Symantec was the victim of an attack where its source code for most major products protecting consumers and enterprises around the world was breached. This attack occurred in 2006 and the source code has been available to parties to leverage for attacking businesses, individuals, and governments since that time. Recently, by the accounts recorded so far, Anonymous gained access to this stolen source code and is now threatening to release it – either generally or for a fee to those who would find value in it.
The result of this has lead Symantec to state in their Security recommendations whitepaper to uninstall or disable the PC Anywhere application. This is a critical application for most, so such a recommendation is quite difficult.
There are a number of issues and risks that arise here that will likely be an ongoing list:
- The source code was lost in 2006, so one can infer that this attack vector and every install was at risk to this attack for the past 6 years
- The presence of source code being released does not in itself create an attack vector – example is how public cryptography is tested openly and the immense use of Open Source software. In this case though, the release progressively escalated the risk from “increased risk” to “uninstall” now risk
- Other major enterprise security applications were also stolen, do the same risks exist and are forth coming?
Symantec is an important security provider, as their systems are installed on a 100+ million end points globally and their PC Anywhere solution provides direct access to global companies.
Given the velocity of updates related to Symantec’s breach, I would offer for discussion the following takeaways:
- There is no silver bullet to be secure and solve this single breach issue in the customer’s of Symantec, so a process must be established
- Review the activity of your firewalls, behavioral analysis systems, and such systems to determine if you have been attacked through this attack vector … over the past 6 years (deep analysis of the Symantec application is in order – the “authorized and approved” connections activities, not just the failed attempts)
- Focus on your programs of complicating the intruder to your system – a great case here … if a malicious user had access to your network what could be done. This question should provide a substantial return in minimizing this type of breach of trust in the security model. Similar cases should include Microsoft remote tools, operating system, and other infrastructure high install base applications.
Below are references to the article, paper, and Symantec’s update page.
- Here is an article on the recommendation to remove PC Anywhere from Computer World
- Here is the whitepaper referenced in the article with additional tips (PDF)
- Here is Symantec’s update on patching the applications.
This impacts all secure environments – PCI and other systems that are depended upon. Perhaps the attack is not intended to modify or damage a system, but for corporate espionage and such. Strong practices and a aggressive risk assessment review cycle is in order – such as ISO 27001 ISMS (done correctly and maturely).