Written by Chuck Leaver, CEO, Ziften
High-profile hacks highlight how a lack of auditing of existing compliance products can make the worst kind of headlines.
In the previous Java attacks on Facebook, Microsoft, Apple and other big hitters in the market, the attackers didn’t need to dig too deeply into their playbooks to find a method of attack. As a matter of fact, they used one of, if not the oldest, axiom in the book: they took a remote vulnerability in enormously widely distributed software and exploited it to install remote access capability. And in this case it was on an application that (A) wasn’t up to date and (B) probably didn’t need to be running.
While the hacks themselves have been headline news, the methods organizations can use to prevent or curtail them are pretty boring stuff. We all hear “keep boxes up to date with patch management software” and “ensure conformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”? In this case the watchers are the compliance, patch and systems management technologies. I think Facebook and Apple discovered that even if a management product informs you that software is current, that doesn’t mean you need to believe it! Here at Ziften our results in the field say as much: we consistently discover dozens of variations of the SAME significant application running at Fortune 1000 sites, which, by the way, are all using compliance and systems management products.
When it comes to the exploited Java plug-in, this was a MAJOR application with substantial distribution. This is exactly the kind of software that gets tracked by systems management, compliance and patch products. The lesson couldn’t be clearer: having some kind of check against these applications, independent of the tool that is supposed to manage them, is essential (just ask any of the organizations that were attacked…). However, this is only part of the issue, because this is a major (arguably vital) application we are talking about. If companies struggle to keep up with updates on the known, licensed applications in use, then what about all the unknown and unneeded running applications and plug-ins and their vulnerabilities? Stated simply: if you cannot even know what you are expected to know, how in the world can you know about (and in this case secure) the things you do not know about or are not even concerned about?
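The two points above, that a management tool’s “compliant” claim needs an independent check and that the same application turns up in many versions, including on machines where nobody needs it, can be turned into a small audit. The following is an added example, not Ziften’s code or any product’s output: it cross-checks a constructed endpoint inventory (what was actually observed on each host) against a constructed compliance-tool report and a version baseline, and reports where the tool is stale, where it is unaware of an install, where a host is out of date, and where the application is running without a business need. Hostnames, version strings, the report layout and the `REQUIRED_ON` policy are all assumptions made for the example.

```python
"""Independent cross-check of what a patch/compliance tool reports against
what is actually observed on endpoints.

Added example, not Ziften's code. All hostnames, version strings, the
tool report format and the required-on policy are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: what an independent endpoint inventory actually observed.
OBSERVED = [
    {"host": "ws-001", "app": "java", "version": "1.7.0_13"},
    {"host": "ws-002", "app": "java", "version": "1.7.0_11"},
    {"host": "ws-003", "app": "java", "version": "1.6.0_37"},
    {"host": "ws-004", "app": "java", "version": "1.7.0_13"},
    {"host": "ws-005", "app": "java", "version": "1.7.0_09"},
]

# Constructed sample: what the management/compliance tool claims.
TOOL_REPORT = [
    {"host": "ws-001", "app": "java", "version": "1.7.0_13", "compliant": True},
    # Stale record: the tool believes ws-002 was patched, observation says otherwise.
    {"host": "ws-002", "app": "java", "version": "1.7.0_13", "compliant": True},
    {"host": "ws-003", "app": "java", "version": "1.6.0_37", "compliant": False},
    {"host": "ws-004", "app": "java", "version": "1.7.0_13", "compliant": True},
    # ws-005 is absent: the tool does not know Java is installed there at all.
]

# Constructed baseline: minimum acceptable version per application.
BASELINE = {"java": "1.7.0_13"}
# Constructed policy: hosts that have a business need for the application.
REQUIRED_ON = {"java": {"ws-001", "ws-002", "ws-003"}}


def parse_version(text):
    """Turn '1.7.0_13' into (1, 7, 0, 13) so versions compare numerically,
    not as strings (where '1.7.0_9' would sort after '1.7.0_13')."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_spread(observed):
    """Distinct versions seen per application: the 'dozens of variations' problem."""
    spread = defaultdict(set)
    for rec in observed:
        spread[rec["app"]].add(rec["version"])
    return {app: sorted(versions) for app, versions in spread.items()}


def audit(observed, tool_report, baseline, required_on):
    """Return (host, app, issue, detail) tuples wherever reality, the
    management tool and policy disagree."""
    claimed = {(r["host"], r["app"]): r for r in tool_report}
    findings = []
    for rec in observed:
        host, app, ver = rec["host"], rec["app"], rec["version"]
        outdated = parse_version(ver) < parse_version(baseline[app])
        if outdated:
            findings.append((host, app, "outdated", ver))
        claim = claimed.get((host, app))
        if claim is None:
            # The watcher has a blind spot: an install it never inventoried.
            findings.append((host, app, "unknown_to_tool", ver))
        else:
            if claim["version"] != ver:
                findings.append((host, app, "tool_version_mismatch", claim["version"]))
            if claim["compliant"] and outdated:
                # The tool says compliant; the endpoint itself says otherwise.
                findings.append((host, app, "false_compliant", claim["version"]))
        if host not in required_on.get(app, set()):
            # Running but not needed: attack surface with no business purpose.
            findings.append((host, app, "not_required", ver))
    return findings


if __name__ == "__main__":
    for app, versions in version_spread(OBSERVED).items():
        print(f"{app}: {len(versions)} distinct versions observed: {versions}")
    for host, app, issue, detail in audit(OBSERVED, TOOL_REPORT, BASELINE, REQUIRED_ON):
        print(f"{host:8} {app:6} {issue:22} {detail}")
```

The key design choice is that `OBSERVED` must come from a source other than the tool being audited (an agent, a scan, or a login script that reads the installed version directly); if both sides of the comparison are fed by the same product, a stale record like the one on ws-002 can never be caught.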