Written by Charles Leaver, CEO, Ziften
High profile hacks highlight how a lack of auditing of existing compliance products can make the worst type of front page news.
In the recent Java attacks on Facebook, Microsoft and Apple, along with other giants of the market, the attackers didn’t need to dig too deep into their playbooks to find a technique. As a matter of fact they employed one of the oldest, if not the oldest, axioms in the book: they took a remote vulnerability in an enormously widely distributed software application and exploited it to install remote access capability. And in this case they did it on an application that (A) wasn’t the latest version and (B) most likely didn’t need to be running at all.
While the hacks themselves have been headline news, the techniques organizations can use to prevent or curtail them are quite dull stuff. All of us hear “keep boxes current with patch management software” and “guarantee uniformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”? In this case the watchers are the compliance, patch and systems management technologies. I think Facebook and Apple learned that just because a management system tells you a software application is current does not mean you should believe it! Here at Ziften our results in the field say as much: we regularly discover dozens of versions of the SAME major application running at Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.
In the case of the exploited Java plug-in, this was a MAJOR application with substantial distribution. This is exactly the type of application that gets tracked by systems management, compliance and patch products. The lesson from this could not be clearer: having some kind of independent check against these applications is vital (just ask any of the companies that were attacked…). However, this makes up only part of the issue, because this is a major (arguably critical) application we are discussing here. If companies struggle to get their arms around keeping known, authorized applications up to date, then what about all the unknown and unneeded applications and plug-ins that are running, and their vulnerabilities? Simply put: if you cannot even know what you are supposed to know, how in the world can you know about (and in this case protect) the things you neither know nor care about?
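A concrete form of the “watching the watchers” check described above, written here as an added Python example (it is not Ziften’s code or any product’s output): it reconciles what a management console claims is installed against what endpoint telemetry actually observed, flags hosts where the two disagree, lists every distinct version of the same application seen across the fleet, and surfaces applications that are not in the approved inventory at all. Host names, product names, version strings and the approved list are all constructed for the example.

```python
"""Reconcile a management console's claims with endpoint telemetry.

Added example, not Ziften's code. All inventory data below is constructed.
"""
import re
from collections import defaultdict

# Constructed: what the management console *claims* is installed per host.
REPORTED = {
    "host-01": {"java-plugin": "7u15"},
    "host-02": {"java-plugin": "7u15"},
    "host-03": {"java-plugin": "7u15"},
    "host-04": {"java-plugin": "7u15"},
}

# Constructed: what endpoint telemetry actually observed on each host.
OBSERVED = {
    "host-01": {"java-plugin": "7u15"},
    "host-02": {"java-plugin": "7u11"},  # console is wrong: old build still present
    "host-03": {"java-plugin": "7u15", "legacy-pdf-plugin": "1.2"},  # unapproved app
    "host-04": {},  # console claims it, telemetry never saw it
}

# Constructed: the approved version of each application the organization tracks.
APPROVED_VERSIONS = {"java-plugin": "7u15"}


def version_tuple(version):
    """Turn '7u15' or '1.2.3' into a tuple of ints so versions compare sanely."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_spread(observed):
    """Distinct versions of each application actually seen across the fleet.

    Dozens of versions of one 'managed' application is itself a finding.
    """
    spread = defaultdict(set)
    for apps in observed.values():
        for app, ver in apps.items():
            spread[app].add(ver)
    return {app: sorted(vers, key=version_tuple) for app, vers in spread.items()}


def reconcile(reported, observed, approved):
    """Compare console claims with telemetry and return (host, app, kind, detail) findings.

    kinds: 'missing'     console claims the app, telemetry never saw it
           'mismatch'    console and telemetry report different versions
           'outdated'    observed version is older than the approved one
           'unknown_app' observed app is not in the approved inventory at all
    """
    findings = []
    for host in sorted(set(reported) | set(observed)):
        claimed = reported.get(host, {})
        seen = observed.get(host, {})
        # Check every claim the console makes against what was actually seen.
        for app, ver in claimed.items():
            if app not in seen:
                findings.append((host, app, "missing",
                                 f"console says {ver}, telemetry never saw it"))
            elif seen[app] != ver:
                findings.append((host, app, "mismatch",
                                 f"console says {ver}, telemetry saw {seen[app]}"))
        # Check everything actually seen against the approved inventory.
        for app, ver in seen.items():
            if app not in approved:
                findings.append((host, app, "unknown_app",
                                 f"not in approved inventory (observed {ver})"))
            elif version_tuple(ver) < version_tuple(approved[app]):
                findings.append((host, app, "outdated",
                                 f"{ver} is older than approved {approved[app]}"))
    return findings


if __name__ == "__main__":
    for app, versions in version_spread(OBSERVED).items():
        print(f"{app}: {len(versions)} distinct version(s) seen: {versions}")
    for host, app, kind, detail in reconcile(REPORTED, OBSERVED, APPROVED_VERSIONS):
        print(f"[{kind}] {host} {app}: {detail}")
```

The point of the design is that the console's report is treated as a claim to be verified, not as ground truth: every claim is checked against telemetry, and everything telemetry saw is checked against the approved list, so both a stale "current" report and a plug-in nobody knew was running show up as findings.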