By Mark McCullough – Technical Consultant
Former Mozilla developer Robert O’Callahan recently joined the growing chorus of those openly stating that anti-virus products cause more security harm than they prevent. He’s right, but anti-virus is not the only security product that deserves the harsh glare of security scrutiny. It’s time for information security to eat its own dog food. Security tools often end up harming your overall security for at least one of three reasons: they create significant new attack surface; they inherently violate the very security standards they are supposed to help enforce; or they force a lowering of the security of other tools.
For the first case, significant new attack surface, we need look no further than CVE-2016-2207 through CVE-2016-2211, where an anti-virus product had remote arbitrary code execution flaws. Nor is it just one vendor’s products that are flawed. Another common example is a product that requires direct login by administrative accounts to be enabled, often in the name of “agentless” security, as if direct login to a full shell with administrative access, and no record of what was done or of who was actually using those credentials, were somehow a good idea.
One product vendor had the gall to openly state to multiple customers, “We’re a security appliance, so we don’t have to follow your security rules.” Attackers aren’t going to ignore a product just because the security team uses it; in fact, they may target it specifically because of the access such products have. Security tools often have excessive access to resources. Vulnerability scanners often want direct login to an account with full administrative privileges, even though that is explicitly prohibited by the very security standards that the teams insisting on this access are supposed to enforce. Privileged session managers are often built so that security administrators can perfectly impersonate any user, with no log that they did so, or extract the most sensitive credentials of any user. Any non-security product doing that would instantly be labeled malicious.
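The direct administrative login that the last two paragraphs describe is easy to check for on a Linux host, and just as easy to check wrongly. The following is an added example, not code from the article or from any product: a Python audit of an sshd_config and a sudoers fragment. The “vendor” samples are constructed to show the root-login-with-password setup a hypothetical agentless scanner might demand, plus a later “hardening” that sshd silently ignores; the “hardened” samples show the alternative of a dedicated, key-only scanner account with sudo limited to named commands. The account name, the command list and the product description are all assumptions for illustration.

```python
"""Audit an sshd_config and a sudoers fragment for the 'direct administrative
login' pattern: root allowed to log in over SSH (worse, with a password), or a
service account that may run anything as root with no password prompt.
sshd_config rules that ad-hoc greps get wrong: keywords are case-insensitive
and may be followed by '=' or blanks; when a keyword repeats, the FIRST value
wins; lines after 'Match' apply only inside that block. Only full-line '#'
comments are stripped, the one form every OpenSSH release accepts."""
import re
from dataclasses import dataclass

# Constructed sample (no real product): what a hypothetical 'agentless
# scanning' install guide might demand, plus a later attempt by ops to harden.
VENDOR_SSHD_CONFIG = """\
# Required by a hypothetical agentless scanner for credentialed scans
PermitRootLogin yes
PasswordAuthentication yes
# Added later by ops; sshd ignores both lines because the first value wins
PermitRootLogin no
PasswordAuthentication no

Match User scanner
    PermitRootLogin no
"""
# Constructed sample of the alternative: root login closed, a dedicated
# key-only 'scanner' account (assumed name), sudo limited to scan commands.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers scanner ops
Match User scanner
    PasswordAuthentication no
"""
VENDOR_SUDOERS = "scanner ALL=(ALL) NOPASSWD: ALL\n"
HARDENED_SUDOERS = ("Cmnd_Alias SCANCMDS = /usr/bin/rpm -qa, /usr/bin/dpkg -l\n"
                    "scanner ALL=(root) NOPASSWD: SCANCMDS\n")

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str

def parse_sshd_config(text):
    """Return (global_settings, match_blocks, shadowed); settings dicts keep the
    first value per keyword, as sshd does, and shadowed lists the ignored
    duplicates as (line_no, keyword, value)."""
    global_settings, match_blocks, shadowed = {}, [], []
    current = global_settings
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                      # start a new Match block
            match_blocks.append((value, current))
        elif key in current:
            shadowed.append((line_no, key, value))
        else:
            current[key] = value
    return global_settings, match_blocks, shadowed

def audit_sshd(text):
    settings, match_blocks, shadowed = parse_sshd_config(text)
    findings = []
    root = settings.get("permitrootlogin", "prohibit-password").lower()  # OpenSSH default
    if root == "yes":
        findings.append(Finding("high", "PermitRootLogin yes: root may log in directly"))
    elif root != "no":
        findings.append(Finding("info", f"PermitRootLogin {root}: root key logins still allowed"))
    if settings.get("passwordauthentication", "yes").lower() == "yes":  # default is yes
        findings.append(Finding("medium", "PasswordAuthentication yes: password logins accepted"))
    for spec, block in match_blocks:
        if block.get("permitrootlogin", "").lower() == "yes":
            findings.append(Finding("high", f"Match {spec}: PermitRootLogin yes"))
    for line_no, key, value in shadowed:
        findings.append(Finding("info", f"line {line_no}: '{key} {value}' ignored, earlier value wins"))
    return findings

# user host=(runas) [TAG:] cmd, cmd ...  (Cmnd_Alias names are not expanded)
SUDO_RULE = re.compile(r"^(?P<user>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
SUDO_TAGS = re.compile(r"(?i)\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):")

def audit_sudoers(text):
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "nopasswd:" in m.group("cmds").lower()
        commands = [c.strip() for c in SUDO_TAGS.sub("", m.group("cmds")).split(",")]
        if "ALL" in commands:
            suffix = " without a password" if nopasswd else ""
            findings.append(Finding("high" if nopasswd else "medium",
                                    f"sudoers: {m.group('user')} may run ALL commands{suffix}"))
    return findings
```

Point audit_sshd at the contents of /etc/ssh/sshd_config and audit_sudoers at /etc/sudoers or a file under /etc/sudoers.d to run it on a real host; `sshd -T` prints the effective configuration and is the authoritative cross-check. The parser mirrors sshd’s first-value-wins rule on purpose, so a “hardening” line appended below a vendor’s PermitRootLogin yes is reported as ignored rather than believed. The hardened variant is also what restores the missing audit trail: with a dedicated account, the sshd authentication log and the sudo log attribute every login and every command to that account, which is exactly the record that shared direct root login throws away.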
Mr. O’Callahan’s complaint that anti-virus software disabled built-in OS security protections may seem shocking to some, but it is hardly news to anyone who has followed the antics of such vendors. DLP vendors have in the past tried to block users from standard browser features that protect their security, such as incognito mode, or even the developer console needed to examine a suspicious website or simply to develop internal web-based applications, and have insisted on “exceptions” so that their own binaries are not even scanned.
So what to do about it? Recognize that calling a product a security product doesn’t make it any less risky. These products often have some of the most sensitive access across your network and thus need extra scrutiny and skepticism, not less. If the vendor isn’t following the rules of security, don’t be afraid to call them out. It’s your data, and you need to stand up for it, because the label of security product doesn’t make the product any safer.