fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 

Testing the Vendor Guarantees. Guaranteed Security….Just Show Us the Money!

Every now and then, a vendor makes a claim about their products or services that actually gets tested.  Not by a lab with a "representative" environment, but by Blackhats in a production environment.  Read on for just such a case...  My thanks to Drazen for delivering a fudsec sledgehammer :).

By Drazen Drazic

I’ve been waiting a while for a higher profile test case and it’s finally arrived.  

Integral Energy, one of Australia’s largest energy corporations, has been in a spot of bother in recent times, as reported here:

http://www.smh.com.au/technology/security/sinister-integral-energy-virus-outbreak-a-threat-to-power-grid-20091001-gdrx.html 

If all reports are correct, the critical infrastructure organisation’s networks “are protected by a Symantec security solution”.  

Now going by my last correspondence with Symantec here, they guaranteed me that their product would provide “…..proactive protection against unknown and zero day threats”.  

Being slightly dubious of these claims, I asked for confirmation and was told by the Symantec representative: “I can confirm this statement is correct”.

Wanting to double- and triple-check that they stood by their claim (being the cynic that I am), I asked again. They re-stated the claim, slightly modified this time but with the same end message: “This is one of the value statements of our product which we standby but I cannot personally guarantee that anything will not happen. If you configure and install the product correctly, then we will stand by this statement”.

Now Integral Energy may have a claim here. But I wonder if Symantec can argue the case that they only provide “…..proactive protection against unknown and zero day threats”, and that this being an old piece of badware means all guarantees are null and void ;-).


Comments (9)

Oct 23, 2009
John Pirc said...
Interesting....do they protect against Advanced Persistent Threats? IMHO, not likely...excellent post....time to separate the boys from the men ;-)
Oct 23, 2009
wgragido said...
Interesting post. Shame on them first and foremost for providing connectivity between their production and 'SCADA' environments... though not uncommon, it is alarming and should be treated as such. Virut was nasty and if memory serves me correctly it was a trojan-rootkit hybrid...if they detected the rootkit (if), they would have needed a sample to do so. As there is, generally speaking, a low likelihood of detecting rootkits in the first place, things really get sticky when trying to remove them...depending how they were architected and to what degree, this may not be possible with traditional vendor supported tools. Great post. Time for change.
Oct 24, 2009
Anonymous Coward said...
Their SCADA network is firewalled.
Oct 25, 2009
Drazen Drazic said...
From what I gather from contacts, some security practices could be better in this organisation given it is "critical infrastructure". Just what I have heard. They're not a client.

So will they test the guarantee? :)

Oct 25, 2009
Has anyone ever challenged the guarantee of their AV provider?
Oct 25, 2009
Drazen Drazic said...
Christian, I think it goes a little like this :)

1. Questionable marketing
2. Rope client in with the claims
3. Get client to then sign contract which covers up the "error of their ways" in the sales and marketing part of the deal, i.e. claims are no longer stood by and use this software at your own risk.

It would be interesting to know if, anywhere in the world, the advertising/marketing approaches have been tested in court?

DD

Oct 25, 2009
Exactly!
Oct 29, 2009
wgragido said...
@Christian I think people challenge the guarantees made by providers routinely. Clients and customers will vote with their feet (e.g. move to another vendor provider etc.), if they deduce that their needs are not being met and they are not being treated in a manner they believe is commensurate with the value they perceive their investments should entitle them to. I don't necessarily believe that vendors intentionally leverage questionable marketing (having worked for vendors I think that at times it is an educational issue internally which needs to be overcome as marketing professionals, rarely if ever, are security professionals). Furthermore, I do not believe (or at least it hasn't been my experience), that it is standard practice by vendors to deceive current or prospective clients. I think it is a two way street: vendors need to be held accountable and the only way to do that is to exhaustively inspect what you expect!

With regards to the contractual verbiage, any vendor worth their salt will do back flips to retain their footholds in their clients. It's in their best interests to do so given that revenue (especially true of AV vendors) is dependent upon subscription. I have seen amazing lengths gone to by sales professionals and teams on behalf of their clients. At times, I think that consumers (whether they be my mom and dad or a large multi-national conglomerate) simply do not perform due diligence and as a result some can be and are never satisfied. BTW, I fall into this category at times as well; I think we all do. It's instinctive that we desire and expect much value for our investment...whether the investment is a plasma TV or an enterprise grade firewall...

Oct 29, 2009
wgragido said...
If they don't they should...
