Symantec’s confirmation that hackers have stolen a segment of its source code for its Norton anti-virus software from a third party, highlights the fact that for any organisation, third party suppliers can be an attractive way for cyber criminals to gain access to data and networks that would otherwise be beyond their reach.
Although Symantec has not named the third party, the hacker group that posted a file on Pastebin that it said described the confidential workings of Symantec’s Norton Antivirus threat-detection product, said it had discovered Symantec’s source code in a hack they conducted on India’s military and intelligence servers, which is possible because many governments require source code from suppliers to prove the software is not spyware.
As a security firm, no doubt Symantec has extremely sophisticated systems in place to protect its data, but a huge range of external suppliers, from marketing to accountants to legal firms, can all be potential vulnerabilities, says Paul Vlissidis, technical director at NGS Secure, an NCC Group company.
“These suppliers may hold customer data, employee data or, as in this case, intellectual property that is hugely valuable to competitors,” he says, citing as an example the hacking of US-based email marketing firm Epsilon which affected many of its clients.
At the time, Paul Ducklin, head of technology for security firm Sophos in the Asia Pacific region said that as a cloud provider of electronic direct marketing services, a security breach of the Epsilon system was a breach of all its customers’ systems, too.
“If the security of third party suppliers isn’t validated you’ve potentially got an unlocked door in the middle of a wall. It’s essential for companies to treat the information security of suppliers with the same seriousness as their own, and verify the systems they have in place,” says Vlissidis
In confirming the IP theft, Symantec said the stolen code is from two older enterprise products, one of which has been discontinued. “The code involved is four and five years old. This does not affect Symantec’s Norton products for our consumer customers,” the company said in a statement.