Holes in the armor: How secure is your cybersecurity?
Defense products’ vulnerabilities get tougher scrutiny in 2017
By Jayendra Pathak, Special to ThirdCertainty
Security predictions often focus on nation-states and geopolitics, novel strains of malware, or emerging attack surfaces arriving with the Internet of Things (IoT). While important, these issues overshadow a particularly serious risk deserving far more scrutiny in 2017: The security of cybersecurity products themselves.
In a physical analogy, breaking into a secure facility via the guardhouse is hard to imagine, but this is what attackers do, in effect, when they discover or acquire vulnerabilities in keystone security products guarding the perimeter, endpoint and other network tiers.
Security products are always assumed to be built with the most secure code imaginable, but no code is perfect. Moreover, wider knowledge of how to exploit flaws in security appliances and other common products makes this an attractive path for attackers. A closer look at pivotal weaknesses disclosed over the past year shows why this trend is likely to escalate.
The tip of the iceberg
As with vulnerabilities in any technology product, we must assume that the security industry’s true vulnerability count is much larger than what has been disclosed—and 2016 revealed some eye-popping cases. For example, Google’s Project Zero team disclosed severe vulnerabilities in Symantec products which, if left unpatched, could let an attacker compromise machines with malicious attachments and links a victim would not even need to click or open.
Later, the mysterious Shadow Brokers group publicly dumped a trove of exploits, giving users the ability to circumvent firewalls, VPNs, and other security layers. Lost in endless speculation over whether Shadow Brokers disclosed attack tools used by the National Security Agency—and whether Russia or an NSA insider was to blame—is the point that today it does not require nation-state resources to find security product vulnerabilities. As these products become cheaper, and as they incorporate more widely used code and turn up in more parts of the world, the veil of obscurity that shrouds their inner workings and weaknesses is lifting.
Alongside high-profile examples like these, ongoing independent testing of security products with major market share reveals common stumbling areas. Sometimes the issue is an actual vulnerability in the software itself. In other cases, security products are fooled by basic evasions or fail to maintain a secure state under conditions such as heavy traffic loads. Either case is alarming for security teams relying on these defenses.
Exploiting the path of least resistance
Several factors are driving disclosures. First is sheer communication: more researchers are comparing notes, scoring bug bounties, presenting at conferences, and notifying vendors. Then there is the path of opportunity and least resistance. As developers of popular operating systems, browsers and other applications improve their security game, people who used to make a living finding bugs in these long-exploited desktop apps are moving on to greener pastures. Increasingly, this leads to security products, where assumptions of robustness provide cover and discoveries instantly command credibility, notoriety and profit.
The rate at which security product vulnerabilities are emerging continues to rise. With today’s bumper crop of new and expanding security products—and ongoing interest in their weaknesses and imperfect software—expect more turbulence ahead.
Security buyers need to be upfront with vendors and ask hard questions about quality assurance and product integrity support. At the same time, they should take the critical steps necessary for patching or reconfiguring their defenses on short notice. We should all champion responsible disclosure that helps the security community stay ahead of the worst that can happen when holes are exploited in the very tools we rely on to protect other vulnerable code. As last year’s drumbeat of security product weaknesses continues to reverberate, this is a crucial front to monitor in 2017.