Stop Blaming Security Vendors for Your Breaches

Comment | Print | RSS

• Login to Rate

The most recent example of this is a Forbes article titled "Symantec Gets a Black Eye In Chinese Hack of The New York Times." In it, the author said the following about Symantec, the antivirus software vendor that the NY Times was using at the time of the breach:

Having your email hacked and malicious software spread on your servers for months may be embarrassing. But being outed as the antivirus vendor that failed to catch the vast majority of that malware is likely more humiliating still.

In my opinion, this isn't a fair statement. When looking at the events that ultimately led to the successful hack, there isn't a security vendor in the world that would have been successful in preventing the breach. Here's why:

The method that the Chinese hackers used to get their foot in the door initially wasn't some overly complex exploit that targeted the NY Times servers. Instead, it all started as a very common spear-phishing technique directed toward employees that unknowingly downloaded custom-created malware onto their system that sat on The New York Times network. Since the malware did not use commonly-known malware signatures, it's likely that no AV software around would have flagged the code as malicious. Even more important is the fact that this whole thing started out with simple social engineering. Again, it points out that the weakest link of any IT infrastructure is the employee.

Secondly, the revelation that complex passwords were not being used was glossed over. The NY Times postmortem states: "Hashed passwords can easily be cracked using so-called rainbow tables -- readily available databases of hash values for nearly every alphanumeric character combination, up to a certain length." The "can be easily cracked" statement is only true if the password policies are not set strictly enough. If policies are set and enforced where users are required to create a complex, random string of 12+ characters, cracking hashed passwords becomes nearly impossible.

Lastly, Symantec had reportedly responded to the Forbes article by stating in the comments section:

Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.

In other words, while the Times had deployed Symantec's AV software, that's only one piece of the puzzle. To truly fend off sophisticated attacks, companies must deploy a robust and layered defense in-depth strategy. Only with overlapping security measures can you ever hope to protect your network.

This incident should serve as a lesson to all of us involved in IT security. We can't simply rely on one or two tools to protect us from today's ever-increasing threats. Multiple tactics need to be deployed. Additionally, it is almost impossible to protect data when employees freely open doors for hackers. Employee education regarding social engineering techniques needs to be taken more seriously and training should be performed on an annual basis to keep everyone up to date on the latest techniques used.