This CISA Analysis Report is scary.
This morning I woke up to an email from CISA. CISA is the Cybersecurity & Infrastructure Security Agency, a government agency. Their mission (in their words) is to "lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure".
Most of the work the CISA does is above my pay grade. CISA is working with government and industry to protect things like power generation sub stations, water treatment plants and communication systems. They work with fortune 500 companies to secure critical network infrastructure. So in general their focus is not the SMBs I support although they do provide useful resources for businesses of all sizes.
I am subscribed to one of CISA's mailing lists, so I regularly get emails from CISA detailing a list of vulnerabilities. The emails are mostly technical, dry and boring. A typical email lists out a bunch minor vulnerabilities in software none of my clients use.
The email I received this morning was different.
Barracuda is a big player in cybersecurity solutions. They have been around for a long time. Twenty years ago when I directly managed email servers we used tools from companies like Barracuda to shield and protect our email servers.
So why do I think this is a big deal?
First, because Barracuda is a trusted provider of cybersecurity solutions. Their products are used in significant organizations.
As a system & network administrator there is a level of trust and peace of mind when using products from vendors like Barracuda, SonicWall, Cisco, etc. I typically do not recommend these products to my clients, but I do support them and when I do there is a certain peace of mind to be had:
- Company X is a major company.
- Company X has a lot of experience making Product Y.
- Company X supports customers many times the size of my clients.
- If there is a problem with Product Y, then Company X will help me fix it.
- If there is a problem with Product Y, then I can expect Company X to discover and fix it quickly.
Second, because the product that was exploited and the nature of the exploit. The exploit targeted Barracuda's Email Security Gateway and was used to gain initial access to victims systems and implant backdoors.
Again this turns to the trust and peace of mind.
I recommend the use of email filtering solutions to all my clients. Email is the most popular vector for nefarious parties to initiate a cyber attack and the understanding is that email filter will block most, if not all, of the most malicious threats. In this case the email security gateway was compromised, so instead of blocking malicious threats, it itself was the malicious threat inside your theoretically safe perimeter.
Third, because of how long the threat has been in place. The researchers found evidence that this threat has been in place since October 2022 or about 9 months. Again breaking our trust that if there is a problem with Product Y, then I can expect Company X to discover and fit it quickly.
The real reason this gives me pause...
I work with other IT consultants who rely solely on commerical solutions and reject any alternative non-commerical (i.e. open source) solution. I get it, commerical solutions are generally reliable and trust worthy, but in situations like this I wonder if and how an open source solution would have fared better.
To some degree commerical solutions rely on security through obscurity. Even if they don't rely on obscurity to secure their products just by their nature the tools and techniques of propriatary solutions are hidden from our ability to review and audit. It is this hidden aspect that give me pause.
Open source solutions have their risks, and the risks known, visible and easily accessible.
In short, I maybe scared about what I know, but I am more scared about what I do not know.
So, when I suggest an open source solution, that is why.
What are you thoughts?