Should You Put All Your Eggs in One Firewall? The Perils of Blind Trust in Cybersecurity Vendors
Tracing the arc of cybersecurity, from the days of rudimentary antivirus software to today’s advanced AI-driven defences, it’s clear that protecting our digital world has never been more critical. In many ways, strong cyber defences have become the backbone of a secure digital world.
However, a recent disclosure of critical flaws in products from Fortinet, a cybersecurity industry leader, flaws that may already have been exploited in the wild, raises a chilling question: what happens when the guardians themselves become the target?
When Cybersecurity Becomes a Liability
In 2022 and 2023, hackers believed to be linked to China exploited a zero-day vulnerability in Fortinet’s FortiGate firewalls, a cornerstone security product for countless organisations. This breach compromised at least 20,000 devices, primarily targeting Western governments, defence contractors, and international organisations. The Fortinet incident exposes a terrifying domino effect—a breach at a cybersecurity company can leave its clients vulnerable and scrambling to patch their exposed systems.
Perhaps the most concerning example comes from the 2020 SolarWinds supply chain attack. This attack came to light after FireEye, a prominent cybersecurity firm known for its threat intelligence capabilities, identified a sophisticated intrusion within its own systems. FireEye’s investigation uncovered malicious code hidden within a software update it had received from SolarWinds, a widely used network management tool provider. Apparently, hackers had infiltrated SolarWinds and injected this code, compromising the update and, through it, the numerous organisations that unknowingly installed the tainted SolarWinds software.
The SolarWinds attack showcased the interconnectedness of the technology landscape and the potential for a single breach to have far-reaching consequences. It also opened the world’s eyes to the vulnerability of even cybersecurity companies, which can become targets themselves and serve as unwitting entry points for attackers.
These incidents clearly show that no security solution is foolproof. So, how can businesses navigate this ever-evolving threat landscape and ensure their defences remain strong, even when the trusted solutions they rely on might be vulnerable?
Building Defences Beyond Vendor Trust
According to Kelvin Lim, Senior Director and Head of Security Engineering, APAC, at Synopsys Software Integrity Group, there are valuable practices that businesses and consumers can adopt to minimise their exposure to security breaches, even when trusted security vendors are affected.
First and foremost, Kelvin advises purchasing IT products and solutions from trusted vendors recognised under national certification schemes, such as the Cyber Security Agency of Singapore’s Cybersecurity Labelling Scheme (CLS). This can help organisations identify products with robust cybersecurity provisions and enable more informed decision-making.
However, Kelvin notes that “it is not uncommon for IT solutions to have bugs.” To mitigate risks, businesses and consumers should proactively update their IT products and solutions when vendors release security fixes. Staying current with updates ensures that known vulnerabilities are promptly addressed.
Implementing a defence-in-depth strategy is also crucial. “Defence in depth is a strategy that employs multiple security approaches to protect an organisation’s assets,” Kelvin explains. By having multiple layers of defence, organisations can ensure that if one line of defence is compromised, additional layers will act as backups to neutralise threats. This approach addresses security flaws in hardware, software, and human factors, as ignorance or human error are often sources of breaches.
As part of these “layers,” businesses should consider implementing security solutions from multiple vendors. For instance, deploying two firewalls from different manufacturers can provide an extra layer of protection. If a security bug compromises the first firewall, the second firewall from a different manufacturer may not share the same vulnerability.
Last but not least, Kelvin emphasises the importance of continuously monitoring security conditions. This way, he elaborates, “organisations can identify and address security breaches or vulnerabilities before they are exploited by continually monitoring applications, systems, and network activities.”
Kelvin believes these practices can help businesses and consumers bolster their defences and maintain resilience, even when their most trusted security partners are breached or compromised.
Limiting the Blast Radius
“All companies, even those selling security software, have a supply chain that could involve hundreds of partners, and just as many, if not more, open-source software libraries,” says Robin Doherty, Business Information Security Officer, APAC at Thoughtworks. This interconnectedness means vulnerabilities in one part of the supply chain can affect many others.
Robin acknowledges that breaches are a matter of when, not if. In the case of a supply chain compromise, he stresses the importance of limiting the “blast radius.” This involves regular practice in managing smaller incidents and conducting tabletop exercises with fictitious scenarios. “The practice should not be limited to the security team alone – in a vendor breach scenario, everyone from the executive leadership team to lawyers to the HR team could get involved,” he advises. Regular incident response drills help identify and address problems before they escalate.
When a security incident occurs, it’s crucial to activate the incident response team to follow the predefined plan, quickly rotate credentials, and decommission, patch, or reconfigure systems as necessary. Companies should also enhance their security monitoring to detect potential intrusions early on.
Robin notes that security tools often have broad privileges within an organisation and should be managed with the highest level of scrutiny. While most security partners will have basic certifications like ISO 27001 and SOC 2, it’s vital to seek additional information to assess their internal security practices thoroughly. Building strong relationships with partners and holding them accountable is essential for effective security management.
“Information flow can be sporadic when security incidents do happen, which means companies should not be completely dependent on their security partners,” Robin warns. Organisations must be prepared to disconnect partners from their networks and investigate impacted systems using their own security tools.
Remember, Who Guards the Guardians?
We tend to believe that cybersecurity companies are the most capable of defending against cyber threats, as it is the core of their business. This trust is well-placed, but we must remember the age-old question: Who guards the guardians?
In today’s era of highly sophisticated attacks, it is not surprising that some attempts to compromise these vigilant defenders will succeed, with potentially catastrophic results. It is crucial for companies to keep this in mind and to apply the steps discussed in this article to enhance their own security measures. By doing so, if a breach does occur, they can stay protected and at the very least minimise its impact.