(In)Security in Security Products

Who do you turn to when your security product becomes a gateway for attackers?

About the report

Security Products are present in most of the systems and theoretically can become a high pay-off target for hackers after the OS, Browsers etc. At iViZ we wanted to study how secure are the security products iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and Nation Vulnerability Database (NVD) for the Analysis

www.ivizsecurity.com

How are security vendors doing in terms of protecting their own products?

According to our (In)Security in Security Products report,

More recently, hackers have claimed to be in possession of the source code for Symantec's PC anywhere tool and Norton antivirus.

www.ivizsecurity.com

Vulnerabilities in Security Products

Man in the Middle (MITM) vulnerability in Symantec Backup Exec 12.1 Remote Code Execution via buffer overflows vulnerability in Symantec Veritas Enterprise Administrator products Encryption bypass of major disk encryption softwares including Microsoft Bit locker, True Crypt and MacAfee Safe Boot Device Remote code execution vulnerabilities in various anti-virus products including AVG, F-Secure, Sophos and ClaimAV etc For Details: http://www.ivizsecurity.com/security-advisory1.html

www.ivizsecurity.com

Security Product Vulnerability Trends

Vulnerability Trend in Security Products

300 250 200 150 100 50 0 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

Vulnerability Trend in All Products

7000 6000 5000 4000 3000

2000
1000 0 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

www.ivizsecurity.com

Most Vulnerable Security Product Categories

Figure 2
VPN

IDS/IPS

Firewall

Anti-Virus

Others 0 100 200 300 400 500 600 700

www.ivizsecurity.com

Vulnerabilities by Security Products

Vulnerabilities in Security Products
F-Secure Anti-virus Cisco PIX Firewall Sophos Anti-virus Cisco Adaptivesecurity Appliance Kaspersky Anti-virus ClamAV Anti-virus Trend Micro Officescan AVG AntiVirus Norton Personal Firewall Norton AntriVirus Checkpoint Firewall-1 Symentec Norton Internet Security McAfee Anti Virus

10

20

30

40

50

60

70

80

www.ivizsecurity.com

Vulnerabilities by Security Companies

Vulnerabilities by Vendors
ClamAV Kaspersky Lab Cisco Trend Micro Symantec McAfee ISS Checkpoint CA 0 200 400 600 800 1000 1200

www.ivizsecurity.com

Vulnerabilities in Security Products

Vulnerabilities in Security Products
F-Secure Anti-virus Cisco PIX Firewall Sophos Anti-virus Cisco Adaptivesecurity Appliance Kaspersky Anti-virus ClamAV Anti-virus Trend Micro Officescan AVG AntiVirus Norton Personal Firewall Norton AntriVirus Checkpoint Firewall-1 Symentec Norton Internet Security McAfee Anti Virus 0 10 20 30 40 50 60 70 80

Figure 6: Shows number of vulnerabilities found in some of the major security products existing today. X axis display number of vulnerabilities and Y axis display some of the major security products. Total vulnerabilities against each security product are calculated by considering all the versions of the products and their individual vulnerabilities discovered over the past years.

www.ivizsecurity.com

10

Type of Vulnerabilities in Security Products vs General Products

All Products Security Products

1% 1% 1% 1% 3% 4% 5% 6% 6% 7% 14% 15% 2% 1% 1% 0% 15%

SQL Injection 0% XSS Buffer Errors Access Control Input Validation Code Injection Resource Management Errors Path Traversal 13% 11% 4% Information Leak Numeric Errors Authentication Issues 19% 3% 4% 5% 0% 1% 2% 1% 2% 5% 10% 0%

SQL Injection XSS Buffer Errors Access Control Input Validation 19% Code Injection Resource Management Errors Path Traversal Information Leak Numeric Errors Authentication Issues

2%

1%

8%

9%

www.ivizsecurity.com

11

Conclusion

The two largest threats to security product vendors/developers are : The Black 0-Day Market Cyber Warfare

Vulnerabilities are as common in security products as they are in non security products. As per the Global Risk 2012 report, the cost of each cyber crime is 5.9 million USD and likely to grow. There is no foolproof solution to mitigate Cyber Warfare Attacks, but we can take suitable measures to ensure security is itself more secure in the future.

www.ivizsecurity.com

12

Some thoughts..

Security companies do not necessarily produce secure software

Security products can itself serve as a door for a hacker

Security Products are High Pay-off targets since they are present in most systems
APT and Cyber-warfare makes Security Products as the next choice

www.ivizsecurity.com

13

 Are you sure if your web-application is Secure? Check out our Cloud based Penetration Testing solution with Zero False Positive Guarantee : www.ivizsecurity.com

Bikash Barai CEO, Co founder of iViZ

Blog: http://bikashbarai.blogspot.in Linkedin: http://www.linkedin.com/pub/bikash-barai/0/7a4/669 Twitter: https://twitter.com/bikashbarai1

Thank you
14