Holes in the armor: How secure is your cybersecurity?

Defense products’ vulnerabilities get tougher scrutiny in 2017


Security predictions often focus on nation-states and geopolitics, novel strains of malware, or emerging attack surfaces arriving with the Internet of Things (IoT). While important, these issues overshadow a particularly serious risk deserving far more scrutiny in 2017: the security of cybersecurity products themselves.

In a physical analogy, breaking into a secure facility via the guardhouse is hard to imagine, but this is what attackers do, in effect, when they discover or acquire vulnerabilities in keystone security products guarding the perimeter, endpoint and other network tiers.


Security products are always assumed to be built with the most secure code imaginable, but no code is perfect. Moreover, wider knowledge of how to exploit flaws in security appliances and other common products makes this an attractive path for attackers. A closer look at pivotal weaknesses disclosed over the past year shows why this trend is likely to escalate.

The tip of the iceberg

As with vulnerabilities in any technology product, we must assume that the security industry’s true vulnerability count is much larger than what has been disclosed—and 2016 revealed some eye-popping cases. For example, Google’s Project Zero team disclosed severe vulnerabilities in Symantec products which, if left unpatched, could let an attacker compromise machines with malicious attachments and links a victim would not even need to click or open.

Later, the mysterious Shadow Brokers group publicly dumped a trove of exploits, giving users the ability to circumvent firewalls, VPNs, and other security layers. Lost in endless speculation over whether Shadow Brokers disclosed attack tools used by the National Security Agency—and whether Russia or an NSA insider was to blame—is the point that today it does not require nation-state resources to find security product vulnerabilities. As these products become cheaper, and as they incorporate more widely used code and turn up in more parts of the world, the veil of obscurity that shrouds their inner workings and weaknesses is lifting.

Between high-profile examples like these, ongoing independent testing of security products with major market share reveals common stumbling areas. Sometimes, the issue is an actual vulnerability in the software itself. In other cases, security products are fooled by basic evasions or fail to maintain a secure state under conditions like heavy traffic loads. Either case is alarming for security teams relying on these defenses.

Exploiting the path of least resistance

Several factors are driving disclosures. First is sheer communication—a greater number of researchers are comparing notes, scoring bug bounties, presenting at conferences, and notifying vendors. Then there is the path of opportunity and least resistance. As developers of popular operating systems, browsers and other applications improve their security game, people who used to make a living finding bugs in these long-exploited desktop apps are moving on to greener pastures. Increasingly, this leads to security products, where assumptions provide cover and discoveries instantly command credibility, notoriety and profit.

The rate at which security product vulnerabilities are emerging continues to rise. With today’s bumper crop of new and expanding security products—and ongoing interest in their weaknesses and imperfect software—expect more turbulence ahead.

Security buyers need to be upfront with vendors and ask hard questions about quality assurance and product integrity support. At the same time, they should take the critical steps necessary for patching or reconfiguring their defenses on short notice. We should all champion responsible disclosure that helps the security community stay ahead of the worst that can happen when holes are exploited in the very tools we rely on to protect other vulnerable code. As last year’s drumbeat of security product weaknesses continues to reverberate, this is a crucial front to monitor in 2017.
