Hackers Finding Flaws In Security Software - InformationWeek


6/20/2005
02:16 PM


Hackers are switching targets, a research firm said Monday, as they look for new vulnerabilities. Rather than focus on operating systems, Windows in particular, they're going after the very security software that's supposed to protect PCs.


"Am I just crazy, or have there been a lot of security vulnerabilities for security companies announced?" Andrew Jaquith, a senior analyst at the Yankee Group said in describing what led him to analyze data from a public vulnerability database, ICAT.

From the beginning of 2004 to May 2005, 77 vulnerabilities affecting security products were posted to ICAT. That was a rate of increase greater than even that of Microsoft's Windows, which has actually shown improvement since the release last fall of Windows XP SP2.

"When considering the number of affected products rather than just the number of distinct vulnerabilities, the rate of increase was as fast as that of the industry as a whole," said Jaquith.

According to Jaquith, three factors played a part in the rise of security product problems. For one, vulnerability researchers -- who include both above-board "good guys" and underground hackers -- may have nearly depleted the supply of easily exploited Windows vulnerabilities, and so are looking for virgin territory.

"An adolescent enthusiasm, and I think that's the right way to describe it, is what's driving a lot of this vulnerability research. They're always looking for the next thing and for recognition," said Jaquith.

Second, security products are an attractive target because nearly all enterprises have deployed them, especially anti-virus solutions. "There's low-hanging fruit in security products," said Jaquith, because the press hasn't forced security firms to acknowledge and fix problems in their code, as it has with operating system makers like Microsoft and Apple. "Flaws targeting security software stand a better chance of being successful," noted Jaquith.

That brings up what Jaquith calls the "tailgating effect," where hackers use the vulnerabilities in security software for their own purposes. "The real bad guys will put these vulnerabilities to work," said Jaquith, for instance to slip malicious code past the defenses companies count on to protect their networks.

A third driver of the trend, he added, is the economic self-interest of security assessment vendors. Although the practice isn't illegal -- and rarely gets slammed by security firms whose products are tagged as vulnerable -- some assessment firms specialize in spotting flaws in security providers' products. The assessment firms -- eEye Digital is an example, said Jaquith -- then sell their own security analysis software, which includes detection signatures for the other vendors' vulnerabilities.

One in four vulnerabilities in security products, in fact, was discovered this way during 2004 and the first half of 2005.

While Jaquith refused to label the practice as unscrupulous, he did say "In the airliner manufacturing industry, you don't see companies saying 'our airplane falls out of the air less often than our competitors.'"

Of the major security vendors whose products have been tagged with vulnerabilities, Symantec's were "disproportionately affected," according to Jaquith's examination of the ICAT database. Check Point and F-Secure also saw their numbers jump in 2004, while others, such as McAfee, showed a significant decrease.

Disclosed vulnerabilities don't always lead to a worm or other exploit, but Jaquith noted that some researchers insist on publicly releasing proof-of-concept code, which makes a hacker's job all that much easier.

"These are like unprocessed uranium," he said. "Malicious parties can transform them easily into munitions."

So far, only one security product vulnerability -- in products from Internet Security Systems (ISS) -- has resulted in a major worm outbreak. In early 2004, the Witty worm snuck through ISS firewalls, and reportedly infected tens of thousands of PCs worldwide.

"Not coincidentally, ISS tightened up its security processes and decreased its share of vulnerabilities last year relative to 2003," said Jaquith. "The Witty worm should have been a wake-up call to the security vendors. It wasn't.

"We should be sounding the alarm," Jaquith urged. "We should be telling the security vendors, 'We know there's not a big problem at the moment, but we want to make you aware of it.'"

And working on it.

While all users should be pushing security vendors to put more emphasis on coding secure products -- so they use some of the same techniques that operating system makers now employ, such as regular security design reviews and reviews of the code base for security issues -- one of the best times to pressure them is when contracts come up for renewal.

Jaquith recommended that enterprises ask their preferred security vendors to detail how they develop in a secure fashion, and how they fix and patch problems.

Another way to mitigate possible exploits is to take a page out of operating system analysts' books. "One potential strategy is to diversify security vendors," he said.

"In the end, though, what we really need to do is push security vendors toward interoperability. They need to open up their APIs and their management consoles," he said, so that a heterogeneous security environment is actually practical.
