Windows Insider

Who's Watching the Watchers? It Better Be You

As the threat landscape gets more complicated, one possible solution seems obvious: Deploy more third-party security software. But what happens when those programs turn out to be part of the problem?

Quis custodiet ipsos custodes? If, like me, you didn't pay attention in some of those dry college classes, you might not recognize this Latin phrase. It literally translates to "Who will guard the guards themselves?" or, sometimes, "Who watches the watchers?" And it should be on the mind of every IT pro who manages a Windows network.

As the threat landscape gets more complicated, one possible solution seems obvious: Deploy more third-party security software. But what happens when those programs turn out to be part of the problem? Who watches the watchers?

This isn't theoretical. IT pros have historically treated third-party antivirus software and related security solutions as a given. The problem is, each new piece of software you install actually increases your attack surface -- the number of entry points of intrusions into your network.

Consider the case of Symantec's security software, which includes the popular Norton brand of antivirus products. The U.S. Computer Emergency Readiness Team (US-CERT), which is the division of the U.S. Department of Homeland Security that monitors threats to online infrastructure, issued a stern warning in 2016 affecting 24 Symantec products. Some of the vulnerabilities "require no user interaction and are network-aware, which could result in a wormable event."

If you think you can dodge those issues by choosing a different platform, think again. The US-CERT warning says: "The large number of products affected (24 products), across multiple platforms (OS X, Windows and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event."

There's no indication that malicious actors were able to exploit those vulnerabilities, thankfully.

Of course, if you can't exploit flaws in someone else's software, you could always distribute malware directly through a security company's servers. That, incredibly, is what happened to customers of the popular CCleaner utility. For nearly a month, from Aug. 15 to Sept. 12, 2017, anyone who downloaded the CCleaner app got a free bonus: a piece of malware capable of collecting information and downloading additional malicious software.

More than 2 million people reportedly installed compromised copies of CCleaner, which were downloaded from official servers and were signed with the legitimate digital certificates from the developer. The product had been acquired only one month earlier by Czech-based Avast Software, which has the world's largest share in antivirus software.

Another Avast acquisition, AVG Technologies, had previously been accused of bundling adware with its flagship antivirus product and selling user data to advertisers.

Then, of course, there's AO Kaspersky Lab, whose antivirus products and security software have been banned by the U.S. government because of "ties between certain Kaspersky officials and Russian intelligence."

Microsoft isn't immune, either. In early 2017, the company patched a serious vulnerability in the malware protection engine used in every supported version of Microsoft's flagship OS, including Windows 10 and Windows Server 2016.

So far, at least, no reports of large-scale data theft or financial loss from a problem with security software have surfaced. But it's probably just a matter of time before an attacker is successful at exploiting a new, still-undiscovered flaw.

If this punctures the illusion that security software is the primary line of defense against cyberattacks, then maybe all this bad news will have a good effect. My recommendations:

  • Use a multi-layered security strategy. If you can neutralize malicious e-mail attachments and block dangerous Web sites before they reach your users' desktops, you've eliminated the most common vectors for malware.
  • Establishing robust processes to detect intrusions and monitor suspicious behavior is more important than ever. Spotting an attack early limits the ability of attackers to get what they came for.
  • Have a remediation plan. If a determined and skilled attacker gets through your defenses, being able to recover quickly can dramatically cut your losses.

Who watches the watchers? In the final analysis, that job is up to you.

About the Author

Ed Bott is a Microsoft MVP and an award-winning tech journalist who has covered Microsoft for 25 years. He's written numerous books on Windows and Office, including the best-selling "Inside Out" series from Microsoft Press. Bott delivers outspoken advice on a wide range of technology topics at his ZDNet blog, "The Ed Bott Report."


comments powered by Disqus

Subscribe on YouTube