When the very companies that provide us security technology are themselves either getting hacked or hamstrung with security flaws, how can we be sure that our computers have any protection at all?
If the security vendors are indeed as helpless as they seem in the face of APTs (advanced persistent threats), why are we shelling out money to them? Are they unable to provide anything beyond the most basic security?
Security Vendors Get Pwned
Back in mid-March, RSA, the security vendor that hosts an IT security conference every year, had its systems breached, sparking frenzied checks of IT systems by its large corporate clients.
In late March, YGN Ethical Hacker Group announced it had found flaws on a McAfee website that left it vulnerable to cross-site scripting and other attacks.
McAfee, you’ll recall, is the vendor that provides additional security for Facebook.
On May 4, LastPass, a company that offers a service safeguarding and managing subscribers’ online passwords, said hackers could have broken into its database and stolen information on up to 1.25 million accounts.
LastPass immediately forced subscribers to change their master passwords and confirm their identities when they logged in.
Where Have All the Experts Gone?
RSA’s systems were apparently breached by spearphishing. This is a targeted form of attack in which selected victims are sent emails crafted to maximize the chance that they’ll read them and either click on links embedded in the emails or open the attachments to the messages.
Attacks like this are almost impossible to stop at the mail gateway because the messages are tailored to look legitimate to the specific recipient, so neither filters nor the user can easily assess their legitimacy.
Unlike the RSA attack, the McAfee website flaw was due to poor quality control. It allowed cross-site scripting, a well-known method of attack in which untrusted input is written back into a page without proper encoding, and one that security vendors, including McAfee, have been warning about for years.
How could this happen?
“The cross site scripting issue is something we should have caught, and it was reported to us,” McAfee spokesperson Joris Evers told TechNewsWorld. “There was a breakdown in process” and McAfee is working to ensure it doesn’t recur, Evers said.
RSA “will pass on commenting for this story,” company spokesperson Alison Parker told TechNewsWorld.
LastPass Leaps on Possible Breach
LastPass’s business is slightly different from the other two firms mentioned above. It’s a password management system. It stores users’ passwords in encrypted form on its servers, so that users can retrieve them from anywhere and log in to sites without remembering each password.
Several weeks ago, the company noticed some short-lived anomalies in its outgoing network traffic from one of its non-critical machines. LastPass couldn’t identify the root cause. When it found a similar anomaly in incoming traffic from one of its databases, it swung into action.
“An abundance of caution is what led us to take the steps we did — lock down all accounts to where they’d been used before and force a password change, or require customers to tell us they were comfortable with the strength of their password,” Joe Siegrist, CEO of LastPass, told TechNewsWorld. “We wanted to protect everyone as much as we possibly could.”
However, Siegrist pointed out that LastPass’s main line of defense is that it doesn’t have anything but the email and encrypted data of its 1.25 million subscribers.
“Most of our customers were relaxed about the news [of a possible break-in], knowing how many millions of years of CPU time it would take to break into any data LastPass had stored for them,” Siegrist stated.
Wrestling With APTs
Expect hackers to continue going after IT security vendors.
“The IT security landscape is the Wild Wild West, and the sheriffs have the biggest targets painted on their chests,” LastPass’s Siegrist said.
When hackers go after IT security providers such as RSA, their attacks have an impact far beyond the vendors’ immediate customers.
Such attacks “don’t just pose an impact risk to the company alone or to its customers’ assets, but to the security those customers are seeking to provide to their own customers and personnel,” Scott Crawford, managing research director at Enterprise Management Associates, told TechNewsWorld.
However, few truly comprehend the challenge of dealing with “the more adaptive, more tenacious or well-resourced adversary who targets just this sort of strategic objective,” Crawford stated.
“We do not yet fully understand what it may mean to operate under an assumption of compromise already present in the environment,” Crawford pointed out. “We are far too often stuck in the past when it comes to a view that prevention should be our only strategy.”
In other words, building a fence around our IT systems to keep the bad guys out should no longer be our only response; we also have to act as if we’re already taking enemy fire or have a mole in our midst.
Is It Worth Paying Security Vendors?
Security vendors “are still providing considerable risk mitigation,” Suzanne Magee, CEO of TechGuard, pointed out. In fact, the lapses in security they suffer “will only encourage innovation and competition and improved cyber products and services in the market,” she told TechNewsWorld.
“Banks are broken into, but we still put our money in them rather than keeping it under our mattresses,” Magee said.