The number of modern security technologies—for enterprises, consumers, offices, homes, and more—seems to be mushrooming, but not all solutions truly make us more secure. In fact, flaws in many solutions put organizations, employees, partners, and customers at heightened risk due to the insecurity in the “security” that the solutions provide.
Vulnerabilities, poor design, backdoors, and even basic misconfigurations in some of these products can jeopardize your well-being far beyond any benefits that the “security” solutions might provide.
Here are several insecurities in security solutions to consider:
- Surveillance – One of the most infamous insecurities in security was dubbed the Mirai Botnet. This massive botnet was created by scanning the Internet for IP-addressable security cameras. Mirai checked each target for an open telnet port and ran a simple dictionary attack against the default, embedded credentials that manufacturers had hardcoded into internet of things (IoT) devices such as security cameras. Infected devices propagated the infection further, and the resulting botnet was ultimately used for a distributed denial of service (DDoS) attack against a variety of Internet providers and organizations. The insecurity of deploying security cameras as IoT devices directly on the Internet—without securing their access ports or credentials—ultimately resulted in one of the largest, most devastating cyberattacks on the Internet to date.
- Infrastructure – Based in China, Huawei is one of the world’s largest technology companies. Recently, the United States government accused the technology giant of spying for the Chinese government, stealing intellectual property from T-Mobile, and skirting sanctions on the export of goods to Iran. In addition, Huawei’s CFO is currently under house arrest in Canada on charges of fraud. As a company, Huawei provides a broad array of technology—everything from microchips to network infrastructure and cellular 5G technology. If the cyberespionage and other accusations are true, then Huawei could infiltrate deep into a country to monitor electronic communications and potentially disrupt sensitive electronic operations. The United States government has banned Huawei from selling electronics to government agencies and is now engaged in a lawsuit with the company over the right to compete fairly in the marketplace.
- Personal Password Managers – In February 2019, Independent Security Evaluators published an independent review on personal password managers. According to their research, many personal password managers suffer from a wide variety of vulnerabilities and are susceptible to memory-scraping malware. While the vendors who were assessed dispute the published findings, the cyberthreat potential for these solutions to be exploited is real.
- Anti-Virus Solutions – In late 2017, the popular Russian-owned antivirus vendor Kaspersky Lab was banned from the vast majority of sales within the United States government. The U.S. has accused Kaspersky of having too cozy a relationship with the Russian Kremlin. The fear, and the security risk, is that Kaspersky solutions could be leveraged as a backdoor to spy on U.S. government agencies (or even U.S. enterprises). Kaspersky has consistently refuted these allegations, but has incurred steep fallout to its reputation and finances. As of this time, Kaspersky solutions have been removed from all civilian government systems and are banned by Homeland Security.
While these are only a few security solutions that can expose insecurities, here are five security best practices to mitigate these risks:
- Diligently apply security updates – Vendors release security updates to patch high-risk default misconfigurations and to remediate vulnerabilities. It is prudent for all organizations to apply rigorous vulnerability management practices (vulnerability assessment and scanning, threat prioritization, remediation, etc.) to inventory their digital assets and apply security updates in a timely fashion to mitigate potential threats.
- Adhere to government security recommendations – Governments worldwide have assessed the risks that arise from various vendors due to potential security flaws in their products. The list is far longer than just the couple mentioned above in this blog, and includes companies like ZTE and V-Tech too. It is in the best interest of any company that handles sensitive data to acknowledge governmental decisions to ban products and decide whether those decisions fit its business model as well.
- Changing default passwords – This is a security best practice for any solution, but it is commonly overlooked in businesses and in consumer solutions. While states like California have passed laws to make sure every new device sold starting next year has a unique password, millions of connected devices around the world still have common, default passwords, leaving a large attack surface intact. It is in the best interest of everyone to identify and change their default passwords.
- Enforcing unique passwords – While using default passwords is incredibly risky, using the same password across different accounts, devices, systems, or other resources is nearly as bad. If one credential is compromised, then all other resources/accounts with the same credential can easily be compromised as well. Therefore, using a unique password on every device is a security imperative. Obviously, remembering all of an organization’s/individual’s passwords is not humanly possible, and this is where automation (password rotation, etc.) capabilities become a critical component in any infrastructure, regardless of whether it’s via a personal password manager or an enterprise-class privileged password management solution.
- Access Control Lists – Due to inherent cyber risks, some devices should never be allowed to communicate with one another. Lateral movement and data exfiltration depend on poor access controls. All organizations and consumers should evaluate whether devices should be able to talk to each other and/or the Internet. You may need to implement IP and WiFi isolation, other restrictions, and segmentation measures to close off unnecessary attack paths.
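The three device-level practices above (no default passwords, no reused passwords, no unnecessary exposure of access ports such as telnet) can be checked against an asset inventory before an attacker like Mirai does it for you. The audit below is an added example, not code from the post or from BeyondTrust; the inventory and the list of factory defaults are constructed sample data, and a real deployment would pull credentials from a vault rather than a literal.

```python
"""Audit a device inventory for the weaknesses Mirai exploited (hypothetical tool)."""
import hashlib
from collections import defaultdict

# Constructed sample of factory-default (username, password) pairs, not a real vendor list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("root", "")}

# Constructed inventory: what an asset-management export might look like.
INVENTORY = [
    {"host": "cam-01", "user": "admin", "password": "admin", "exposed_ports": [23, 80], "internet_facing": True},
    {"host": "cam-02", "user": "admin", "password": "Str0ng-unique-1", "exposed_ports": [443], "internet_facing": False},
    {"host": "dvr-01", "user": "root", "password": "Str0ng-unique-1", "exposed_ports": [23], "internet_facing": False},
    {"host": "nvr-01", "user": "root", "password": "Zq8!pLm2#vXk", "exposed_ports": [443], "internet_facing": True},
]

TELNET_PORT = 23


def audit(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return {host: [finding, ...]} for every device that violates one of the practices."""
    findings = defaultdict(list)
    hosts_by_password = defaultdict(list)  # keyed by digest so plaintext never lands in reports

    for device in inventory:
        host = device["host"]
        # Practice 1: the credential is a known factory default.
        if (device["user"], device["password"]) in defaults:
            findings[host].append("default-credential")
        # Practice 3: the access port Mirai scanned for is open at all, and worse if Internet-reachable.
        if TELNET_PORT in device["exposed_ports"]:
            findings[host].append("telnet-open")
            if device["internet_facing"]:
                findings[host].append("telnet-internet-exposed")
        digest = hashlib.sha256(device["password"].encode()).hexdigest()
        hosts_by_password[digest].append(host)

    # Practice 2: the same password protects more than one device.
    for hosts in hosts_by_password.values():
        if len(hosts) > 1:
            for host in hosts:
                findings[host].append("password-reused")

    return dict(findings)


if __name__ == "__main__":
    for host, issues in sorted(audit(INVENTORY).items()):
        print(f"{host}: {', '.join(issues)}")
```

Devices with no findings (here nvr-01) are simply absent from the result, so an empty dictionary means the inventory passes all three checks.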
Do not allow the insecurity of security solutions to put you or your business at risk. Basic cybersecurity hygiene can help mitigate these threats and ensure that your security choices move the needle in the right direction without introducing new attack pathways.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.