Despite the extensive bug and vulnerability testing carried out by software companies on their products, security flaws often still remain. If left undiscovered, these flaws can be found and exploited by hackers who then leverage them to launch attacks on businesses and consumers.
Thankfully though, security researchers are there to pick up some of the slack and find these vulnerabilities before they can be discovered by hackers. To learn more about what being a security researcher entails, TechRadar Pro spoke to security researcher at SafeBreach Labs, Peleg Hadar.
What are some key aspects of your role as a security researcher?
At the center of our work is searching for new security concepts and mechanisms that haven’t been attacked before. Fresh targets are more likely to contain bugs which can put users at risk. Generally, we try to be as creative as hackers, and a month or two ahead of them.
We hunt for new concepts which might be used to attack high-value targets and we seek ideas to mitigate these. To do this, a researcher needs to understand patterns of previous attacks and techniques, categorize them and use that knowledge to develop new mitigations for new attacks that are similar.
Of the 23 major security vulnerabilities you disclosed between June and December of last year, which was the most severe and has it been patched?
Tough question! They are all potentially severe, so it’s difficult to point to just one, but I believe that the vulnerabilities we found on antivirus products, and the ones that we found on major brand laptops (directly from their supply chains) would have the most impact as they impact millions of users.
Most software vendors we inform about vulnerabilities are fast to mitigate and patch. Users around the world need to be faster and more diligent to install updates and patches.
What are some of the common themes and root causes across vulnerabilities that allow attackers to execute malicious code?
It is surprising - except to hackers - how an easily fixed yet dangerous omission can lurk for years in numerous products from competing vendors. For example, we found several security tools that loaded and executed unsigned arbitrary files without further verification.
Currently, there is no operating system-wide policy on Windows to restrict this practice, so software developers must explicitly enforce it when they implement their code.
What are your thoughts on bug bounty programs, and do you think that all large companies should have one in place?
The idea of bounties is interesting, but from my experience they can actually slow the process of reporting vulnerabilities, because another team looks at the report before the original vendor sees it. It might not even be forwarded to the company as the initial third-party triage team can decide it’s not important enough. These cases might be dangerous and can leave vulnerabilities unpatched.
Why do you think that global software and hardware companies should have a highly visible public security policy?
Each tech vendor should assign effort and resources, including people, to handle external security reports about their products. Sometimes it’s really hard for researchers to know who they should inform about a serious flaw, because the right people are not identified.
We in the security research community try to inform vendors first, because we want security gaps fixed, so let’s cooperate and make the world a safer place.
What advice would you give to businesses trying to avoid falling victim to security vulnerabilities?
First and foremost, always keep your software and hardware up to date. I can’t say it enough; it’s really important and it’s the simplest, least expensive way to stop many attacks. Also, as an ongoing practice, challenge your security products and solutions, and validate them - attack them the way attackers will and do it on a continuous basis. Simply installing them is not enough.
Many security tools are misconfigured and drift over time. Continuous attack simulation can catch configuration errors. It’s also crucial to train employees and boost their awareness of cyber threats, and how to foil them. Humans are usually the weakest link in the security chain and often allow attackers to infiltrate the network through basic social engineering.
What cyber threats are currently on your radar for 2020?
I am confident we’ll continue to combat ransomware and spear phishing emails - attacks that use social engineering are very effective for attackers. Much of our focus will be on seeking new high-priority vulnerabilities and checking popular products.