I've read that the Bit9 compromise involved the company's own encryption keys, which led to trouble for customers of Bit9's whitelisting services. Would you say this was likely a one-off incident, or should enterprises reconsider using application whitelisting technology? Is there any way to sniff out certificates that have been signed by malicious hackers?
Because they're in the technology business, IT vendors are held to a higher security standard than most other organizations are. Information security vendors are held to an even higher standard because a compromise could allow widespread or very targeted attacks against customers. That's why, when journalist Brian Krebs first broke the story about the attack against the vendor, the public relations backlash was particularly fierce.
The attacker in the Bit9 compromise was able to infiltrate the vendor's network and compromise a system with an old but still valid software signing certificate. The attack started with a SQL injection attack against an Internet-facing device, which allowed the attacker to access a virtual machine with the certificate. (Bit9 says a third party analyzed its network to determine the extent of the attack, but the vendor did not report how the attacker found and gained access to the system with the certificate.) The attacker signed 32 malicious files, including part of a backdoor, to make them look legitimate, then used those files while attacking an undisclosed number of Bit9 customers. Thus, the attacker exploited the trust Bit9's customers had in the vendor.
Bit9 is not the first security vendor to be compromised, nor will it be the last. Its openness about the attack should help restore customer trust. Ironically, if Bit9 hadn't made the operational mistake of not installing its own software, the company would have been protected from the attack. Enterprises might want to consider the far-reaching implications if their vendor is compromised, then determine the appropriate course of action. In this case, they should try to determine whether Bit9's security model is sufficient for their environment, and if there are ways they could limit their risk if Bit9 (or any other security vendor) is compromised.