Why Your Security Tools Are Exposing You to Added ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

100%

AlexMcG,
User Rank: Apprentice
3/3/2016 | 8:22:58 AM

Re: Agree, but...

Hi there! We tried pretty hard to make this not seem like scare mongering. Our point here is that defense tools have bugs and we're advising people to account for that. As with the rest of security there's no real magic solution. So what we purpose is dealing with it in context. Let's take the TrendMicro bug as an example and assume some fictional enterprise has it installed everywhere.

This bug was in an extraneous feature, I don't want an AV that runs its own webserver on my host. Our advice is choose an AV that doesn't do silly stuff like that. So lets assume we can disable all those extra features, now we're left with this big chunk of C/C++ that tries to parse every file type you've never heard of that regulation says we have to keep on our hosts. Ok, if I can't get rid of it I can at least make attacking it more expensive for common bug types in C/C++ with Microsoft's EMET. Though as we've seen recently thanks to FireEye there are ways around that for dedicated attackers but attackers have to spend a lot of time to find those. How do we then deal with an attacker who is willing to do that leg work? We monitor our hosts for surprising new binaries/DLLs as attackers typically want some type of persistence.

In following that advice we have: reduced our attack surface by turning off AV features we don't need, increased the cost to attackers to attack us via bugs in the core part of the AV engine, and increased the odds that if we are successfully compromised we'll know about it. That's pretty reasonable substantive advice for how to deal with vulnerabilities in your defensive tool chain. I hope that readers don't come away with the impression that all security software is bad, I hope they come away with the idea that NO complex software is without vulnerabilities and they need to plan accordingly.

Reply | Post Message | Messages List | Start a Board

50%

robep00,
User Rank: Apprentice
3/3/2016 | 7:39:26 AM

Re: Agree, but...

I agree with Dave and Alex in this article.

I don't think it's about scaremongering more then accepting a hard reality. A reality that is forcing changes in the approach to security as we are writing about it.

For example, file analysis could be performed off site instead of on the host like some anti-virus engines or security solutions are already doing. By limiting and making the security product as lightweight as possible, the increase in attack surface is minimal compared to the potential increase in security posture.

Reply | Post Message | Messages List | Start a Board

50%

Whoopty,
User Rank: Ninja
3/3/2016 | 7:01:24 AM

Agree, but...

As much as I agree with this post and it's important that people realise anti-virus is not a set-it-and-forget-it tool, this gives us a lot of concerns without much in the way of a meaningful solution. It smells like scaremongering.

The last thing we want is people thinking that it would be better to do without security software altogether.

Does anyone have a good solution to AV? Even if international alternatives are a bad idea, US and UK made security software is just as beholden to intelligence agencies there as the foreign alternatives are.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

How to Better Secure Your Microsoft 365 Environment

Kelly Sheridan, Staff Editor, Dark Reading, 1/25/2021

Many Cybersecurity Job Candidates Are Subpar, While On-the-Job Training Falls Short

Robert Lemos, Contributing Writer, 1/27/2021

Attackers Leave Stolen Credentials Searchable on Google

Kelly Sheridan, Staff Editor, Dark Reading, 1/21/2021

Webinars

What We Can Learn from Sports Analytics

Strategies for Success with Digital Transformation

Building the SOC of the Future: Next-Generation Security Operations

Webinar Archives

White Papers

A Technical Deep Dive on Software Exploits

Eliminate East-West Traffic Hair-Pinning

SANS 2021 Cyber Threat Intelligence Survey

2020 Gartner Market Guide for Network Detection & Response

Top Threats to Cloud Computing: The Egregious 11

More White Papers

Cartoon Contest

Write a Caption, Win an Amazon Gift Card! Click Here

Latest Comment: This comment is waiting for review by our moderators.

Cartoon Archive

Current Issue

2020: The Year in Security

Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Assessing Cybersecurity Risk in Today's Enterprises

COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.

Download Now!

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

Building an Effective Cybersecurity Incident Response Team

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2020-25782
PUBLISHED: 2021-01-28

An issue was discovered on Accfly Wireless Security IR Camera 720P System with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientManage::ServerIP_Proto_Set during incoming message handling.

CVE-2020-25783
PUBLISHED: 2021-01-28

An issue was discovered on Accfly Wireless Security IR Camera System 720P with software versions v3.10.73 through v4.15.77. There is an unauthenticated heap-based buffer overflow in the function CNetClientTalk::OprMsg during incoming message handling.

CVE-2020-25784
PUBLISHED: 2021-01-28

An issue was discovered on Accfly Wireless Security IR Camera System 720P with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientGuard::SubOprMsg during incoming message handling.

CVE-2020-25785
PUBLISHED: 2021-01-28

CVE-2020-0237
PUBLISHED: 2021-01-28

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]