of 2016. During this review, they found several security issues, including two critical flaws, one in the Aironet 1800 series and one in their flagship security product ISE. Another vulnerability affected the Cisco Wireless LAN Controller and would allow an attacker to take over the device completely. All of these issues were discovered in-house, but only because Cisco was prompted by Juniper’s “unauthorized code” findings to review its own products. These vulnerabilities existed in devices in the wild for an unspecified amount of time, and the fact that they were discovered in-house rather than by malicious parties ultimately comes down to luck.
One of the leading anti-virus makers, Kaspersky, announced in June of 2015 that it had suffered a sophisticated data breach, but had detected it at an early enough stage that the data exposed was “in no way critical to the operation” of its products. More detailed information reveals that attackers compromised Microsoft installer files to spread the malware on workstations inside the company. Fortunately no sensitive data was lost in this incident, but Kaspersky’s reliance on vulnerable Microsoft software shows how a relatively small security flaw can snowball into a company-wide fiasco in the blink of an eye. Kaspersky's site lacks sitewide SSL, dropping the score significantly.
Back in 2012, Symantec faced what is now a common scenario: the third-party data breach. But this time, hackers compromised proprietary source code, not user information. The source code eventually found its way to the BitTorrent tracker The Pirate Bay, and thus to any interested parties on the internet. Symantec downplayed the significance of the leak, stating that the code was for older versions of its products and did not affect its current consumer offerings. Regardless of what information could have been gleaned from that source code to exploit other Symantec products, the fact that a third party held, and lost, valuable company information highlights the importance of using only those vendors with demonstrable security.
At the beginning of 2016, anti-virus provider Trend Micro was informed by Google Project Zero that its popular anti-virus software had a critical security flaw that could allow a remote attacker to install malware and compromise passwords, even if they were encrypted. Trend Micro released a patch after the announcement, of course, but users of its anti-virus software were actually more at risk with it installed before Google disclosed the vulnerability, which Google described as "ridiculous." This was one of the more serious flaws affecting anti-virus software, and Trend Micro was saved from an even worse incident by Google's white hats. Google did what Trend Micro should have done itself: regular security testing.
In reality, security through obscurity usually means that the only people who find obscure resources are the people looking to exploit them for a way in.
Internet hacks, sophisticated malware, 0-day exploits, third-party data breaches: security software faces the same threats as any other software. How vendors handle their own security practices, from how their appliances work to whether their code is vulnerable, determines whether they can withstand these threats when they manifest. Sloppy build or configuration practices can lead directly to a data breach for any customer using the affected software.
As Juniper and Cisco found out in the situations above, companies should conduct regular code reviews to look for possible vulnerabilities. It has also benefited these companies to do so openly and share their findings with the tech community, as such revelations can push other companies into following suit and tightening up the security of their own products before facing a major breach. No software will ever be perfect, but as continuously tested resiliency becomes an integral part of software development, fewer vulnerabilities will be discovered by people outside the development team. UpGuard offers continuous visibility into your configurations, and the first ten nodes are free.