Seeking the Root Causes of Cyber Insecurity, Part II – Browsers and Operating Systems

Second in a series of articles about the underlying factors that affect security posture

We recently conducted a survey of industry experts on the root causes of cyber risk exposure. The consensus is that security flaws are often built into the systems that require protection. This is usually accidental, but laziness and freedom from legal liability also contribute to innate insecurity. The job of defending digital assets becomes difficult, if not impossible in some cases. Indeed, 82% of respondents rated inherent security problems as either a major or extremely serious factor affecting security.

Survey respondents cited browser design as a root cause of vulnerability. As Young-Sae Song of Menlo Security noted, “Browsers are able to download and run a wide range of programs that could be used as a launching point to penetrate a company’s defenses.” Yet, browsers are universal. They form the heart of the digital media ecosystem, the world of e-commerce and cloud computing. Unfortunately, as Cybrary’s Milan Cetic pointed out, “Web browsing can execute code.”


The combination of the inherently insecure browser with standard operating systems (OSes) leads to potentially devastating results. “Vulnerabilities are virtually ubiquitous, in everything from operating systems (Windows/Mac) to many off-the-shelf applications,” said Gary Roboff of The Santa Fe Group. He added, “It’s a constant race between actors who are determined to seek vulnerabilities and exploit them and those who are working every day to mitigate risk.”


Ian Eyberg of NanoVMs spoke to this issue, commenting, “Operating systems in use today – namely Linux for server side applications, are inherently built around a multiple process multiple user model that was designed 50 years ago for the PDP-7. The same design concept that allows users to remotely log in to a server and run another program on it is precisely what gives attackers that capability.” He advocated deploying applications in isolated environments that have “no concept of users nor the ability to run other software in them other than the one that is running.”

Ambuj Kumar of Fortanix further put the matter into perspective, sharing that “infrastructure is far too complex to be secure. It includes so much software, from OS to driver to users to endpoints that inevitably something will be vulnerable. Unfortunately, if anything is insecure, everything is at risk.” His solution? He suggested decoupling security from infrastructure, remarking, “We need an approach that allows applications to run securely even if the infrastructure is compromised.”


“Modern operating systems like Windows are inherently flawed,” said Tal Zamir of Hysolate. He observed that “these operating systems have a huge monolithic codebase (e.g. according to Microsoft, in 2020, Windows has 5.7 million source code files, which means it has at least 100M lines of code!). Therefore, it is extremely hard to defend these operating systems from within these operating systems. It is impossible to protect this amount of code written by thousands of developers over the course of decades.”


The difficulty, according to Zamir, stems from OS vendors’ need to support both legacy code (to keep the operating system backward compatible) and an evergreen flow of new features being released more rapidly than ever. “As a result,” he said, “attackers are able to find critical zero-day vulnerabilities on a weekly basis and defeat any OS-based security features or agents. These security mechanisms have the same privileges as malware that infected the operating system kernel, making these defensive tools fight a cat-and-mouse game with attackers.”

Stay tuned for more articles exploring the root causes of cyber risk.
