IT Security Trapdoors and Backdoors

Updated: October 30, 2007

Issue

IT security consultants are primarily honest, trustworthy professionals. A small minority, however, abuse their privileged status to plant backdoors into business applications and other programs in order to provide unauthorized access to critical system data and services. A backdoor is typically created by installing code that recognizes either a special input sequence, such as a password, or a certain username.

Once in place, a backdoor allows the perpetrator — and any other people he cares to share his secret with — to view and download data, run programs or even obtain complete system access and control. Backdoors have been used to steal credit card numbers, download secret business plans, siphon funds from company accounts and for a variety of other illegal activities.

Crooked consultants plant trapdoors because they believe that they are clever and won't get caught. Unfortunately, this is true in many cases. A backdoor can generate quick riches, and many perpetrators are able to escape without a trace. On the other hand, this doesn't mean that businesses are powerless to defend themselves against backdoors and their creators. Careful planning and thorough oversight can ensure that only honest, backdoor-free software is installed on company systems.

Analysis

Removing a backdoor is a difficult and complex process. The ideal approach is to make sure that a backdoor is never planted in the first place. This is best achieved by hiring a security consultant who works for a well-known and respected organization and who has an extensive track record of working with companies in a particular field. The worst approach is to hire a consultant, perhaps via a Craigslist ad or a newspaper classified, without asking for credentials and a verifiable list of clients.

Hiring a qualified, verified consultant greatly decreases the chance that a backdoor will be planted, but it isn't a rock-solid security guarantee. Businesses still need to regularly check their systems for the presence of unauthorized code. A variety of vendors — including Tenable Network Security — offer tools that help businesses scan and audit their computers and networks for the presence of backdoors.

Many businesses could dramatically enhance their IT security and decrease the backdoor threat if they simply installed the free security patches and malware-removal tools provided by software vendors. That's always a good idea, since removing a detected backdoor is as difficult as eradicating any serious piece of malware. In many instances, the only solution is to wipe the system clean and reinstall a backdoor-free version of the software.

Any business that discovers a backdoor needs to determine how the code was planted. In some cases, a consultant (or an in-house IT employee) may inadvertently install commercial software that includes a backdoor. Some software vendors include backdoors in their products to enable maintenance tasks or to recover lost passwords. This is a bad practice, but it happens. So check with the appropriate vendor before accusing a consultant of planting backdoor code. On the other hand, if all evidence indicates that a backdoor was indeed installed by a consultant, report the incident to the police. Backdoor seeding is a crime, not a civil matter. Law officers, not company representatives, are best equipped to confront and handle potentially dangerous data thieves.

Next Steps

For more information on common IT security issues, visit the IT Security Resource Center, where you'll find in-depth research, topical research briefs and advice from Focus Experts.
