I've read that the Bit9 compromise involved the company's own encryption keys, which led to trouble for customers...
of Bit9's whitelisting services. Would you say this was likely a one-off incident, or should enterprises reconsider using application whitelisting technology? Is there any way to sniff out certificates that have been signed by malicious hackers?
Ask the Expert!
SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Because they're in the technology business, IT vendors are held to a higher security standard than most other organizations are. Information security vendors are held to an even higher standard because a compromise could allow widespread or very targeted attacks against customers. That's why, when journalist Brian Krebs first broke the story about the attack against the vendor, the public relations backlash was particularly fierce.
The attacker in the Bit9 compromise was able to infiltrate the vendor's network and compromise a system with an old but still valid software signing certificate. The attack started with a SQL injection attack against an Internet-facing device, which allowed the attacker to access a virtual machine with the certificate. (Bit9 says a third party analyzed its network to determine the extent of the attack, but the vendor did not report how the attacker found and gained access to the system with the certificate.) The attacker signed 32 malicious files, including part of a backdoor, to make them look legitimate, then used those files while attacking an undisclosed number of Bit9 customers. Thus, the attacker exploited the trust Bit9's customers had in the vendor.
Bit9 is not the first security vendor to be compromised, nor will it be the last. Its openness about the attack should help restore customer trust. Ironically, if Bit9 hadn't made the operational mistake of not installing its own software, the company would have been protected from the attack. Enterprises might want to consider the far-reaching implications if their vendor is compromised, then determine the appropriate course of action. In this case, they should try to determine whether Bit9's security model is sufficient for their environment, and if there are ways they could limit their risk if Bit9 (or any other security vendor) is compromised.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.