Originally posted: http://www.securityfocus.com/templates/forum_message.html?forum=2&head=264&id=264 The Last Line of Defense, Broken The Public Perception of Security Companies Getting Compromised Every so often, the protectors of your most important digital resources get hit with a little mud in the face. The so-called last line of defense is broken, and the security company protecting your networks falls victim to the ones they work against. It happens, possibly more often than you realize, and it will continue to happen. The question to ask is what can be gleaned from a network security company getting hacked. Does it adversely affect business and undermine the trust and confidence customers place in them? Or is it fair warning that anyone is vulnerable to attack and a grim reality we must face in today's networked world? Perhaps it is a little of both. Security companies are there to offer security to companies lacking the ability to protect themselves. Further, they are the publicly- perceived experts in all things security related. Their software, consulting services, and superior knowledge of computers are but a small part of the aresenal they use to keep malicious intruders out of your networks. At what point do these resources break down and allow someone to compromise even a security firm's security? The Race Condition Those familiar with the technical side of UNIX security may recall many older exploits that relied on winning a Race Condition to achieve increased access. The concept of these attacks are that the program must beat the system in performing a specific function or task. If the exploit successfully beats the system to this target function, it is able to gain elevated priveledges giving the intruder more control over the system. If it fails the race, nothing extraordinary occurs. Much like the Race Condition attack, security companies and intruders are in a continued Race Condition every day. Each day the security companies stay secure, they are winning the race. Every day a security company is hacked, they have lost another leg of the race. Both hackers and security professionals are looking for new bugs in software and operating systems. Sometimes this entails elaborate testing against poorly documented software while other times it is detailed scrutiny of tens of thousands of lines of source code. The entire time this race is going on, security companies are also creating products that will hopefully protect them against entire classes of attacks. This effort is designed to attempt to protect them from the unknown, namely the undisclosed vulnerability that hackers have discovered before they do. These forms of protections are currently found in the form of firewalls, intrusion detection systems (IDS), and other specialized security software. Perception is Everything Back to the original question of perception of these incidents. There are two ways to perceive a security company failing in their own specialty: 1. The compromise of their network adversely affects business. The incident further undermines the trust and confidence their customers place in their ability to secure a network. 2. The compromise is fair warning that anyone is vulnerable and that there are simply too many undiscovered bugs out there. No one can reasonably expect security companies to find them all. Life has taught us that things are not that simple. Our perception (should be) based on more than the event of the hack. Rather our perception should be based on the hack and more importantly, the company's reaction to the incident. There are two basic ways a security company can react to an intrusion of their own network (assuming it is publicly known): 1. Admit there was a lapse in their own security and a network intrusion occured. Water under the bridge and a pledge to do better. 2. The government way: cover it up. Disavow! Never happened! If no customers know (or more to the point believe) an intrusion occured, then there is no loss of integrity and disaster has been averted. As logical and honorable as it sounds, not all security companies will admit to incidents that hurt their reputation. The downside to this course of action is when the public does find out. Like all things political, it escalates the incident into an embarassing failed coverup worthy of tabloids. Because many people believe admitting such things is automatic grounds for laughter and snide remarks, they take the low road and cover up. Rather than lie or attempt to obscure prior incidents, these companies must learn that it is a fact of life and they need to move on. Use these times of turmoil as motivation to achieve better security for them and their clients. Turn the negative into a positive. Track Record Some readers may be trying to think of what security companies have been victims of this and have had to deal with this. In the past year, each of these security sites have been publicly defaced: Network Security www.networksecurity.org Secure Service www.secure-service.org Securities Software www.securitiessoftware.com Secure Transfer www.secure-transfer.com AntiOnline www.antionline.com Security Net www.securitynet.net Network Flight Recorder www.nfr.net Symantec www.symantec.com Companies such as NFR who design Intrusion Detection Systems are particularly vulnerable to reputation damage over such incidents. Sites such as AntiOnline that continually boast about their own security often find such defacements more embarassing as well. Worse Than Being Attacked Yes, security companies face one thing worse than being hacked and having their web page defaced. The rumor of getting hacked. Once rumors get started, people demand answers and often won't settle on an answer until it is the one they wish to hear. Conspiracy-driven minds will not believe the truth no matter how many times it is told. This suspicion is often fueled by prior incidents in which companies have attempted to cover up intrusions. If SecurityCo Inc. has been talked about and rumors are floating around they were defaced, they are in a horrible position. Even if they respond truthfully and tell their customers they remain secure and have not experienced any network intrusions, some people will believe it to be a coverup. Despite there being no proof a company was hacked, no mirror of a web defacement and nothing more than "I heard", people often cling to the idea of it. FIN The act of a security company getting hacked and possibly defaced can be damaging, it's true. However, lying or trying to obscure such incidents can be much more damaging. If a company that created your best lines of defense gets hacked, understand that the security game is not an absolute. Everyone is vulnerable at one point or another. What should we think about our protectors falling victim? The choice is up to you but remember: no one is perfect.