Originally posted: http://www.securityfocus.com/templates/forum_message.html?forum=2&head=264&id=264

The Last Line of Defense, Broken
The Public Perception of Security Companies Getting Compromised

Every so often, the protectors of your most important digital
resources get hit with a little mud in the face. The so-called
last line of defense is broken, and the security company protecting
your networks falls victim to the ones they work against. It
happens, possibly more often than you realize, and it will continue
to happen. 

The question to ask is what can be gleaned from a network
security company getting hacked. Does it adversely
affect business and undermine the trust and confidence customers
place in them? Or is it fair warning that anyone is vulnerable
to attack and a grim reality we must face in today's networked
world? 

Perhaps it is a little of both.

Security companies are there to offer security to companies lacking
the ability to protect themselves. Further, they are the publicly
perceived experts in all things security related. Their software,
consulting services, and superior knowledge of computers are but
a small part of the arsenal they use to keep malicious intruders
out of your networks. At what point do these resources break down
and allow someone to compromise even a security firm's security?


The Race Condition

Those familiar with the technical side of UNIX security may recall
many older exploits that relied on winning a Race Condition
to achieve increased access. The concept behind these attacks is that
the program must beat the system in performing a specific function
or task. If the exploit successfully beats the system to this target
function, it is able to gain elevated privileges, giving the intruder
more control over the system. If it fails the race, nothing extraordinary
occurs.

Much like the Race Condition attack, security companies and intruders
are in a continued Race Condition every day. Each day the security
companies stay secure, they are winning the race. Every day a security
company is hacked, they have lost another leg of the race.
Both hackers and security professionals are looking for new
bugs in software and operating systems. Sometimes this entails elaborate
testing against poorly documented software while other times it is
detailed scrutiny of tens of thousands of lines of source code.

The entire time this race is going on, security companies are also
creating products that will hopefully protect them against entire
classes of attacks. This effort is an attempt to protect them from
the unknown, namely the undisclosed vulnerability that hackers
discover before they do. These protections currently take the form
of firewalls, intrusion detection systems (IDS), and other
specialized security software.


Perception is Everything

Back to the original question of perception of these incidents. There
are two ways to perceive a security company failing in their own
specialty:

        1. The compromise of their network adversely affects business.
           The incident further undermines the trust and confidence
           their customers place in their ability to secure a network.

        2. The compromise is fair warning that anyone is vulnerable
           and that there are simply too many undiscovered bugs out
           there. No one can reasonably expect security companies to
           find them all.

Life has taught us that things are not that simple. Our perception
should be based on more than the event of the hack. Rather, our
perception should be based on the hack and, more importantly, the
company's reaction to the incident. There are two basic ways a security
company can react to an intrusion of their own network (assuming
it is publicly known):

        1. Admit there was a lapse in their own security and a network
           intrusion occurred. Water under the bridge and a pledge to
           do better.

        2. The government way: cover it up. Disavow! Never happened!
           If no customers know (or more to the point believe) an intrusion
           occurred, then there is no loss of integrity and disaster
           has been averted.

As logical and honorable as it sounds, not all security companies will
admit to incidents that hurt their reputation. The downside to this
course of action is when the public does find out. Like all things
political, it escalates the incident into an embarrassing failed coverup
worthy of tabloids.

Because many people believe admitting such things is automatic grounds
for laughter and snide remarks, they take the low road and cover up.

Rather than lie or attempt to obscure prior incidents, these companies
must learn that it is a fact of life and they need to move on. Use
these times of turmoil as motivation to achieve better security for
themselves and their clients. Turn the negative into a positive.


Track Record

Some readers may be trying to think of which security companies have
been victims of this and have had to deal with it. In the past year,
each of these security sites has been publicly defaced:

Network Security                www.networksecurity.org
Secure Service                  www.secure-service.org
Securities Software             www.securitiessoftware.com
Secure Transfer                 www.secure-transfer.com
AntiOnline                      www.antionline.com
Security Net                    www.securitynet.net
Network Flight Recorder         www.nfr.net
Symantec                        www.symantec.com

Companies such as NFR that design Intrusion Detection Systems are
particularly vulnerable to reputation damage over such incidents.
Sites such as AntiOnline that continually boast about their own security
often find such defacements more embarrassing as well.


Worse Than Being Attacked

Yes, security companies face one thing worse than being hacked and having
their web page defaced. The rumor of getting hacked. Once rumors
get started, people demand answers and often won't settle on an answer
until it is the one they wish to hear. Conspiracy-driven minds will not 
believe the truth no matter how many times it is told. This suspicion is 
often fueled by prior incidents in which companies have attempted to cover up
intrusions.

If SecurityCo Inc. has been talked about and rumors are floating around
that they were defaced, they are in a horrible position. Even if they
respond truthfully and tell their customers they remain secure and have
not experienced any network intrusions, some people will believe it to be
a coverup. Despite there being no proof a company was hacked, no mirror
of a web defacement and nothing more than "I heard", people often cling
to the idea of it.

FIN

The act of a security company getting hacked and possibly defaced can
be damaging, it's true. However, lying or trying to obscure such
incidents can be much more damaging. If a company that created your best
lines of defense gets hacked, understand that the security game is not
an absolute. Everyone is vulnerable at one point or another. What should
we think about our protectors falling victim? The choice is up to you,
but remember: no one is perfect.