(In)Security in Security ProductsWho do you turn to when your security product becomes agateway for attackers?            ...
About the report• Security Products are present in most of the systems and theoretically can  become a “high pay-off” targ...
How are security vendors doing in terms of           protecting their own products?   According to our “(In)Security in Se...
Vulnerabilities in Security Products• Man in the Middle (MITM) vulnerability in Symantec Backup Exec 12.1• Remote Code Exe...
6
7
8
Vulnerabilities by Security Companies                                 Vulnerabilities by Vendors     ClamAVKaspersky Lab  ...
Vulnerabilities in Security Products                                Vulnerabilities in Security Products               F-S...
11
ConclusionThe two largest threats to security product vendors/developers are :-• The Black 0-Day Market• Cyber Warfare   V...
Some thoughts..• Security companies do not necessarily produce secure software• Security products can itself serve as a do...
• Are you sure if your web-application is Secure?• Check out our Cloud based Penetration Testing solution with “Zero False...
Upcoming SlideShare
Loading in …5
×

Insecurity in security products v1.5

384 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
384
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Should be “Cloud-based”, not “On Demand”
  • Insecurity in security products v1.5

    1. 1. (In)Security in Security ProductsWho do you turn to when your security product becomes agateway for attackers? 1
    2. 2. About the report• Security Products are present in most of the systems and theoretically can become a “high pay-off” target for hackers after the OS, Browsers etc.• At iViZ we wanted to study how secure are the security products• iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and Nation Vulnerability Database (NVD) for the Analysis www.ivizsecurity.com 2
    3. 3. How are security vendors doing in terms of protecting their own products? According to our “(In)Security in Security Products” report,• More recently, hackers have claimed to be in possession of the source code for Symantecs PC anywhere tool and Norton antivirus. www.ivizsecurity.com 3
    4. 4. Vulnerabilities in Security Products• Man in the Middle (MITM) vulnerability in Symantec Backup Exec 12.1• Remote Code Execution via buffer overflows vulnerability in Symantec Veritas Enterprise Administrator products• Encryption bypass of major disk encryption software’s including Microsoft Bit locker, True Crypt and MacAfee Safe Boot Device• Remote code execution vulnerabilities in various anti-virus products including AVG, F-Secure, Sophos and ClaimAV etc For Details: http://www.ivizsecurity.com/security-advisory1.html www.ivizsecurity.com 4
    5. 5. 6
    6. 6. 7
    7. 7. 8
    8. 8. Vulnerabilities by Security Companies Vulnerabilities by Vendors ClamAVKaspersky Lab Cisco Trend Micro Symantec McAfee ISS Checkpoint CA 0 200 400 600 800 1000 1200 www.ivizsecurity.com 9
    9. 9. Vulnerabilities in Security Products Vulnerabilities in Security Products F-Secure Anti-virus Cisco PIX Firewall Figure 6: Shows number of Sophos Anti-virus vulnerabilities found in Cisco Adaptivesecurity Appliance some of the major security products existing today. X Kaspersky Anti-virus axis display number of vulnerabilities and Y axis ClamAV Anti-virus display some of the major security products. Total Trend Micro Officescan vulnerabilities against each AVG AntiVirus security product are calculated by considering Norton Personal Firewall all the versions of the products and their Norton AntriVirus individual vulnerabilities Checkpoint Firewall-1 discovered over the past years.Symentec Norton Internet Security McAfee Anti Virus 0 10 20 30 40 50 60 70 80 www.ivizsecurity.com 10
    10. 10. 11
    11. 11. ConclusionThe two largest threats to security product vendors/developers are :-• The Black 0-Day Market• Cyber Warfare Vulnerabilities are as common in security products as they are in non – security products. As per the Global Risk 2012 report, the cost of each cyber crime is 5.9 million USD and likely to grow. There is no foolproof solution to mitigate Cyber Warfare Attacks, but we can take suitable measures to ensure security is itself more secure in the future. www.ivizsecurity.com 12
    12. 12. Some thoughts..• Security companies do not necessarily produce secure software• Security products can itself serve as a door for a hacker• Security Products are “High Pay-off” targets since they are present in most systems• APT and Cyber-warfare makes “Security Products” as the next choice www.ivizsecurity.com 13
    13. 13. • Are you sure if your web-application is Secure?• Check out our Cloud based Penetration Testing solution with “Zero False Positive Guarantee” : www.ivizsecurity.com Bikash Barai CEO, Co – founder of iViZ Blog: http://bikashbarai.blogspot.in Linkedin: http://www.linkedin.com/pub/bikash-barai/0/7a4/669 Twitter: https://twitter.com/bikashbarai1 Thank you 14

    ×