Security vendor hacked: What’s it mean for IT?
February 21, 2013 by Sam Narisi. Posted in: Information security, Latest News & Views
As a recent hack against one vendor shows, IT security firms face the same challenges with protecting data as every other company.
But of course, when security firms aren’t secure, that can have big implications for the security of other organizations.
Here’s what happened:
Hackers recently broke into the network of Bit9, a vendor that sells an application white-listing service so companies can make sure they’re only installing software that has been certified as secure.
You can probably guess where the story goes from here — the hackers stole a digital certificate and used it to sign malicious software. Bit9 informed a few customers that they had been infected with malware (as far as the company knows, just three organizations were infected).
The cause of the breach? Bit9 failed to install its own product on some machines, allowing attackers to access the network, the IT security vendor said in a blog post.
This isn’t the first time an IT security vendor has had security problems of its own. Late last year, some vulnerabilities were discovered in antivirus software from Sophos that may have put customers’ systems at risk.
Where to invest in IT security?
Those incidents raise two important issues for IT and Finance departments. The first is that part of a company’s IT security plan should involve all applications on the network — and that includes security tools. Experts have warned companies that security applications can be vulnerable just like any other software. They recommend companies:
- Include security infrastructure in the scope of your penetration testing
- Monitor device behavior
- Reduce the chances of attack by disabling unnecessary features
- When possible, test the security of tools before you buy them and factor security into buying decisions, and
- Review security advisories closely and patch immediately, as you would with any other software.
The second point is that companies can’t rely on one form of protection alone, whether that’s application white-listing, antivirus software, firewalls, etc. For an effective IT security program companies need to invest in a multi-layered approach, using tools such as:
- Encrypting specific drives and folders that contain sensitive data
- Limitations on employees’ access rights, and
- Network segmentation, so that an intruder into one area doesn’t have access to all the data stored throughout the company.
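The stolen-certificate story above and the multi-layered advice that follows it can be illustrated with a small allowlist policy check. This is an added example, not Bit9’s product or code: it models a publisher-trust allowlist with a revocation layer, using Ed25519 keys as a stand-in for a code-signing certificate, and shows that a binary with a valid signature from a trusted publisher is allowed until that publisher’s key is revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Verdict struct {
	Allowed bool
	Reason  string
}

// Policy is a two-layer allowlist: publisher signing keys that are trusted,
// and keys revoked after a compromise. Revocation is what stops a stolen key.
type Policy struct {
	TrustedKeys map[string]ed25519.PublicKey
	RevokedKeys map[string]bool
}

func fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// Evaluate decides whether a signed binary may run under the policy.
func (p Policy) Evaluate(binary, sig []byte, signer ed25519.PublicKey) Verdict {
	fp := fingerprint(signer)
	if p.RevokedKeys[fp] {
		return Verdict{false, "signer key revoked"}
	}
	if _, ok := p.TrustedKeys[fp]; !ok {
		return Verdict{false, "signer not trusted"}
	}
	if !ed25519.Verify(signer, binary, sig) {
		return Verdict{false, "bad signature"}
	}
	return Verdict{true, "valid signature from trusted publisher"}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := Policy{map[string]ed25519.PublicKey{fingerprint(pub): pub}, map[string]bool{}}
	// Constructed sample: malware signed with the vendor's stolen key.
	malware := []byte("constructed sample: malicious payload")
	sig := ed25519.Sign(priv, malware)
	fmt.Println(p.Evaluate(malware, sig, pub)) // allowed: the signature alone is not enough
	p.RevokedKeys[fingerprint(pub)] = true     // the vendor revokes the compromised key
	fmt.Println(p.Evaluate(malware, sig, pub)) // blocked: signer key revoked
}
```

The first verdict is the gap the attackers exploited; the second is the layer (revocation, backed by monitoring of what actually ran) that closes it.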