In the light of the recent Kaspersky security issues I thought it useful to approach the subject of security companies blowing their own trumpets and crying foul once too often.
To start with, I don’t think this issue really merits any more attention than usual. Kaspersky do anti-virus software, not intrusion prevention software, which is more useful for the type of attack foisted on Kaspersky’s website in recent weeks. Therefore they are no less at risk than anyone else, notwithstanding the fact that they have a reasonable anti-virus product.
The fact is that viruses are just one part of the ecosystem of issues that plague the daily workings of the smallest and largest networks on the planet. Other vectors include trojans, phishing, pharming, DoS attacks and social engineering. The Kaspersky attack involved SQL injection: tampered input is fed to a website with a SQL backend so that it becomes part of the query the site runs, with the aim of stealing the data the database returns in answer to that altered request.
There are a number of reasons why SQL injection is a favourite amongst attackers:
- poor programming practices mean that a large percentage of public-facing websites with SQL backends will have issues
- fast prototyping systems and high-level programming languages make programmers lazy and abstract the security paradigm to a point where it’s forgotten
- programming courses/certifications do not effectively put forward the security issues inherent in programming
- websites are not actively and properly checked for issues before being made live
- system administrators do not update web applications with known issues
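As an added illustration of the first point (this is example code written for this post, not anything from Kaspersky's site or the original article), the snippet below builds a constructed in-memory customer table with sqlite3 and runs the same name lookup two ways: with the input concatenated into the SQL text, and with a bound parameter. The tampered input alters the query's structure in the first case and is treated as a plain string in the second.

```python
import sqlite3

# Constructed sample data for the demo; not real customer records.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """The lazy pattern: user input is spliced into the SQL text itself,
    so quotes and keywords in the input become part of the query."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the value is bound as a parameter. The driver passes it
    separately from the SQL, so it can only ever be compared as data."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run a normal and a tampered lookup through both versions."""
    conn = make_db()
    tampered = "x' OR '1'='1"  # closes the string literal and adds a tautology
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),  # dumps every row
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_tampered": lookup_parameterized(conn, tampered),  # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

A cheap runtime check that follows from this: a lookup that should return at most one customer but comes back with the whole table is a sign worth alerting on, even before the code is fixed.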
The above is unforgivable under any circumstance, yet it still happens on a daily basis – apparently statistics indicate that more than 50% of the Fortune 500 companies’ websites are vulnerable. Considering the resources these companies have, you can see why I use the word unforgivable. There are many products on the market which make checking your systems a doddle. There are also many products available which, if you are lazy (or under-resourced, as it may be), will save and protect your bacon.
Yet every other day we hear news of another company’s database being depleted of thousands of customer records and credit card details. Why are these companies still allowed to trade?
But to get back to my original statement: we look towards security companies and consultants to give us the answers and a feeling of protection. Don’t be fooled though – there are many out there that would sooner pull the wool over your eyes than really care for your wellbeing. Looking at the standards-based testing of anti-virus packages, for example, you would be confused to see some of the largest and best-known products on the market at the bottom of the pack. As usual, the marketing department appears to have more say than the engineers.
So don’t let vendors fool you into thinking that security is easy or that their product is all you need. Security is something that needs to be deployed in layers (defence in depth), and it’s an area that requires constant attention. The wellbeing of your company relies on that.