Should you trust your security software?

The complaint that security is broken isn’t new and even industry insiders are joining the chorus. Companies spent an estimated $75 billion last year on security products and yet cyber attacks and data breaches are still a common occurrence. Now, we’re finding that security tools themselves have vulnerabilities that are putting organizations at risk.

Given that vulnerabilities in software are the root cause of most attacks and security tools are inherently intrusive in order to function, flaws in those products are particularly destructive and dangerous — exposing organizations to complete compromise.

Recently, Google’s Project Zero security research team uncovered a bunch of critical vulnerabilities in two dozen enterprise and consumer antivirus security products from Symantec and its Norton brand. The flaws could allow attackers to completely compromise computers by sending emails that could unleash malicious self-replicating code into networks even if the emails aren’t opened and links aren’t clicked. “These vulnerabilities are as bad as it gets,” researcher Tavis Ormandy wrote in his blog post.

This is just the latest in a series of discoveries of security problems in security software and appliances that millions of people and organizations rely on to keep them safe. Ormandy previously found problems in products from Kaspersky, FireEye, ESET, Comodo, McAfee and Trend Micro.

Last year my team of researchers found vulnerabilities in AVG, McAfee and Kaspersky, and Juniper Networks found “unauthorized” code embedded in its own firewalls that included a super user password that could be used to take control of the machine. There are more instances going back through the years, but the problems seem to be ramping up lately. This comes at a time when companies continue to put blind faith in basic security products, like antivirus, in hopes of keeping malware out.

If people can’t trust the products that are supposed to keep their data safe, the industry is seriously failing everyone and causing more harm than good. Security providers need to hold themselves to a high standard or risk losing public faith in their products and the system.

Vendors need to be held accountable for lapses in their products and development that put customers at risk. It’s one problem to sell products that fail to recognize or adequately block threats; it’s another when the products provide attackers a direct pathway into a corporate network.

I agree with Ormandy that security software should take advantage of techniques like sandboxing to help control the activities of bad code. And they should all be following security development lifecycle best practices, such as those pioneered by Microsoft and Cigital. Vendors also need to be looking for design vulnerabilities in their products that can be used by attackers to exploit legitimate features or functions to compromise systems. Vendors should be prioritizing security in their products. There’s no excuse not to!

But I suspect it will take more shaming in the media when vulnerabilities are found, or even some lawsuits or legislation, before things get better. So what can organizations do in the meantime to protect themselves? They can minimize their exposure by adjusting their mindset and having realistic expectations. Specifically:

Don’t assume the security products are secure

Companies should apply security policies to all security tools. That means requiring vendors to provide automated patching, thoroughly vetting the infrastructure and pen-testing security products as organizations do for other software. It also means looking for and disabling unnecessary remote access services, such as SSH, FTP, NetCat and Telnet. And don’t ignore security alerts and logs.

Assume the network will be breached

Even when security products work as advertised, that doesn’t mean they catch all the threats. Organizations need to prepare for the likelihood — which is increasingly a reality — that the network will be compromised. It’s still possible to prevent damage to the organization even in the event of a compromise. Researchers have discovered that advanced threats leave a “fingerprint” in the operating system that shows up when outbound connections are established and files are modified.

Traditional antivirus products work by identifying specific signatures of malware, but when the signatures change, as they do all the time, the malware slips in. Instead, technology can be used that blocks data exfiltration or tampering in real time by correlating the outbound communications and file modification with the respective ancestry operating system instruction flow.

The industry has a responsibility to make sure that security products not only work as intended but don’t put organizations and data at risk. Vendors need to serve as role models for the entire tech industry by really building secure software and restoring the faith of customers. C’mon security vendors, clean up your act!