Does the Bit9 compromise call application whitelisting into question?

Expert Nick Lewis explains how Bit9 was recently compromised and what the incident means for the viability of application whitelisting.

I've read that the Bit9 compromise involved the company's own encryption keys, which led to trouble for customers of Bit9's whitelisting services. Would you say this was likely a one-off incident, or should enterprises reconsider using application whitelisting technology? Is there any way to sniff out certificates that have been signed by malicious hackers?

Because they're in the technology business, IT vendors are held to a higher security standard than most other organizations are. Information security vendors are held to an even higher standard because a compromise could allow widespread or very targeted attacks against customers. That's why, when journalist Brian Krebs first broke the story about the attack against the vendor, the public relations backlash was particularly fierce.

The attacker in the Bit9 compromise was able to infiltrate the vendor's network and compromise a system with an old but still valid software signing certificate. The attack started with a SQL injection attack against an Internet-facing device, which allowed the attacker to access a virtual machine with the certificate. (Bit9 says a third party analyzed its network to determine the extent of the attack, but the vendor did not report how the attacker found and gained access to the system with the certificate.) The attacker signed 32 malicious files, including part of a backdoor, to make them look legitimate, then used those files while attacking an undisclosed number of Bit9 customers. Thus, the attacker exploited the trust Bit9's customers had in the vendor.

Bit9 is not the first security vendor to be compromised, nor will it be the last. Its openness about the attack should help restore customer trust. Ironically, if Bit9 hadn't made the operational mistake of not installing its own software, the company would have been protected from the attack. Enterprises might want to consider the far-reaching implications if their vendor is compromised, then determine the appropriate course of action. In this case, they should try to determine whether Bit9's security model is sufficient for their environment, and if there are ways they could limit their risk if Bit9 (or any other security vendor) is compromised.
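The column describes the mechanism (a stolen but still-valid signing certificate defeats publisher-based trust) and the mitigation (decide how much of your whitelist should depend on a single vendor's certificate). As an added example that is not Bit9's code or part of the original column, the following evaluator models the two rule kinds a whitelisting agent typically applies, allow-by-hash and allow-by-publisher, and shows how a defender can keep hash rules in force while suspending publisher rules for a certificate known to be compromised. Every thumbprint, hash, path and date below is a constructed placeholder; the cutoff date stands for the vendor's estimate of when the attacker first had access, not the public disclosure date, because the malicious signatures are made before anyone discloses anything.

```python
"""Toy application-whitelisting policy evaluator (added example, not Bit9's code).

A publisher rule trusts every file a certificate signed, so it is the rule a
stolen certificate abuses. A hash rule pins one specific binary and survives a
certificate compromise. The evaluator therefore checks hash rules first and, for
publisher rules, consults a list of compromised signers together with the date
from which that signer is no longer trusted. All identifiers are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class FileInfo:
    path: str
    sha256: str
    signer_thumbprint: Optional[str]  # None when the file carries no signature
    signed_on: Optional[date]         # from a trusted countersignature timestamp; None if absent


@dataclass
class Policy:
    allowed_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    # signer thumbprint -> earliest date the certificate is considered compromised
    compromised_publishers: dict = field(default_factory=dict)


def evaluate(policy: Policy, f: FileInfo) -> tuple:
    """Return (allowed, reason) for one file under the policy."""
    # 1. Hash rules do not depend on who signed the file, so they hold regardless
    #    of any certificate compromise.
    if f.sha256 in policy.allowed_hashes:
        return True, "hash-allowlisted"
    # 2. Publisher rules: only honour them after the extra compromise checks.
    if f.signer_thumbprint is None:
        return False, "unsigned and not hash-allowlisted"
    if f.signer_thumbprint not in policy.trusted_publishers:
        return False, "signer not trusted"
    compromised_since = policy.compromised_publishers.get(f.signer_thumbprint)
    if compromised_since is not None:
        # Without a timestamp from an independent time-stamping authority we cannot
        # tell a pre-compromise signature from one the attacker produced, so deny.
        if f.signed_on is None or f.signed_on >= compromised_since:
            return False, f"signer compromised since {compromised_since}; signature not provably earlier"
        return True, "publisher-allowed (timestamped before compromise)"
    return True, "publisher-allowed"


def distrust_publisher(policy: Policy, thumbprint: str, since: date) -> None:
    """Record that a trusted signer's certificate is compromised from `since` on.

    Files this signer produced that you still need should be re-pinned by hash
    (added to allowed_hashes) so the publisher rule is no longer load-bearing.
    """
    policy.compromised_publishers[thumbprint] = since


def audit(policy: Policy, files) -> dict:
    """Evaluate many files; returns {path: (allowed, reason)}."""
    return {f.path: evaluate(policy, f) for f in files}


# Constructed sample policy and inventory (placeholder values, not real IoCs).
POLICY = Policy(
    allowed_hashes={"sha256-agent-placeholder"},
    trusted_publishers={"THUMB-VENDOR-OLD", "THUMB-VENDOR-NEW"},
)
distrust_publisher(POLICY, "THUMB-VENDOR-OLD", date(2012, 7, 1))

SAMPLE_FILES = [
    FileInfo("C:/Program Files/Vendor/agent.exe", "sha256-agent-placeholder", "THUMB-VENDOR-OLD", date(2011, 3, 1)),
    FileInfo("C:/Temp/update.exe", "sha256-update-placeholder", "THUMB-VENDOR-OLD", date(2012, 8, 15)),
    FileInfo("C:/Temp/helper.dll", "sha256-helper-placeholder", "THUMB-VENDOR-OLD", date(2011, 3, 1)),
    FileInfo("C:/Temp/tool.exe", "sha256-tool-placeholder", "THUMB-VENDOR-OLD", None),
    FileInfo("C:/Temp/new.exe", "sha256-new-placeholder", "THUMB-VENDOR-NEW", date(2013, 3, 1)),
    FileInfo("C:/Temp/unsigned.exe", "sha256-unsigned-placeholder", None, None),
    FileInfo("C:/Temp/other.exe", "sha256-other-placeholder", "THUMB-UNKNOWN", date(2013, 1, 1)),
]

if __name__ == "__main__":
    for path, (allowed, reason) in audit(POLICY, SAMPLE_FILES).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path}: {reason}")
```

The design choice worth noting is that the cutoff is applied to the signing time taken from a countersignature timestamp, which an attacker who only holds the signing key cannot backdate; a signature with no timestamp is denied rather than given the benefit of the doubt. In practice the same inventory would be built from the agent's own signature metadata rather than hand-constructed records.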

This was first published in July 2013
