Cybersecurity experts called for companies including Kaseya—the remote computer management software provider whose customers were exposed in a major ransomware attack this past weekend—to stop encouraging users to take security shortcuts.
In the attack, hackers affiliated with the REvil group, known for demanding $11 million from meatpacker JBS in an earlier attack, infected thousands of victims’ computers around the world through remote managers of local business IT systems, demanding a total ransom of $70 million.
Experts say malicious hacks like these can be aided by widespread use of security shortcuts that are encouraged by some software service providers. Kaseya, a provider of remote software updates and other services to between 800,000 and 1 million end-users, instructs customers to disable antivirus and other security applications’ ability to scrutinize and possibly raise alarms about Kaseya’s trusted software updates. That practice, experts say, weakens a layer of protection designed to detect suspicious code such as REvil’s.
“As a security professional, any software that recommends I disable my security software right away generates red flags in my mind and gives me a queasy feeling in my gizzard,” said Richard Forno, assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County.
Forno says the increasing popularity of “software as a service,” or SaaS, means customers are potentially admitting a constant stream of unchecked data into their computers without stopping to check whether it’s problematic.
A Kaseya spokeswoman said that the company responded rapidly to protect customers following the attack. “Kaseya was designed and built with security as the fundamental building block to its core architecture,” she said in an email. “There is no evidence to support the claim that users were made vulnerable due to Kaseya’s antivirus and firewall policies.”
While there is no evidence that Kaseya’s policy helped REvil target customers, cybersecurity software providers such as Cisco, Symantec, and operating system provider Blackberry, contend their security products would have blocked the attack.
Cisco security specialist Craig Williams says Cisco and other companies don’t ask users to disable security software, even though this is more difficult and costly than simply encouraging users to stop their machine from scanning for malicious code from certain providers. “It’s really taking advantage of holes in vulnerability if software does not adhere to best practices in terms of security,” he said.
The practice of disabling antivirus scanning for data from specified providers is common enough that Microsoft publishes instructions for Windows users to exclude trusted file types or processes from its security features, so that an antivirus program won’t block, or alert the user about, code it would otherwise interpret as malicious. However, Microsoft also warns its customers that this practice could expose their computer to hackers.
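As an added example that is not from the article or from any vendor's documentation, the PowerShell script below reads the Microsoft Defender exclusions configured on a Windows host through the built-in Get-MpPreference cmdlet and flags the kinds that most weaken the scanning layer described above: whole-drive or user-writable folder paths, processes excluded by bare image name, and extension exclusions. The list of "broad" folders is an illustrative assumption, not a standard.

```powershell
# Added example: audit Microsoft Defender exclusions and flag broad ones.
# Uses the built-in Defender module (Get-MpPreference); run in an elevated shell.
# The broad-root list is an illustrative assumption, not a Microsoft baseline.
$broadRoots = @('C:\', 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp', $env:TEMP)

function Test-BroadPath {
    param([string]$Path)
    $p = $Path.TrimEnd('\')
    # A wildcard pattern is treated as broad regardless of where it points.
    if ($p -match '[\*\?]') { return $true }
    foreach ($root in $broadRoots) {
        if ($p -ieq $root.TrimEnd('\')) { return $true }
    }
    return $false
}

$pref = Get-MpPreference
$findings = @()

foreach ($path in @($pref.ExclusionPath)) {
    if (-not $path) { continue }
    $sev = if (Test-BroadPath $path) { 'HIGH' } else { 'INFO' }
    $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Severity = $sev
        Note = 'Files under this path are never scanned' }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if (-not $proc) { continue }
    # A bare image name matches any process with that name, wherever it runs;
    # a full path is narrower, though files it opens are still unscanned.
    $sev = if ($proc -notmatch '\\') { 'HIGH' } else { 'MEDIUM' }
    $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Severity = $sev
        Note = 'Files opened by this process are not scanned' }
}
foreach ($ext in @($pref.ExclusionExtension)) {
    if (-not $ext) { continue }
    $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext; Severity = 'HIGH'
        Note = 'Every file with this extension is skipped' }
}

if ($findings.Count -eq 0) {
    'No Defender exclusions configured.'
} else {
    $rank = @{ HIGH = 0; MEDIUM = 1; INFO = 2 }
    $findings | Sort-Object { $rank[$_.Severity] } | Format-Table -AutoSize
}
```

Each flagged entry is a place where a vendor's trusted-update advice has removed scanning, so the output is a starting list for deciding which exclusions can be narrowed to a full path or dropped.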
A problem for investors is that companies don’t have proper incentives for preventing attacks. Herb Lin, cyber policy and security scholar at Stanford University’s Hoover Institution, said companies spend too much energy avoiding responsibility for attacks, rather than preventing them. As a result, manufacturers don’t take responsibility for fully protecting themselves from security breaches, he said.
Kaseya’s end-user agreement largely absolves it of breaches that compromise customers’ data unless there was gross negligence or misconduct.
A Kaseya spokeswoman said in an email that their agreement’s language is “standard for our industry.”
According to Lin, widespread use of such agreements is precisely the problem.
“Companies go out of their way to say we’re not liable for any consequences of this type of attack,” he said, pointing to user agreements that pre-emptively absolve companies of responsibility, and to seemingly catastrophic events that have done no lasting harm to companies’ stock prices.
Parham Eftekhari, executive director of the Washington, D.C., cybersecurity think tank Institute for Critical Infrastructure Technology, thinks companies need to be held accountable for their security lapses and should ideally follow a strategy known as “zero trust,” where every contact with an organization’s network is rigorously checked for malicious code.
“[C]ompanies who manufacture technology ultimately should be held liable, and I think that end-user agreements right now are slanted too far in favor of corporations,” he said. “The world is built around insecure technology. We’re just going to continue to see huge incident after huge incident.”