Last month another security incident hit the headlines, and this one was especially interesting because it involved Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms.
In short, Bit9’s corporate network was breached. Bit9 wrote on its blog that “Due to lack of an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.”
Bit9 learned of the breach when some of its customers found malware inside their own Bit9-protected networks: malware that carried a valid signature from Bit9’s own code-signing key. For the full account, see the write-up on KrebsOnSecurity. The short summary sounds simple, but the details make this a genuinely interesting story.
Let’s simplify this with an analogy. Imagine that physical security guards (Bit9) are posted all around the campus that houses your corporate office. They check every individual entering the building. However, they are instructed to TRUST and ALLOW anyone wearing a GREEN access pass, which is issued to VVIPs to give them unrestricted access. The machine that prints GREEN passes (the code-signing key behind the certificate) is restricted and highly confidential. In this case the attackers got their hands on that machine and printed their own GREEN passes (signed their own code so that it was whitelisted), which gave them unrestricted access to the office because the guards TRUST such passes and ALLOW the bearer through without any questions.
In the real incident, the attackers gained the use of one of Bit9’s code-signing certificates, which Bit9 uses to sign programs so that its agent treats them as approved. With that signing capability they signed malicious code; the Bit9 protection software on customer machines trusted the signature and let the code run, and the attackers used it to infect those machines. The security-relevant point is that a “trust anything signed by this publisher” rule in an application whitelist is only as strong as the custody of the private key behind it: once the key is compromised, every customer who trusts that publisher is exposed until the certificate is revoked and the agents actually act on that revocation.
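To make the trust relationship concrete, here is an added example (not Bit9’s product or any code from the original post) of a toy whitelisting agent that approves a binary either by a pinned hash or by a valid signature from a trusted publisher key. The key pair, the “vendor” publisher name, the sample payloads and the revocation list are all constructed for the illustration; Ed25519 stands in for whatever certificate scheme a real product uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Binary is what the agent sees when something tries to execute:
// the file content, a detached signature, and the key that claims to have signed it.
type Binary struct {
	Content   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Agent is a simplified whitelisting enforcer (constructed for this example).
// A file runs if its hash is pinned, or if it is validly signed by a trusted,
// non-revoked publisher key. Publisher keys are identified by a SHA-256 fingerprint.
type Agent struct {
	approvedHashes    map[string]bool
	trustedPublishers map[string]ed25519.PublicKey
	revoked           map[string]bool
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func hashOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Allowed returns the decision and the rule that produced it.
// Order matters: an explicit hash pin wins, then revocation is checked before
// any publisher signature is honoured.
func (a *Agent) Allowed(b Binary) (bool, string) {
	if a.approvedHashes[hashOf(b.Content)] {
		return true, "hash on approved list"
	}
	if b.SignerKey != nil {
		if a.revoked[fingerprint(b.SignerKey)] {
			return false, "signer key revoked"
		}
		for name, pub := range a.trustedPublishers {
			if pub.Equal(b.SignerKey) && ed25519.Verify(pub, b.Content, b.Signature) {
				return true, "valid signature from trusted publisher " + name
			}
		}
	}
	return false, "not approved"
}

// RunScenario models the incident: a publisher key is trusted by the agent,
// the private key is stolen, malware is signed with it, and the defender then
// revokes the key and pins the legitimate files by hash instead.
func RunScenario() (malwareAllowedBefore, malwareAllowedAfter, legitAllowedAfter bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	agent := &Agent{
		approvedHashes:    map[string]bool{},
		trustedPublishers: map[string]ed25519.PublicKey{"vendor": vendorPub},
		revoked:           map[string]bool{},
	}
	// Constructed sample payloads; the content is arbitrary.
	legit := []byte("legit-agent-update-v2")
	malware := []byte("dropper.exe")

	// Whoever holds the private key signs exactly as the vendor would;
	// the agent cannot tell the thief from the owner.
	signed := func(content []byte) Binary {
		return Binary{Content: content, Signature: ed25519.Sign(vendorPriv, content), SignerKey: vendorPub}
	}
	malwareAllowedBefore, _ = agent.Allowed(signed(malware))

	// Response: revoke the compromised key and pin known-good files by hash,
	// so legitimate software keeps running while the stolen key stops working.
	agent.revoked[fingerprint(vendorPub)] = true
	agent.approvedHashes[hashOf(legit)] = true
	malwareAllowedAfter, _ = agent.Allowed(signed(malware))
	legitAllowedAfter, _ = agent.Allowed(signed(legit))
	return
}

func main() {
	before, after, legit := RunScenario()
	fmt.Printf("malware with stolen key, before revocation: %v\n", before)
	fmt.Printf("malware with stolen key, after revocation:  %v\n", after)
	fmt.Printf("pinned legitimate file, after revocation:   %v\n", legit)
}
```

The point the example makes is that the agent’s check is sound; what failed is the assumption that only the publisher can produce a valid signature. Revocation only helps if every agent receives and honours the revocation, which is why hash pinning of known-good files is the safer fallback during an incident.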
A reminder of the importance of the basics
This incident highlights the importance of security basics and proves the old saying that “you are only as strong as your weakest link”. Every organisation invests in baseline security controls so that its assets are protected against known threats and vulnerabilities. That is why every new asset (laptop, desktop, mobile device or server) introduced into the company’s computing environment must have the baseline controls installed and operating effectively before it goes into service. And once the controls are installed, you still need evidence that they keep operating effectively.
A simple analogy: every car coming off the assembly line is tested to make sure its basic safety controls (seatbelts, airbags, ABS, traction control and so on) are fitted and working. Once the car is on the road, it has to pass an annual MOT check to confirm that those controls still work and the vehicle is roadworthy. Manufacturers such as BMW, Mercedes and Jaguar also fit sensors to the important controls that warn the driver on the dashboard when one of them fails, so that it gets fixed.
In this case Bit9 failed on several fronts, a reminder of the importance of getting the basics right:
- Their IT Asset Management (ITAM) and build process failed: new assets were introduced into the environment without an important endpoint control, Bit9’s own product, which is meant to protect endpoints against exactly this kind of attack.
- Their operational oversight process did not flag these assets as non-compliant despite the absence of such an important control. An effective oversight process reconciles the asset inventory against the endpoint-protection console and would have flagged these machines as a risk.
- Bit9 confirmed that the breach appears to have started last summer with the compromise of an Internet-facing web server via an SQL injection attack. SQL injection has been a well-understood vulnerability class for many years, and routine vulnerability scanning and application testing of Internet-facing systems should have caught such a trivial flaw.
These issues can exist in any organisation, not just Bit9. It is therefore important to get the basics right: make sure baseline controls are installed on all assets, and run an effective operational oversight process that measures both the completeness (is the control on every asset?) and the effectiveness (is it actually working and enforcing?) of those controls, so that technology risk is managed rather than assumed away.
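The reconciliation that such an oversight process performs can be small and mechanical. The following added example (constructed for this post, not Bit9’s tooling) joins a sample ITAM inventory against sample endpoint-agent check-in records and reports every asset whose baseline control is missing (completeness), silent for too long or not enforcing (effectiveness), plus agents reporting from hosts the inventory does not know about. Hostnames, owners, timestamps and the 72-hour staleness threshold are all invented for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Asset is one record from the IT asset inventory (ITAM).
type Asset struct {
	Hostname string
	Owner    string
}

// AgentStatus is one record exported from the endpoint-protection console.
type AgentStatus struct {
	Hostname    string
	LastCheckIn time.Time
	PolicyMode  string // "enforce" or "audit"
}

// Finding is one non-compliant host and the reason it was flagged.
type Finding struct {
	Hostname string
	Reason   string
}

// Reconcile joins the inventory against the agent console and returns, in
// hostname order, every host that fails the baseline-control check.
// Completeness: every inventoried asset must have a registered agent.
// Effectiveness: the agent must have checked in within maxAge and be enforcing.
// Unknown hosts with an agent are also reported, since they are outside ITAM.
func Reconcile(inventory []Asset, agents []AgentStatus, now time.Time, maxAge time.Duration) []Finding {
	byHost := make(map[string]AgentStatus, len(agents))
	for _, a := range agents {
		byHost[a.Hostname] = a
	}
	inventoried := make(map[string]bool, len(inventory))
	var findings []Finding
	for _, asset := range inventory {
		inventoried[asset.Hostname] = true
		st, ok := byHost[asset.Hostname]
		switch {
		case !ok:
			findings = append(findings, Finding{asset.Hostname, "no endpoint agent registered"})
		case now.Sub(st.LastCheckIn) > maxAge:
			age := now.Sub(st.LastCheckIn).Round(time.Hour)
			findings = append(findings, Finding{asset.Hostname, fmt.Sprintf("agent silent for %s", age)})
		case st.PolicyMode != "enforce":
			findings = append(findings, Finding{asset.Hostname, "agent in " + st.PolicyMode + " mode, not enforcing"})
		}
	}
	for _, a := range agents {
		if !inventoried[a.Hostname] {
			findings = append(findings, Finding{a.Hostname, "agent reporting from host missing in inventory"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Hostname < findings[j].Hostname })
	return findings
}

// SampleFindings runs Reconcile over constructed sample data.
func SampleFindings() []Finding {
	now := time.Date(2013, 3, 1, 0, 0, 0, 0, time.UTC)
	inventory := []Asset{
		{"web01", "webops"}, {"build02", "engineering"}, {"lab-pc3", "research"}, {"devbox4", "engineering"},
	}
	agents := []AgentStatus{
		{"web01", now.Add(-1 * time.Hour), "enforce"},        // healthy
		{"build02", now.Add(-10 * 24 * time.Hour), "enforce"}, // installed but silent
		{"devbox4", now.Add(-2 * time.Hour), "audit"},         // installed but not enforcing
		{"shadow5", now.Add(-1 * time.Hour), "enforce"},       // not in ITAM at all
	}
	return Reconcile(inventory, agents, now, 72*time.Hour)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-10s %s\n", f.Hostname, f.Reason)
	}
}
```

Run against real exports, the same join is what turns “we failed to install our own product on a handful of computers” from a surprise into a line on yesterday’s report. The direction of the join matters: the inventory must be the authoritative list, or hosts that never had the agent will simply never appear.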