Customers meanwhile have had to take it on trust that cyber security vendors know what they’re doing and are able to keep themselves safe.
That trust can be dangerous, as the recent breach of Okta, a large American identity and access management company that many enterprises use, has shown.
Okta’s business is to authenticate users and provide them with secure access to corporate systems. That’s about as privileged a position as it gets in any organisation.
For the second time, Okta’s support system was breached by unknown hackers who were able to get their hands on system access tokens which were embedded in files customers sent in for troubleshooting.
Okta, however, did not detect that it had been compromised. Instead, two of its customers spotted the hack after they were attacked.
Unfortunately for Okta, one customer was security vendor BeyondTrust which was founded by Marc Maiffret.
Maiffret is something of an infosec legend, having discovered the infamous Code Red Windows worm with Ryan Permeh in 2001. What he says carries weight.
BeyondTrust reported the compromise to Okta which didn’t acknowledge the breach for over two weeks. The long and inexcusable delay was made public by BeyondTrust, and ended up in the news.
Reverse proxy and internet security company Cloudflare is also an Okta customer. It too spotted the compromise after foiling an Okta-connected hack attempt.
This is the second time Cloudflare’s been attacked via Okta. The first time was in March last year when a hacker got access to an Okta support staffer’s account and used it to attack Cloudflare and other internet companies.
Cloudflare was clearly annoyed at the second hack attack and gave Okta a sick burn in a blog post that provided recommendations for the identity and access management vendor on how it could secure itself.
How Okta will recover from the above embarrassing fiasco remains to be seen, but it’s not unique for companies in trusted positions to screw up magnificently.
Barracuda Networks’ Email Security Gateway device is a recent standout example of that. The devices, popular with many corporates, were compromised in large numbers and so thoroughly that Barracuda told customers to junk their existing gear and replace them with new ones.
Networking giant Cisco had to scramble to release patches for the operating system that runs many of its routers and switches after hackers discovered a way to remotely add administrative accounts to them, giving them full control of the devices. Some 42,000 devices were estimated to have been hacked.
The epic SolarWinds “Sunburst” hacks, allegedly perpetrated by Russia in 2019, also warrant a mention. SolarWinds software is used to manage and control systems and networks, so when hackers were able to plant backdoor access malware into the code, it became one of the most successful attacks ever.
American government departments were hit along with well-known security vendor FireEye, and the compromises took a long time to get detected and fixed. This month, SolarWinds had to release patches for three critical remote code execution bugs in its Access Manager software.
“Hackcidents” can and will happen and that should be everyone’s default assumption.
Vendors that are in a privileged position in information systems and networks have been high-value hacker targets for a long time now. There are no guarantees that their software and hardware are bug-proof, or that all their processes are robust and without gaps that can be exploited.
Furthermore, as recent and past experience has shown, vendor responsiveness when things go wrong can be found wanting.
Having the ability to detect anomalies is a must for any organisation running IT systems and networks, along with plans for what to do when they’re detected. For customers, and not just of security vendors, the lesson here is not to outsource trust. Do that, and you’ll live to regret it sooner rather than later.