Tuesday, February 12, 2013

Do as I say, not as I do. RSA, Bit9 and others...

by Ian Amit - @iiamit

You thought you had everything nailed down. Perhaps you even bypassed "best practice" (which would have driven you to compliance and your security into the gutter) and focused on protecting your assets by applying the right controls in a risk-focused manner.

You had your processes, technologies, and logs all figured out. However, you still got "owned". Do you know why? You are still a little naive.

You placed your trust in big-name vendors. You listened to them, you were convinced by their pitch, and maybe you even put their products through rigorous testing to make sure they actually delivered. However, you forgot one thing: the big-name vendors do not always have your best interest at heart.

Such companies will preach to you and guide you down the righteous path. However, when you look behind the curtain, the truth is revealed.

The latest Bit9 compromise is not too surprising. Bit9 customers are obviously very security aware, as they opted to deploy a whitelisting product to protect their computing assets. As such, these customers are most likely high-value targets for adversaries. With that level of security awareness, these customers probably also have more security measures and practices in place to detect and mitigate attackers. In other words, if I were scoping out such a target for an attack, I would have to focus on supply-chain elements that are weaker than the target itself: the vendors whose software and trust the target has already let inside (much in the same manner we teach in our Red-Team Testing classes).

RSA was such a target. There were others. Bit9 was also a target, as a stepping stone to some of its customers.

Color me surprised.

If you are a vendor gloating over the latest compromise, please do not bother. If you have not been through a similar threat model, then either your products are not good enough (hence your customers are not high-value targets), or your own security is not up to speed and you simply have not realized yet that you have been breached.

If you are a security consumer, and therefore care a bit more, do not make any assumptions about your security vendors. They are not the target. You are. As such, their security practices are more generic than yours, tuned to their own threat model rather than to yours. Account for this in your security strategy, and never fully trust anything outside your span of control: anything a vendor ships to you, signs for you, or holds on your behalf. It is your responsibility to hold such vendors to at least their own standard, and to demand oversight and proof that they actually meet it.

1 comment:

  1. Well put: "big-name vendors do not always have your best interest at heart".

    They lack vision, and vision is typically what is in your mind for assuring the security of the operating environment.

    However, I am a strong believer in encryption. Organizations have not adopted the use of encryption smartly, nor do many of the capabilities support the organization's vision either.

    I recently crafted a "legitimate" idea for protecting certain closed-loop environments from malware accessing the assets.

    By putting this the other way around: securing the environment with encryption not against data leakage, but to protect the environment from containing anything other than specifically encrypted assets. Yes, it sounds like whitelisting, but it goes beyond it.

    I believe that the depth of an organization's security and the protection of its assets will gain more and more interest in the near future. Lacking a solid in-depth strategy is one of the deadly sins.