Taking things for granted


Apple is often criticised for how it tries to control what happens to its products. But one company has been strictly controlling what happens to its products for much longer: Microsoft. Microsoft keeps very strict control over what gets delivered via its Windows Update Service. I can’t recall serious issues and, because of this, people have put a lot of trust in the software that comes via this channel.
As most of what is distributed comes directly from Microsoft, they know pretty well what is passed on via Windows Update. But there is an exception: driver updates. Windows Update Services is also used to push device drivers for third-party hardware. In that case Microsoft offers the driver via the Update Catalog. So from an end-user perspective, a newly acquired device is plug-and-play, while under the hood a driver is downloaded and installed. So far, Microsoft has done a good quality-control job here.
Two weeks ago, malware was delivered by means of a driver for the Energizer Duo USB device. This driver caused a stir almost a year ago when it was found to contain a backdoor. Somehow Microsoft has published a driver for this same device, again containing malware according to ESET.
The problem is not just this one event. Taking into consideration the role a rogue device driver played in last year’s game changer for cyberwar (sorry, I need to bring Stuxnet into this), it’s clear we need to rethink the trust we have been putting into things we thought were a given. Microsoft is not evil, but even Microsoft can’t control everything that happens on its behalf. The same goes for other reputable parties.
So what is the message here? Think twice next time you make a security decision based on reputation. In the struggle to give us a comfortable user experience, computing becomes ever more complex under the hood (and the bad guys figured this out long ago). Think holistically and assume a hostile environment.
After some guest postings, Maarten Oosterink is now added to the resident team of authors. As managing consultant on Security, Risk and Compliance and thought leader on Critical Infrastructure Protection, he’ll be posting on topics close to his ‘turf’.
