The number of modern security technologies—for enterprises, consumers, offices, homes, and more—seems to be mushrooming, but not all solutions truly make us more secure. In fact, flaws in many solutions put organizations, employees, partners, and customers at heightened risk due to the insecurity in the “security” that the solutions provide.
Vulnerabilities, poor design, backdoors, and even basic misconfigurations in some of these products can jeopardize your well-being far beyond any benefits that the “security” solutions might provide.
Here are several insecurities in security solutions to consider:
- Surveillance – One of the most infamous insecurities in security was dubbed the Mirai botnet. This massive botnet was created by scanning for IP-addressable security cameras on the Internet. Mirai assessed targets for an open telnet port and executed a simple dictionary attack against the default, embedded credentials that manufacturers had hardcoded into internet of things (IoT) devices such as security cameras. Infected devices further propagated the infection, which was ultimately responsible for a distributed denial of service (DDoS) attack against a variety of Internet providers and organizations. The insecurity of deploying security cameras as IoT devices directly on the Internet—without securing their access ports or credentials—ultimately resulted in one of the largest, most devastating cyberattacks on the Internet to date.
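The Mirai pattern described above (many failed telnet logins from one source, followed by a success once a default credential matches) is detectable from ordinary connection and authentication logs. The following is an added example, not code from the original post or from BeyondTrust: it parses a constructed, simplified log format (the field names and sample addresses are assumptions) and raises two kinds of alert, a burst of failed telnet logins from a single source and a successful login that follows earlier failures from that same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in an assumed key=value format (not from the original post).
# 198.51.100.7 behaves like a Mirai scanner: six failures in a few seconds, then a hit on
# a default credential. 203.0.113.5 is a user mistyping twice. The dport=22 line is SSH
# and is ignored by this telnet-focused detector.
SAMPLE_LOGS = """\
2016-09-20T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=root result=fail
2016-09-20T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=admin result=fail
2016-09-20T10:00:03Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=root result=fail
2016-09-20T10:00:04Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=admin result=fail
2016-09-20T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=support result=fail
2016-09-20T10:00:06Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=user result=fail
2016-09-20T10:00:07Z src=198.51.100.7 dst=192.0.2.10 dport=23 event=login user=admin result=success
2016-09-20T10:05:00Z src=203.0.113.5 dst=192.0.2.10 dport=23 event=login user=operator result=fail
2016-09-20T10:05:20Z src=203.0.113.5 dst=192.0.2.10 dport=23 event=login user=operator result=fail
2016-09-20T10:06:00Z src=203.0.113.9 dst=192.0.2.20 dport=22 event=login user=admin result=fail
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"event=login user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def detect_telnet_brute_force(lines, threshold=5, window_s=60):
    """Return alerts for telnet (tcp/23) login activity grouped by (source, destination).

    - "telnet_brute_force": at least `threshold` failed logins within `window_s` seconds.
    - "telnet_success_after_failures": a successful login preceded by any failure from
      the same source, the signature of a default credential being guessed.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 23:
            continue
        attempts[(rec["src"], rec["dst"])].append(rec)

    alerts = []
    for (src, dst), recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "fail"]

        # Sliding window over the sorted failures: flag the first burst that reaches the threshold.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                alerts.append({"type": "telnet_brute_force", "src": src, "dst": dst,
                               "failures": j - i, "first_seen": fails[i]["ts"].isoformat()})
                break

        # A success after failures from the same source is the higher-severity signal.
        seen_fail = False
        for r in recs:
            if r["result"] == "fail":
                seen_fail = True
            elif seen_fail:
                alerts.append({"type": "telnet_success_after_failures", "src": src, "dst": dst,
                               "user": r["user"], "at": r["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_telnet_brute_force(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The thresholds are deliberately conservative defaults; in practice the second alert type matters most, because a device that exposes telnet to the Internet and then accepts a login after a burst of failures is very likely running the default credentials the post describes and should be isolated and re-provisioned rather than merely logged.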
- Infrastructure – Based in China, Huawei is one of the world’s largest technology companies. Recently, the United States government accused the technology giant of spying for the Chinese government, stealing intellectual property from T-Mobile, and skirting sanctions on the import of goods to Iran. In addition, Huawei’s CFO is currently under house arrest in Canada on charges of fraud. As a company, Huawei provides a broad array of technology—everything from microchips to network infrastructure and 5G cellular technology. If the cyberespionage and other accusations are true, then Huawei could infiltrate deep into a country to monitor electronic communications and potentially disrupt sensitive electronic operations. The United States government has banned Huawei from selling electronics to government agencies and is now engaged in a lawsuit with the company over the right to compete fairly in the marketplace.
- Personal Password Managers – In February 2019, Independent Security Evaluators published an independent review on personal password managers. According to their research, many personal password managers suffer from a wide variety of vulnerabilities and are susceptible to memory-scraping malware. While the vendors who were assessed dispute the published findings, the cyberthreat potential for these solutions to be exploited is real.
- Anti-Virus Solutions – In late 2017, the popular Russian-owned antivirus vendor Kaspersky Lab was banned from the vast majority of sales within the United States government. The U.S. has accused Kaspersky of having too cozy a relationship with the Kremlin. The fear, and the security risk, is that Kaspersky solutions could be leveraged as a backdoor to spy on U.S. government agencies (or even U.S. enterprises). Kaspersky has consistently refuted these allegations, but has incurred steep fallout to its reputation and finances. As of this time, Kaspersky solutions have been removed from all civilian government systems and are banned by the Department of Homeland Security.
While these are only a few security solutions that can expose insecurities, here are five security best practices to mitigate these risks:
- Diligently apply security updates – Vendors release security updates to patch high-risk default misconfigurations and to remediate vulnerabilities. It is prudent for all organizations to apply rigorous vulnerability management practices (vulnerability assessment and scanning, threat prioritization, remediation, etc.) to inventory their digital assets and apply security updates in a timely fashion to mitigate potential threats.
- Adhere to government security recommendations – Governments worldwide have assessed the risks that arise from various vendors due to potential security flaws in their products. The list is far longer than just the couple described above in this blog, and includes companies like ZTE and VTech too. It is in the best interest of any company that handles sensitive data to acknowledge governmental decisions to ban products and decide whether honoring those bans fits its business model as well.
- Change default passwords – This is a security best practice for any solution, but it is commonly overlooked in businesses and in consumer solutions. While states like California have passed laws to make sure every new device sold starting next year has a unique password, millions of connected devices around the world still have common, default passwords, leaving a large attack surface intact. It is in the best interest of everyone to identify and change their default passwords.
- Enforce unique passwords – While using default passwords is incredibly risky, using the same password across different accounts, devices, systems, or other resources is nearly as bad. If one credential is compromised, then all other resources and accounts with the same credential can easily be compromised as well. Therefore, using a unique password on every device is a security imperative. Obviously, remembering all of an organization’s or individual’s passwords is not humanly possible, and this is where automation (password rotation, etc.) becomes a critical component of any infrastructure, regardless of whether it comes from a personal password manager or an enterprise-class privileged password management solution.
- Access Control Lists – Due to inherent cyber risks, some devices should never be allowed to communicate. Lateral movement and data exfiltration depend on poor access controls. All organizations and consumers should evaluate whether or not devices should be able to talk to each other and/or the Internet. You may need to implement IP and WiFi isolation, other restrictions, and segmentation measures to remove unnecessary exposure.
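The three device-hygiene practices above (change default passwords, enforce unique passwords, restrict which devices may reach the Internet) can be checked mechanically against an asset inventory. The following is an added example, not code from the original post or from BeyondTrust, and it covers all three practices in one audit. It assumes a constructed inventory of the kind a privileged password management system or asset database could export (device name, network segment, account, password, and whether Internet egress is permitted), a constructed list of vendor default credential pairs, and a policy that names the segments which must not have Internet access. Passwords are compared by SHA-256 fingerprint so the audit never needs to keep plaintext around after hashing.

```python
import hashlib
from collections import defaultdict

# Constructed list of default username/password pairs (illustrative only, not a real vendor list).
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "password"), ("user", "user")}

# Constructed inventory (assumed export format). Two cameras share one password, the lobby
# camera still has its factory credential and is allowed out to the Internet.
INVENTORY = [
    {"name": "cam-lobby-01", "segment": "iot",  "username": "admin",  "password": "admin",        "internet_allowed": True},
    {"name": "cam-dock-02",  "segment": "iot",  "username": "admin",  "password": "Tq7!rN2#vL9p", "internet_allowed": False},
    {"name": "nvr-01",       "segment": "iot",  "username": "admin",  "password": "Tq7!rN2#vL9p", "internet_allowed": False},
    {"name": "fw-edge",      "segment": "mgmt", "username": "netops", "password": "Xk4$wB8&mZ1q", "internet_allowed": True},
]

# Assumed policy: devices in these segments must not initiate connections to the Internet.
NO_INTERNET_SEGMENTS = {"iot"}


def fingerprint(secret):
    """SHA-256 hex digest used only as an in-memory equality key, not as password storage."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


DEFAULT_FINGERPRINTS = {(user, fingerprint(pw)) for user, pw in KNOWN_DEFAULTS}


def audit(inventory, no_internet_segments):
    """Return a list of findings, each a dict with 'device' and 'issue' (plus detail fields).

    Issues raised:
      default_credential  - account still uses a known vendor default pair
      password_reuse      - the same password is configured on more than one device
      segment_egress      - device sits in a segment that policy says must not reach the Internet
    """
    findings = []
    devices_by_fingerprint = defaultdict(list)

    for dev in inventory:
        fp = fingerprint(dev["password"])
        devices_by_fingerprint[fp].append(dev["name"])

        if (dev["username"], fp) in DEFAULT_FINGERPRINTS:
            findings.append({"device": dev["name"], "issue": "default_credential",
                             "username": dev["username"]})

        if dev["segment"] in no_internet_segments and dev["internet_allowed"]:
            findings.append({"device": dev["name"], "issue": "segment_egress",
                             "segment": dev["segment"]})

    # Reuse is a property of the group, so it is reported once the whole inventory is seen.
    for names in devices_by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                findings.append({"device": name, "issue": "password_reuse",
                                 "shared_with": sorted(n for n in names if n != name)})
    return findings


def summarize(findings):
    """Count findings per issue type, the shape a dashboard or ticketing rule would consume."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["issue"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(INVENTORY, NO_INTERNET_SEGMENTS)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run against the constructed inventory, the audit flags the lobby camera twice (factory credential and Internet egress from the IoT segment) and both of the devices that share a password, while the management firewall passes. In a real deployment the inventory would come from the password management tool's API rather than a literal, and the default-credential list would be maintained per vendor; the comparison logic stays the same.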
Do not allow the insecurity of security solutions to put you or your business at risk. Basic cybersecurity hygiene can help mitigate these threats and ensure that your security choices move the needle in the right direction without introducing new attack pathways.
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.