I've read that the Bit9 compromise involved the company's own encryption keys, which led to trouble for customers...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
of Bit9's whitelisting services. Would you say this was likely a one-off incident, or should enterprises reconsider using application whitelisting technology? Is there any way to sniff out certificates that have been signed by malicious hackers?
Ask the Expert!
SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Because they're in the technology business, IT vendors are held to a higher security standard than most other organizations are. Information security vendors are held to an even higher standard because a compromise could allow widespread or very targeted attacks against customers. That's why, when journalist Brian Krebs first broke the story about the attack against the vendor, the public relations backlash was particularly fierce.
The attacker in the Bit9 compromise was able to infiltrate the vendor's network and compromise a system with an old but still valid software signing certificate. The attack started with a SQL injection attack against an Internet-facing device, which allowed the attacker to access a virtual machine with the certificate. (Bit9 says a third party analyzed its network to determine the extent of the attack, but the vendor did not report how the attacker found and gained access to the system with the certificate.) The attacker signed 32 malicious files, including part of a backdoor, to make them look legitimate, then used those files while attacking an undisclosed number of Bit9 customers. Thus, the attacker exploited the trust Bit9's customers had in the vendor.
Bit9 is not the first security vendor to be compromised, nor will it be the last. Its openness about the attack should help restore customer trust. Ironically, if Bit9 hadn't made the operational mistake of not installing its own software, the company would have been protected from the attack. Enterprises might want to consider the far-reaching implications if their vendor is compromised, then determine the appropriate course of action. In this case, they should try to determine whether Bit9's security model is sufficient for their environment, and if there are ways they could limit their risk if Bit9 (or any other security vendor) is compromised.
Dig Deeper on Application Attacks -Information Security Threats
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.