Do as I say, not as I do. RSA, Bit9, Adobe, and others…

So you thought you had everything nailed down. You might have even gone past the “best practice” (which would have driven you to compliance, and your security to the gutter), and focused on protecting your assets by applying the right controls in a risk-focused way.

You had your processes, technologies, and logs all figured out.

But you still got owned. Want to know why? Because you are still a little naïve.

You put your trust in big name vendors that preached for you to get your stuff together. You listened to them, were convinced by their pitch, and you might have even put their products through rigorous testing to make sure they deliver. But you forgot one thing. Big ticket vendors are no much different from a zealot church.

They will preach, and guide you through to the righteous passage. But when you look behind the curtain, well, you know what I mean…

The latest Bit9 compromise isn’t that surprising. Bit9’s customers are obviously very security aware as they opted to use a whitelisting product to protect their computing assets. As such, these customers are most probably high value targets to adversaries. It also means that with such an awareness to security, these customers probably have more measures and practices to mitigate and protect themselves from attackers. That means, that if I were to scope such a target for an attack, I would have focused on supply chain elements that were weaker than the target itself (much like the way we teach at out Red-Team Testing classes…).

RSA was such a target. Adobe is a similar one. Bit9 just was for some of its customers.

Color me surprised.

And yes – if you are a vendor that gloats over the latest compromise – please don’t. If you haven’t gone through a similar threat model your products are either not good enough (hence your customers aren’t high value targets. How does that make you feel now?), or your own security isn’t up to speed and you haven’t realized you have been breached yet. Now go clean your own mess.

If you are a security consumer (hence – care a bit more for your information than just getting compliant and tabling it), make sure not to make any assumptions about your providers. Especially about your providers. They aren’t the target. You are. As such, they are the vehicle, and they have a more generalized security practice than yours. Account for it in your security strategy, and never fully trust anything outside of your control span. It is your responsibility to hold them to at least their own standard, and demand oversight and proof that they do so.

Leave a Reply