Written by Charles Leaver, CEO, Ziften
High-profile cyber attacks underline how an absence of independent auditing of existing compliance products can make the worst kind of headlines.
In the Java attacks on Facebook, Microsoft, Apple and other giants of the market, the attackers didn't need to dig too deep into their playbooks to find a method of attack. As a matter of fact they used one of, if not the most ancient axiom in the book: they took a remote vulnerability in massively distributed software and exploited it to set up remote access to the application's capabilities. And in this case it was an application that (A) wasn't up to date and (B) most likely didn't need to be running at all.
While the hacks themselves have been headline news, the techniques companies can use to prevent or eradicate them are quite dull stuff. We all hear "keep boxes current with patch management software" and "ensure uniformity with compliance tools". That is industry standard and old news. But to pose a question: who is "watching the watchers"? In this case the watchers are the compliance, patch and systems management technologies. I believe Facebook and Apple found out that just because a management product tells you an application is current doesn't mean you have to believe it! Our results in the field here at Ziften say as much: we regularly uncover many versions of the SAME major application running at Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.
In the case of the exploited Java plug-in, this was a MAJOR application with wide distribution. This is exactly the type of software that gets tracked by systems management, compliance and patch products. The lesson could not be clearer: having some independent check against what these products report is essential (just ask any of the organizations that were attacked...). But this is only part of the problem, because this is a major (arguably vital) application we are talking about. If companies find it hard to stay ahead of updates on the known, licensed applications they use, what about all the unknown and unneeded applications and plug-ins that are running, and their vulnerabilities? Stated simply: if you can't even know what you are expected to know, how can you understand (and in this case secure) the things you don't know about?
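The "watching the watchers" check described above can be made concrete by reconciling two inventories: what the management or compliance product claims about each endpoint, and what an independent host-level collector actually observes. The script below is an added example, not Ziften's code or any real product's output; the application names, hostnames, version strings and baseline are all constructed for illustration. It flags hosts where the tool's reported version disagrees with the observed one, hosts the tool marks compliant while the observed version is below baseline, software observed on a host that the tool does not track at all, and version sprawl (several versions of the same application across the fleet).

```python
"""Cross-check a compliance/patch tool's report against independently observed
endpoint inventory.  Added example with constructed data; not a vendor's code."""
import re
from collections import defaultdict

# Constructed baseline: minimum acceptable version per tracked application.
BASELINE = {"java-plugin": "1.7.0_13", "flash-player": "11.6.602.171"}

# Constructed: what the management/compliance product reports per host.
TOOL_REPORT = [
    {"host": "ws-001", "app": "java-plugin", "version": "1.7.0_13", "status": "compliant"},
    {"host": "ws-002", "app": "java-plugin", "version": "1.7.0_13", "status": "compliant"},
    {"host": "ws-003", "app": "java-plugin", "version": "1.6.0_37", "status": "non-compliant"},
    {"host": "ws-001", "app": "flash-player", "version": "11.6.602.171", "status": "compliant"},
]

# Constructed: what an independent host-level collector actually saw.
OBSERVED = [
    {"host": "ws-001", "app": "java-plugin", "version": "1.7.0_13", "running": True},
    {"host": "ws-002", "app": "java-plugin", "version": "1.7.0_11", "running": True},   # tool says _13
    {"host": "ws-003", "app": "java-plugin", "version": "1.6.0_37", "running": False},
    {"host": "ws-001", "app": "flash-player", "version": "11.6.602.171", "running": False},
    {"host": "ws-002", "app": "quicktime", "version": "7.7.3", "running": True},        # not tracked
]


def parse_version(version):
    """Turn '1.7.0_11' or '11.6.602.171' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(tool_report, observed, baseline):
    """Return a list of findings, each a dict with host, app, kind and detail."""
    findings = []
    tool_index = {(row["host"], row["app"]): row for row in tool_report}
    versions_seen = defaultdict(set)

    for obs in observed:
        host, app, version = obs["host"], obs["app"], obs["version"]
        versions_seen[app].add(version)
        reported = tool_index.get((host, app))

        # 1. Software present on the host but absent from the tool's inventory.
        if reported is None:
            findings.append({"host": host, "app": app, "kind": "untracked",
                             "detail": f"{version} observed but not in tool inventory"})
        # 2. Tool and independent observation disagree on the installed version.
        elif reported["version"] != version:
            findings.append({"host": host, "app": app, "kind": "version-mismatch",
                             "detail": f"tool reports {reported['version']}, observed {version}"})

        # 3. Observed version is below the baseline; worse if the tool calls it compliant.
        if app in baseline and parse_version(version) < parse_version(baseline[app]):
            kind = ("false-compliant"
                    if reported is not None and reported["status"] == "compliant"
                    else "below-baseline")
            state = "running" if obs["running"] else "installed but not running"
            findings.append({"host": host, "app": app, "kind": kind,
                             "detail": f"{version} < baseline {baseline[app]} ({state})"})

    # 4. Several versions of one application across the fleet.
    for app, versions in versions_seen.items():
        if len(versions) > 1:
            findings.append({"host": "*", "app": app, "kind": "version-sprawl",
                             "detail": "versions seen: " + ", ".join(sorted(versions))})
    return findings


if __name__ == "__main__":
    for f in audit(TOOL_REPORT, OBSERVED, BASELINE):
        print(f"{f['host']:7} {f['app']:13} {f['kind']:17} {f['detail']}")
```

The "false-compliant" finding is the one that matters most for the argument above: ws-002 is green in the tool's console yet is running a plug-in below baseline. The "installed but not running" detail on ws-003 points at the other half of the lesson, software that is present as attack surface without being needed. In practice the observed side would come from a package manager or process listing on each host rather than a literal.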