Written By Chuck Leaver CEO Ziften
High profile cyber attacks underline how a lack of auditing on existing compliance products can make the worst kind of headlines.
In the earlier Java attacks on Facebook, Microsoft, Apple and other big names in the industry, the attackers didn’t have to dig very deep into their playbook to find an approach. In fact they used one of the oldest axioms in the book, if not the oldest: they took a remote vulnerability in massively distributed software and exploited it to install remote access capability. And in this case it was on an application that (A) wasn’t up to date and (B) most likely didn’t need to be running at all.
While the hacks themselves have been headline news, the methods organizations can use to prevent or eradicate them are fairly dull stuff. We all hear “keep boxes up to date with patch management software” and “ensure uniformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”? The watchers in this case being compliance, patch and systems management technologies. I believe Facebook and Apple learned that just because a management system tells you software is current does not mean you should believe it! Here at Ziften our results in the field say as much: we consistently discover dozens of variants of the SAME major application running at Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.
In the case of the exploited Java plug-in, this was a SIGNIFICANT application with wide distribution. This is exactly the type of application that gets monitored by systems management, compliance and patch products. The lesson could not be clearer: having some independent check on these applications is necessary (just ask any of the organizations that were attacked…). But this is only part of the problem, because this is a significant (arguably essential) application we are talking about. If organizations find it hard to get their arms around maintaining updates on known, licensed applications in use, then what about all the unknown and unneeded running applications and plug-ins and their vulnerabilities? Simply put: if you can’t even know what you are supposed to know, how in the world can you know about (and in this case secure) the things you don’t know about or aren’t concerned with?
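As an added illustration of the “watching the watchers” idea (example code written for this post, not Ziften’s product or anything from the original), the script below cross-checks what a management console claims about installed software against what endpoint observations actually show. All host names, application names, version strings and the baseline are constructed sample values; it flags hosts where the console and the endpoint disagree, software the console does not track at all, and installs that fall below the version the organization considers current.

```python
"""Cross-check a patch/compliance tool's claims against what is actually
running on endpoints (the "watching the watchers" check).

Both data sets below are constructed sample records, not real inventory.
"""
import re
from collections import defaultdict

# What the management/compliance console asserts per host (constructed).
MANAGEMENT_REPORT = {
    "ws-001": {"java": "1.7.0_15"},
    "ws-002": {"java": "1.7.0_15"},
    "ws-003": {"java": "1.7.0_15"},
    "ws-004": {"java": "1.7.0_15"},
}

# What an endpoint agent actually observed running (constructed).
# One host has two Java runtimes side by side, one is stale, one runs a
# plug-in the console has no record of.
ENDPOINT_OBSERVATIONS = [
    ("ws-001", "java", "1.7.0_15"),
    ("ws-002", "java", "1.7.0_15"),
    ("ws-002", "java", "1.6.0_37"),   # second, older runtime still present
    ("ws-003", "java", "1.7.0_13"),   # console says patched; endpoint says not
    ("ws-004", "java", "1.7.0_15"),
    ("ws-004", "flash", "11.5.502"),  # plug-in the console does not track
]

# Version the organization considers current (constructed value).
BASELINE = {"java": "1.7.0_15"}


def parse_version(text):
    """Turn '1.7.0_15' or '11.5.502' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def variants_per_app(observations):
    """Every distinct version of each application seen anywhere, oldest first."""
    seen = defaultdict(set)
    for _host, app, version in observations:
        seen[app].add(version)
    return {app: sorted(v, key=parse_version) for app, v in seen.items()}


def report_disagreements(report, observations):
    """Hosts where the console's claim and the endpoint's view differ,
    or where the endpoint runs software the console has no record of."""
    findings = []
    for host, app, version in observations:
        claimed = report.get(host, {}).get(app)
        if claimed is None:
            findings.append((host, app, version, "untracked by console"))
        elif claimed != version:
            findings.append((host, app, version, f"console claims {claimed}"))
    return findings


def below_baseline(observations, baseline):
    """Any observed install older than the version expected to be current."""
    stale = []
    for host, app, version in observations:
        if app in baseline and parse_version(version) < parse_version(baseline[app]):
            stale.append((host, app, version))
    return stale


if __name__ == "__main__":
    for app, versions in variants_per_app(ENDPOINT_OBSERVATIONS).items():
        print(f"{app}: {len(versions)} variant(s) observed -> {versions}")
    for finding in report_disagreements(MANAGEMENT_REPORT, ENDPOINT_OBSERVATIONS):
        print("disagreement:", finding)
    for stale in below_baseline(ENDPOINT_OBSERVATIONS, BASELINE):
        print("below baseline:", stale)
```

The point of the design is that the console’s data is never treated as ground truth: the endpoint observations are an independent source, and anything the two disagree on, or that only one of them knows about, is a finding to investigate rather than a box to tick.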