Any software IT installs can potentially contain vulnerabilities that give hackers a way to get on the company’s network – and that includes IT security software, one expert warns.
While it may seem ironic, IT security products can have the same types of vulnerabilities as any other software, warned Ben Williams of software verification firm NCC Group in a presentation at the recent Black Hat Europe 2013 security conference in Amsterdam.
And because of the level of trust organizations place in those applications — and the amount of damage that can be done if they’re compromised — those vulnerabilities can be especially dangerous.
Williams performed a study of IT security products, including email and web gateways, firewalls, remote access systems, and unified threat management (UTM) systems, from several of the biggest security vendors.
The result: The majority (more than 80%) have serious vulnerabilities that could lead to security attacks.
In many cases, the blame lies with the web-based user interfaces that IT employees use to configure and maintain the security systems.
Often, those interfaces are vulnerable to brute-force password cracking, cross-site scripting attacks, cross-site request forgery, and other types of attack, according to Williams. Many of the hypothetical attacks could allow hackers to steal administrative credentials and use them to change the settings of security applications.
Protect against IT security software vulnerabilities
Many organizations assume that those products are secure, which Williams says is a big mistake. While he said he has notified vendors about the flaws so they’ll hopefully be fixed, he recommends organizations:
- Keep administrative interfaces for security products off of machines that connect to the Internet, and restrict access to those interfaces to the organization’s internal network
- Require administrators to access the user interface with a different browser than the one they use to access the Internet
- Make sure that security products go through the same IT security evaluation, testing and auditing as any other application the company installs, and
- Closely monitor the behavior of IT security software to make sure configurations stay the same and check to see who is accessing the user interface.
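As an added illustration of the first and last recommendations (this script is not part of the article or of Williams’ research), the following Python checks a security appliance’s running configuration against an approved baseline and reviews its admin-interface access log for clients outside the internal network and for logins that follow repeated failures. The configuration keys, network ranges and log format are constructed for the example.

```python
import hashlib
import ipaddress
import re
# Constructed sample data (not from the article): a snapshot of a security
# appliance's configuration and a few admin-UI access log lines.
BASELINE_CONFIG = "proxy.block_exe = true\nadmin.allow_remote = false\n"
CURRENT_CONFIG = "proxy.block_exe = true\nadmin.allow_remote = true\n"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ACCESS_LOG = """\
2013-03-15T09:12:01 client=10.1.4.22 user=admin path=/admin/login status=200
2013-03-15T09:14:37 client=10.1.4.22 user=admin path=/admin/settings status=200
2013-03-15T11:02:10 client=203.0.113.45 user=admin path=/admin/login status=401
2013-03-15T11:02:12 client=203.0.113.45 user=admin path=/admin/login status=401
2013-03-15T11:02:15 client=203.0.113.45 user=admin path=/admin/login status=200
"""
LOG_RE = re.compile(r"client=(\S+) user=(\S+) path=(\S+) status=(\d+)")

def parse_config(text):
    # Parse 'key = value' lines (assumed format) into a dict.
    return dict(line.split(" = ", 1) for line in text.splitlines() if " = " in line)

def config_drifted(baseline, current):
    """True when the running config's hash no longer matches the approved baseline."""
    digest = lambda t: hashlib.sha256(t.encode()).hexdigest()
    return digest(baseline) != digest(current)

def changed_settings(baseline, current):
    """Keys whose values differ, so the reviewer sees exactly what moved."""
    b, c = parse_config(baseline), parse_config(current)
    return sorted(k for k in set(b) | set(c) if b.get(k) != c.get(k))

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def review_admin_access(log):
    """Flag admin-UI clients outside the internal network, and successful
    logins that follow repeated failures from the same client."""
    external, failures, suspicious = set(), {}, []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, _user, path, status = m.groups()
        if not is_internal(client):
            external.add(client)
        if path.endswith("/login") and status == "401":
            failures[client] = failures.get(client, 0) + 1
        elif path.endswith("/login") and status == "200" and failures.get(client, 0) >= 2:
            suspicious.append((client, failures[client]))
    return {"external_clients": sorted(external), "login_after_failures": suspicious}
```

On the constructed data the script reports that `admin.allow_remote` changed and that 203.0.113.45, an address outside the internal ranges, logged in after two failed attempts.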