What's Eating Internet Security?
Jul 15, 2014 7:06 AM PT
It's a given that hackers can and do penetrate websites with laughable ease, ranging from those of retailers to those of the United States government.
It certainly doesn't help the security-minded to know that the U.S. National Security Agency and other countries' spy agencies, including the UK's GCHQ and the West German intelligence agency, are tapping into online communications at will. In fact, the Germans have set aside US$136 million for that purpose.
Symantec's recent admission that antivirus software is dead didn't help matters, although it only echoed what many AV experts have been saying for years and what NSS Labs has pointed to in various reports over the last several years.
Microsoft's July Patch Tuesday may have been relatively light, but the company's June Patch Tuesday contained almost 60 remote execution flaws in the six versions of Internet Explorer and the components that render fonts on PCs, and one of the IE bug reports tackled was more than 180 days old, Kurt Baumgartner, senior security researcher at Kaspersky Lab, pointed out.
The battle against the decade-old Pass-the-Hash Technique, aka Putter Panda, continues, with Crowdstrike last month disclosing that it was used in an attack from Shanghai, China, probably on behalf of the Chinese People's Liberation Army.
When Security Dinosaurs Ruled the Earth
Just what is going on here? Can enterprises be safe? When AV and other security experts advised enterprises to install AV software, then intoned that it's not a question of if you get hit by a breach but when, were they secretly snickering to themselves? Have CEOs of enterprises been hung out to dry by the security industry?
Security products are built around using outdated techniques, Randy Abrams, a research director at NSS Labs, told TechNewsWorld.
Information security has evolved over the past 40 years "in a way that has created a layered model that has added capabilities but deviates little from its core design," he said. Security "chases the last known problem, while attackers focus on the next possible vector."
Are Vendors Serving Up Flawed Software?
Given the vast and increasing number of security vulnerabilities being discovered in operating systems, browsers and applications, the question of whether OS and software companies knowingly have served up flawed products might be raised. How else can we explain away the repeated reports of flaws and vulnerabilities in our most-used applications and OSes?
The problem may be more complex than it seems, said Roberto Martinez, a security researcher at Kaspersky Lab. Software developers have to maintain a balance between security, functionality and ease of use when developing an application.
"If priority is given to the functionality instead of application security, then the risk of a compromise is elevated. The complexity in requirements and architecture to run a program can be a factor too," Martinez told TechNewsWorld.
"The primary reason why applications are insecure is because developers generally are not security experts," Chris Morales, practice manager, architecture and infrastructure, at NSS Labs, told TechNewsWorld.
Many Parts Make Life Hell
Many widely used PC applications and operating systems have millions of lines of code, and "it's a statistically proven fact that new vulnerabilities are likely to get introduced per few thousand lines of code," Rahul Kashyap, chief security architect at Bromium, pointed out.
Still, rounding up developers and giving them security training is not necessarily the answer.
Size is one issue, and the complex interactions between systems constitute another, Seth Hanford, manager of Cisco's Threat Research Analysis & Communications, told TechNewsWorld.
Further, researchers constantly are discovering new ways to attack existing systems, "not because computers are better or faster, but just because of new investigations, insight or inspiration," he said. We could be discovering more security flaws because we're now paying more attention to security.
As for Pass-the-Hash, that's "an architectural part of Microsoft Windows," Hanford stated. "Truly fixing that problem will require a change in the way Windows works."
Other Issues Affecting Security
Inadequate security training for developers, along with deadlines and budget constraints, may contribute to the existence of security flaws, Jerome Segura, senior security researcher for Malwarebytes, told TechNewsWorld.
Further, quality assurance testing "is often focused on finding typical bugs but not necessarily security vulnerabilities," he pointed out.
Third-party libraries that may contain vulnerabilities themselves are a problem, Segura remarked, pointing to the Heartbleed flaw in OpenSSL that impacted hundreds of applications.
The nature of multipurpose OSes "makes it nearly impossible to effectively secure them," NSS' Abrams remarked.
Security and risk professionals are considering replacing third-party AV tools with native OS AV augmented with one or more third-party alternatives such as application whitelisting, application privilege management, and endpoint execution isolation, according to Forrester.
However, "blacklisting is too reactive" and whitelisting "is not practical for end users," Bromium's Kashyap told TechNewsWorld.
"We need tools -- programming languages, Web frameworks, even configuration guides -- that make it hard to do the wrong thing," Cisco's Hanford suggested. "We need more adoption of systems like Web reputation. As a security community, we need to do more with efforts like the Linux Foundation's Core Infrastructure Initiative to identify the things that are hard to get right, important to solve, and critical to Web security, and ensure they are well and widely supported."
Security vendors are coming up with new types of products. For example, Malwarebytes has launched Malwarebytes Anti-Exploit, a technology it claims will protect Windows PCs against both known and unknown zero-day exploits.
In the meantime, enterprises should implement systems to monitor their networks and servers, detect anomalies, and identify any security incidents, Kaspersky's Martinez suggested. Existing applications should be constantly audited for flaws.
And, of course, systems should be patched and firewalls maintained.