News out of Cupertino this week regarding a network breach and the resulting stolen source code representing four major security products is enough to make any CISO go prematurely gray. We understand the fire drills involved when you have a security technology compromised. In the case of Big Yellow, here is my advice to CISOs everywhere:
Focus now on remote access and anti-virus, and layer up
Layering security technologies introduces a complex defense against a complex offense, with the former being a lot harder for an attacker to neutralize. To some, defense-in-depth means more firewall layers as opposed to a single layer at the perimeter. To me, it’s about protecting the entire IT environment – from mobile to cloud, to databases and servers – and not just the now-shaky walls that surround it; assuming you can even decide what is inside your network and what is outside.
If you think of medieval Europe, castles had moats as well as locks on their gates and high walls because even they knew one single element of defense could be overcome. If you rely exclusively on Norton anti-virus technology, plan for a deployment of at least an additional technology at some layer in your network – at least use a different vendors program to scan your web and email traffic.
My biggest concern is the loss of the pcAnywhere source code. The goal of pcAnywhere is to allow a person to access and control another machine over the network/Internet. If an attacker can determine a method by which they can take unauthorized and unauthenticated control of these machines they bypass all defensive layers, it is as though they walked into your building and sat down at your computer and simply started working.
Email traffic and web traffic are the two most common transports for viruses/malware entering a network, so those would be the areas where I would consider installing an alternative anti-virus technology. (Also, there should be fewer of them than there are users’ machines, so it should be a quicker and less-intrusive roll out). The other two areas to focus on are desktops and servers.
The more disparate anti-virus technology you have, the more likely the chance that new or evolving malware can be detected. Of course adding these layers adds more management but if any single product is no longer able to detect attacks, an easy to use management interface isn't going to provide any value.
Stay on top of the situation
Without good information we cannot make good decisions. I would recommend customers of Symantec call their rep and ask for all the details about what has been lost, and what information Symantec knows about what the attackers are doing with this code. Repeat this step regularly when this source code loss was first disclosed the story was off code on a customers server being stolen, this week it is Semantics own network being breached.
Take a step back, and know your exposure
It is important to have a clear picture of your organization’s exposure to this risk, and develop a plan to mitigate that risk. I know it’s hard to keep up with the rapid pace of change. We advise a full assessment from the inside out and vice versa – including employee risks to information. Start with a penetration test to focus on the biggest threats first – your web applications and your end user awareness. With this knowledge in hand, you can prioritize where to focus and how to make the most significant changes, first.
- Alex Horan, CORE IMPACT Product Manager