Last month, the US Department of Homeland Security recommended that government agencies stop using security software from Moscow-based Kaspersky Lab. Best Buy, Office Depot, and Staples also stopped selling the software.
Is it time for enterprises to cut ties with Kaspersky?
Kaspersky is one of the leading anti-virus vendors on the planet, with more than 400 million users globally, and also offers a variety of enterprise security products and services.
But it's been linked to Russian intelligence and its networks have been hacked, potentially putting all customers at risk.
"Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed," the Department of Homeland Security said in its announcement.
That means that attackers could potentially exploit this access to compromise systems, the DHS warned, and ordered federal agencies to stop using the company's products within the next three months.
Some security experts say that enterprise users should also start considering other options.
"We don't know that Kaspersky themselves have provided a back door or data to the Russian government, but it appears that data did leak through this channel," said Scott Petry, co-founder and CEO at Authentic8, Inc., which makes a secure web browser.
Security software has to be able to scan files and read traffic in order to be able to do its job.
"If a vendor is exfiltrating that data without customer approval, that's a problem," said Petry. When installed in data centers, the security software would have access to even more data than on individual user machines. "So yes, this is worth deeper investigation and updated policies."
The DHS said that it was concerned about the ties between some Kaspersky officials and Russian intelligence and other government agencies.
"The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security," the DHS said.
Kaspersky categorically denied the allegations.
"Kaspersky Lab doesn't have inappropriate ties with any government," the company said in a statement. "Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues."
But the bad news just keeps coming for the company. Earlier this month, The Wall Street Journal reported that Kaspersky software was used to steal classified information.
In addition, Bloomberg Businessweek reported earlier this year that Kaspersky Lab had a much closer working relationship with Russian intelligence than it has publicly admitted, and that it has developed security technology for the Russian government.
Again, Kaspersky denied the reports.
"It's disappointing that these unverified claims continue to perpetuate the narrative of a company which, in its 20-year history, has never helped any government in the world with its cyberespionage efforts," it said.
What Should Data Center Managers Do?
Security companies need to be extremely diligent when it comes to their own security, and not just because of the power their tools command.
After all, if they can't protect themselves, how well can they be expected to protect their own customers?
In Kaspersky's case, news reports say that the company has been hacked by both Israel and Moscow -- and the company itself has admitted that its internal networks were hacked in 2015.
"Given that Kaspersky has been exploited, it would be prudent for organizations to identify alternatives," said Authentic8's Petry.
But switching enterprise security vendors isn't all that easy.
"In the understaffed, overburdened world of information security, the process of identifying and removing it is extremely disruptive," said Simon Gibson, fellow security architect at Gigamon Inc., a network security vendor.
First, employees who currently use Kaspersky software and are familiar with it will have to switch to something else, he said, which is itself a major disruption.
And there's the time and expense of identifying what's in place, finding new vendors, and testing and deploying the new tools.
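The first of those steps, identifying what is in place, is the one a data center team can start on immediately. The script below is an added example, not code from the article or from any vendor quoted in it; it inventories installed software and running services matching a vendor name on Windows hosts by reading the registry Uninstall keys (both 64-bit and 32-bit views) and Win32_Service, which is cheaper and safer than querying Win32_Product. The vendor pattern, the hosts.txt list and the output path are assumptions for illustration; WinRM access to the hosts is assumed as well.

```powershell
# Added example (not from the article): inventory one vendor's software across a fleet.
# Reads the Uninstall registry keys rather than Win32_Product, because enumerating
# Win32_Product triggers an MSI consistency check/reconfigure of every package.

function Get-InstalledVendorSoftware {
    [CmdletBinding()]
    param(
        # Assumption: regex matched against DisplayName and Publisher.
        [string]$VendorPattern = 'Kaspersky'
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.DisplayName -match $VendorPattern) -or ($_.Publisher -match $VendorPattern)
        } |
        ForEach-Object {
            [PSCustomObject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallDate     = $_.InstallDate
                UninstallString = $_.UninstallString
            }
        }
}

function Get-VendorServices {
    [CmdletBinding()]
    param(
        [string]$VendorPattern = 'Kaspersky'
    )

    # StartName shows the account the service runs as (for example LocalSystem),
    # which is the privilege level the article's sources are concerned about.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            ($_.DisplayName -match $VendorPattern) -or ($_.PathName -match $VendorPattern)
        } |
        Select-Object @{ Name = 'ComputerName'; Expression = { $env:COMPUTERNAME } },
                      Name, DisplayName, State, StartMode, StartName, PathName
}

# Assumption: hosts.txt holds one Windows host name per line, all reachable over WinRM.
$hosts = Get-Content -Path '.\hosts.txt'

# Invoke-Command accepts a function's script block directly; the param block travels with it.
$software = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-InstalledVendorSoftware} -ErrorAction Continue
$services = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-VendorServices} -ErrorAction Continue

$software | Export-Csv -Path '.\vendor-software-inventory.csv' -NoTypeInformation
$services | Export-Csv -Path '.\vendor-services-inventory.csv' -NoTypeInformation

# Quick summary for the people planning the replacement work.
"{0} installations on {1} hosts; {2} services" -f $software.Count,
    ($software.ComputerName | Sort-Object -Unique).Count, $services.Count
```

Hosts that fail to answer over WinRM are reported as errors rather than silently dropped, so the two CSV files plus the error stream give a complete picture of where the product is installed, which version is present, and under which account its services run; that is the input the "finding new vendors, and testing and deploying" steps need before any removal is scheduled.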
That's a big problem, especially since there's already a personnel shortage in cybersecurity, he said.
"Every person who’s been reassigned to remove Kaspersky should be working on other projects," he said.
A Stellar Reputation Now in Question
The incident from 2015 and this year's so far unconfirmed spying reports severely undermine the company’s historically solid reputation in the market. Gartner, IDC, and other analysts have routinely given it high ratings, and according to Gibson, the company “has always been a friend to network defenders.”
“The company’s research on certain malware strains has been second to none,” he said. “With their wide footprint, I have always viewed them as a trusted resource and have used their guidance to better respond to serious breaches and protect my systems from compromise. Moreover, when I’ve run their products in large global deployments on proxies, they’ve always delivered."
Despite that, the risk is too high to ignore, he said.
"Kaspersky antivirus software doesn’t run in a sandbox. It runs in system privileges. If it goes bad, it’s game over."
In addition, if the new government directive causes Kaspersky to lose business, it may have to shrink its staff and will no longer be able to provide the same level of service as it did before.
"This new development is shocking, because Kaspersky published hard work for the betterment of network defense, and if this proves to be true, they’ll probably go out of business," Gibson said.
He's not alone in worrying about Kaspersky's future as a company. In a blog post, security expert Bruce Schneier doubted its ability to survive the latest scandal.
"I am having trouble seeing how the already embattled Kaspersky Labs survives this," he wrote.