Written by Charles Leaver, CEO, Ziften
High-profile cyber attacks show how the absence of any independent audit of existing compliance products can produce the worst kind of front-page news.
In the recent Java-based attacks on Facebook, Microsoft and Apple, as well as other big names in the industry, the attackers did not need to dig deep into their playbooks to find a technique. In fact they used one of the oldest plays in the book: take a remotely exploitable vulnerability in a massively distributed piece of software and use it to gain remote access to the machine running it. And in this case the application was (A) not the latest version and (B) most likely did not need to be running at all.
While the hacks themselves have been front-page news, the methods organizations can use to prevent or curtail them are pretty boring stuff. We all hear "keep boxes up to date with patch management software" and "ensure conformance with compliance tools". That is industry standard and old news. But here is the real question: who is watching the watchers? In this case the watchers are the compliance, patch and systems management tools. I believe Facebook and Apple discovered that just because a management system tells you software is up to date does not mean you should believe it! Here at Ziften our results in the field say as much: we consistently discover dozens of variants of the SAME major application running on Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.
In the case of the exploited Java plug-in, this was a MAJOR application with wide distribution. This is exactly the kind of application that systems management, compliance and patch products track. The lesson could not be clearer: you need an independent check against what those products report (just ask any of the organizations that were hacked...). But that is only part of the problem. This is a major (arguably vital) application we are talking about. If organizations find it hard to stay on top of updates for the known, licensed applications they use, what about all the unknown and unneeded applications and plug-ins that are running, and their vulnerabilities? Stated simply: if you cannot even keep track of what you are supposed to know about, how on Earth can you track (and in this case protect) the things you do not know or care about?
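One concrete way to "watch the watchers" is to take the inventory the management console claims for a fleet and reconcile it against what an independent scan of disks and running processes actually finds. The script below is an added example written for this post, not Ziften product code; the hostnames, the version strings and both inventories are constructed sample data, and the baseline version is just an illustrative "this is what the console says everyone should be on" value. It flags hosts where the console's claim and the scan disagree, hosts running several JREs side by side, anything below the baseline, and hosts the scan reached that the console does not even know about (the "unknown and unneeded" case).

```python
"""Reconcile a systems-management console's Java inventory against an
independent endpoint scan.

Added example for this post, not Ziften code. All inventory data below is
constructed; hostnames and version strings are illustrative only.
"""
import re
from collections import defaultdict

# Legacy-style Java version strings look like "1.7.0_13" (family.minor.patch_update).
_JAVA_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(s):
    """Turn '1.7.0_13' into a comparable tuple (1, 7, 0, 13)."""
    m = _JAVA_VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


# Constructed sample: what the management console reports, one version per host.
CONSOLE_INVENTORY = {
    "ws-001": "1.7.0_13",
    "ws-002": "1.7.0_13",
    "ws-003": "1.7.0_13",
    "ws-004": "1.7.0_13",
}

# Constructed sample: what an independent scan of install paths and running
# processes found. A host can carry several JREs; ws-005 is a host the scan
# reached but the console has never heard of.
SCAN_OBSERVED = {
    "ws-001": ["1.7.0_13"],
    "ws-002": ["1.6.0_37", "1.7.0_13"],   # old JRE still present beside the current one
    "ws-003": ["1.7.0_11"],               # console says patched, disk says otherwise
    "ws-004": [],                         # console entry is stale; no Java on the box
    "ws-005": ["1.6.0_29"],               # unmanaged host running old Java
}


def reconcile(console, scan, baseline):
    """Return {host: [issue, ...]} for every host where the two views disagree
    or where the scan shows something below the baseline version."""
    base = parse_java_version(baseline)
    findings = defaultdict(list)
    for host in sorted(set(console) | set(scan)):
        claimed = console.get(host)
        observed = scan.get(host)
        if claimed is None:
            findings[host].append("not in console inventory")
        if observed is None:
            findings[host].append("not reached by scan")
            continue
        versions = [parse_java_version(v) for v in observed]
        if claimed is not None and not versions:
            findings[host].append(f"console claims {claimed} but scan found no Java")
        if len(versions) > 1:
            findings[host].append(
                f"{len(versions)} JREs side by side: {', '.join(observed)}")
        for raw, ver in zip(observed, versions):
            if ver < base:
                findings[host].append(f"below baseline {baseline}: {raw}")
        if claimed is not None and versions and parse_java_version(claimed) not in versions:
            findings[host].append(
                f"console claims {claimed}; scan saw {', '.join(observed)}")
    return dict(findings)


if __name__ == "__main__":
    for host, issues in reconcile(CONSOLE_INVENTORY, SCAN_OBSERVED, "1.7.0_13").items():
        for issue in issues:
            print(f"{host}: {issue}")
```

With the sample data, ws-001 produces no finding because both views agree, while ws-002 through ws-005 each surface exactly the kind of drift the post describes: a leftover old JRE, a console that over-reports patch state, a stale entry, and an unmanaged host. The point of the design is that the scan side is gathered without asking the management agent, so it can contradict it.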