Commercially available IT software products, services and devices, commonly referred to as COTS (commercial off-the-shelf), have become part and parcel of an organization's IT environment. Many financial and government systems, and to some extent military systems, also rely on these products. There have been incidents of backdoors being discovered in commercial products purchased from reputable vendors. For instance, the backdoor disclosed in Juniper's ScreenOS firewalls in December 2015, which gave remote attackers administrative control over the device, has highlighted the need to consider the risks posed by such backdoors.
The what, how and who of backdoors
A backdoor is an alternate, undocumented method of bypassing the access control mechanism of a system, piece of software or algorithm. Backdoors may be embedded at several layers: in an application's program logic, in the operating system, or lower still in firmware such as the BIOS. To the purchasing organization the product is a black box; the IT team has very little insight into what lies beneath the shiny piece of equipment or the software interface, and even a skilled team cannot audit what it cannot see. Many of the backdoors that have become public are attributed to state agencies seeking to snoop on communications and gather intelligence.
Notable instances of vendors being barred from doing business over suspected backdoors in their products are Huawei and ZTE: both Chinese technology companies are banned from bidding for U.S. government contracts. The Edward Snowden revelations exposed how the US NSA had placed backdoors in Cisco products shipped overseas. Additionally, there has been a proposal from the Obama administration to legalise encryption backdoors in technology products so that authorities can access encrypted data. Such a proposal, if passed into law, could have serious ramifications for individual privacy and security, since an access path created for one party can be discovered and used by another.
Several factors make backdoors in COTS products difficult for a customer to manage:
- Lack of access to source code - Vendors do not share source code, design artefacts or detailed technical documentation, since all of these are considered proprietary. In the case of the Juniper firewall, the backdoor was reportedly found during an internal code review by Juniper itself; customers, who had only the shipped binaries, were in no position to find it.
- Lack of awareness - Many organizations are either unaware of, or have not considered, the risk of backdoors in their IT infrastructure. As a result, they are unprepared to deal with incidents arising from such a breach.
- Limited legal liability for vendors - Most organizations have very little legal recourse if a backdoor is found in a vendor product, since most licence agreements absolve the vendor of any direct or consequential liability.
The following best practices and countermeasures can help mitigate the risk of backdoors in your IT infrastructure.
- Security in diversity - Explore the possibility of using products from multiple vendors in your IT environment. In certain scenarios this provides defence in depth and limits the impact of a backdoor in any single vendor's product. For instance, in an n-tier firewall architecture, consider using firewalls from different vendors at each tier boundary, so that one vendor's backdoor does not open every tier. The downside is the interoperability and integration work for the operations team, and the broader skill set required to run IT operations.
- If you own it, you can secure it - Critical infrastructure of national importance should run on platforms whose source code is available for audit, analysis and hardening. For example, sensitive government and military systems in China run on Kylin OS, a home-grown operating system originally derived from FreeBSD. Note that source availability only helps if the code is actually reviewed and the deployed binaries are verifiably built from the reviewed source. For many commercial organizations this option will not survive a simple cost-benefit analysis.
- Getting the product certified by an independent third party or agency - Certification (for example under Common Criteria) provides some assurance about the security of the product and helps management with accreditation. Keep in mind that a certificate covers a specific version and configuration evaluated against a defined target; it is not a guarantee that the product contains no backdoor.
- Logging & incident response - Forward logs from critical systems (administrative logins, configuration changes, unexpected outbound connections) to a platform with automated log analysis and response capabilities. A login through a backdoor often looks like an ordinary administrative login, so baselining who logs in, from where and when is what makes the anomaly visible.
- Regular patches & updates from vendors - Vendors issue advisories, hot fixes or patches for backdoors and vulnerabilities discovered in their products. The IT operations team is expected to apply the fixes promptly and follow the instructions in the advisories, including verifying the integrity of downloaded images against the vendor's published hashes or signatures.
- Engaging with the security research and end-user community - Keeping abreast of the latest exploits and security news, and subscribing to vendors' user forums, may provide early insight into possible anomalies or backdoors in your environment.
- Cyber insurance - Organisations should consider a cyber insurance policy to cover potential damages caused by unauthorized parties exploiting a backdoor in their systems.
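As an added example (not part of the original article, and not any vendor's code), the following Python script shows the kind of automated check the logging and incident response point describes: it parses administrative-login events from a firewall's syslog feed and flags logins that fall outside a management-plane policy. The log layout, host names, addresses, account names and policy values are constructed for illustration and must be adapted to the actual format your devices emit.

```python
"""Flag anomalous administrative logins on network devices.

Added example for this article, not vendor code. The syslog-style layout,
host names, addresses and account names below are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample feed: a mix of login and non-login events.
SAMPLE_LOGS = """\
2016-01-05T09:12:01Z fw-edge-1 login: admin user alice logged in via ssh from 10.10.5.23
2016-01-05T09:13:00Z fw-edge-1 config: admin user alice modified policy 12
2016-01-05T09:40:17Z fw-edge-1 login: admin user bob logged in via https from 10.10.5.41
2016-01-05T23:58:42Z fw-edge-1 login: admin user system logged in via ssh from 203.0.113.77
2016-01-06T02:03:09Z fw-edge-2 login: admin user alice logged in via telnet from 10.10.5.23
2016-01-06T02:03:10Z fw-edge-2 login: admin user alice logged in via ssh from 10.10.5.23
2016-01-06T10:15:00Z fw-edge-2 login: admin user carol logged in via ssh from 198.51.100.9
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: admin user (?P<user>\S+) "
    r"logged in via (?P<proto>\S+) from (?P<src>\S+)$"
)

# Management-plane policy (assumed values): who may log in, from where,
# over which protocols, and during which hours (timestamps are UTC).
POLICY = {
    "mgmt_nets": [ipaddress.ip_network("10.10.5.0/24")],
    "known_admins": {"alice", "bob", "carol"},
    "allowed_protos": {"ssh", "https"},
    "business_hours": (time(7, 0), time(20, 0)),
}


def parse_login(line):
    """Return a dict for an admin-login line, or None for any other event."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def check_login(ev, policy=POLICY):
    """Return the list of policy violations for one login event (empty if clean)."""
    reasons = []
    src = ipaddress.ip_address(ev["src"])
    if not any(src in net for net in policy["mgmt_nets"]):
        reasons.append("source outside management network")
    if ev["user"] not in policy["known_admins"]:
        reasons.append("unknown admin account")
    if ev["proto"] not in policy["allowed_protos"]:
        reasons.append("disallowed protocol")
    start, end = policy["business_hours"]
    if not start <= ev["ts"].time() <= end:
        reasons.append("outside business hours")
    return reasons


def analyse(log_text, policy=POLICY):
    """Run every login event in the feed through the policy; return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_login(line)
        if ev is None:
            continue  # not a login event; ignored by this check
        reasons = check_login(ev, policy)
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['host']}: {a['user']} from {a['src']} "
              f"-> {', '.join(a['reasons'])}")
```

Lines that are not login events are skipped, so the same feed can carry configuration-change events for a separate check. The account, source and time checks are the ones most relevant to a hidden credential: a backdoor that authenticates with a fixed password still has to connect from somewhere and show up as some account, and a baseline of legitimate administrators, management networks and working hours is what makes that login stand out from routine activity.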
Instances of backdoors being found in commercial products are on the rise. The risk posed by the continued use of such products in an organization's IT environment needs to be considered by CXOs as part of the organization's overall enterprise risk management strategy.
Glenn Greenwald. 2014. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. Metropolitan Books.
Doug Young. 2013. Huawei, ZTE Banned From Selling to U.S. Government. [ONLINE] Available at: http://techonomy.com/2013/04/huawei-zte-banned-from-selling-to-u-s-government/
Kim Zetter. 2015. Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors. [ONLINE] Available at: http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/
Iain Thomson. 2013. Snowden leak: Microsoft added Outlook.com backdoor for Feds. [ONLINE] Available at: http://www.theregister.co.uk/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/
Authored by Suhas Bhat