Bit9

Bit9's annual report on the Top Vulnerable Applications  for 2009 found that Adobe Acrobat, Flash Player, Reader and Shockwave showed high risk for arbitrary code execution, memory corruption and application crashing. Also rated highly vulnerable in NIST's database for 2009 were Apple Quicktime, Mozilla FireFox, Opera, RealPlayer, Sun Java and Trillian.

Microsoft's IE 6 and 7 received an "honorable mention" for a zero-day exploit that went unpatched for a period of time in August.  All applications on the list require end users to manually patch or upgrade the software to eliminate the vulnerability, and are extremely common on PCs at work and home.

Should enterprises use these apps? If it makes sense for the business - of course they should. Most businesses would find it hard not to use Adobe PDF, for instance.  And yet just today, SANS Institute's Internet Storm Center (ISC) reported that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14.  See Gregg Keizer's story on it in ComputerWorld today. So if enterprises do in fact use these apps, they need to put some monitoring and controls in place to protect their business.

Enterprise  IT organizations that are not monitoring their endpoints have no reliable way to ensure that the patches for these applications have been properly applied.  We encourage organizations to monitor the applications being used by their end users to make sure first, that they know what is running and second, they know that they have been patched properly. And in the case of this "zero-day" attacks, IT needs to put controls in place to protect against these zero-day attacks in which no patches or fixes exist.

Organizations that take a layered approach can best protect themselves with: visibility across endpoints;  a centralized patch-management process;  and application whitelisting to prevent the use of unauthorized and potentially malicious software.
To read the report, click here

The stars are aligned for application whitelisting in the marketplace -- all the big players are talking about it now and analysts are predicting that it is the future.

The new Gartner analyst  research report - "Application Control Market Update," 4 August 2008, by Neil MacDonald and Michael A. Silver - is a great one. To Gartner, the terms "application control" and "application whitelisting" are synonymous.

Copied below are some top quotes from the Gartner Research Note.

• "Organizations are looking to application control solutions to augment signature-based antivirus protection and to exert more control over endpoints."
• "We continue to advise organizations adopting application control solutions that the key to successful tool selection and implementation is the capability to automate the exception management process and to automate list management. Bit9 has delivered significant innovation in this area by enabling organizations to query their "whitelist/blacklist in the cloud" knowledge base as a subscription service (see "Cool Vendors in Infrastructure Protection, 2007")."
• "Application "whitelisting" and "blacklisting" techniques are becoming increasingly useful to supplement shortcomings in antivirus systems. These techniques deliver more flexibility to reduce diversity, improve operations and manage PC configuration than merely locking down desktops."
• "When antivirus agents and patching aren't possible, consider application control and system hardening as alternative security controls for point-of-sale (POS) terminals, supervisory control and data acquisition (SCADA) systems, and other devices that fall under regulatory requirements."
• "Application control solutions address shortcomings in antivirus and other signature-based approaches and provide security and operational benefits."
• "In most cases, application control software (see Figure 1) doesn't replace traditional antivirus and personal firewall offerings. Instead, it acts as an additional layer of protection for endpoints to supplement the increasing ineffectiveness of signature-based antivirus solutions, which can't keep up with the explosion in malware variants and the increases in targeted attacks. Application control solutions are of interest to information security and operations managers, typically for reducing the chances for image corruption, system damage or data loss by end users, rogue applications or malware."

And this whole section:

"Application Control Is a Gentler Form of Lockdown

In addition to security protection, application control solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code ("lockdown") on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use application control solutions:

• To ensure that unlicensed software isn't being used
• To manage known PC configurations so that enterprise software is easier to deploy and maintain
• To restrict users from running software that could be detrimental to enterprise systems or the network
• To prevent users from adding applications to the organization's application portfolio that will require increased support and cost

Many organizations mistakenly believe that they've accomplished lockdown by removing administrative access from users and designating them as standard users. However, this can cause a number of problems:

• Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity.
• Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It's nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.
• Contrary to common perception, running users as standard users does not prevent them from installing and running unknown applications. Depending on the level of lockdown, standard users may be able to download and install well-behaved applications that don't require administrative privileges to install or run. Furthermore, without additional restrictions or tools, users are able to load and execute single executables from the network (including via the browser) or removable media. Organizations are also at risk from malware that targets user data and settings, rather than system files.

Application control solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can monitor, at a granular level. what software users are looking to run. Even if users are running as standard users, application control products can plug the gap created by applications that don't require administrator privileges to install and run or single file executables."

As an aside, we are now registering our blog with Technorati.

Welcome to my final posting in a series entitled "Are You Ready for Enterprise Application Whitelisting?" I hope these little snippets have been helpful and have assisted you in determining if your IT organization is mature enough to consider whitelisting - and if you would be able to take advantage of its benefits.

Today's post is one that I've seen many IT groups struggle with first-hand. It has to do with the complexity of modern security products and how much training they seem to require today. Lots of IT administrators simply are not equipped to effectively manage these overly-complicated security policies. Which leads us straight to the question:

Question 5: Is the security expertise required by endpoint protection suites too much?

Think about that one for a minute and ask yourself a few questions:

• Do you run an advanced desktop security suite that includes antivirus, personal firewall, HIPS, and other components?
• If not - why? What's holding you back?
• If so - are you really using all the components?
• If you aren't using everything - why did you buy such a comprehensive piece of software and not use it to full effectiveness?
  

The answer is almost always that most IT organizations simply are not ready or don't contain the skillsets to run and operate an advanced security tool that forces you to define cross-product policies that account for malicious behavior patterns and multi-layered protection schemes.

IT organizations have always been great at deploying AV because all they had to do was make sure that the AV packages was installed and up-to-date. They didn't have to decide what was secure and what wasn't.

But operating a HIPS solution or even a personal firewall today requires the operations team to be making decisions about the security policy that will have dramatic impacts on the ability for the organization to actually protect its systems and its data.

Usually what happens is the IT group gets one of these advanced desktop security products and then doesn't deploy it. So they've increased costs and decreased security, all at the same time.

If you are one of these people then you are absolutely ready to look at application whitelisting. Becuase with whitelisting, there are no complex security policies to understand. Simply choose the applications that your business should be running. Nothing else gets in.

If an application is found to contain a vulnerability - ban it. If an application fails to pass some basic security screens, stop it from being able to run. If you don't know what an application is, you never have to be concerned abnout judging its behavior because it simply will not be able to execute.

An application that can't execute can't do any damage.

I hope you've enjoyed these postings on application whitelisting and I really hope that you've learned something from it. We've learned a tremendous amount from our customers and what's enabled them to make the transition to a whitelisting environment. Now it's your turn to ask yourself one more time: are you ready for enterprise application whitelisting?

Welcome to Part 4 of my series on "Are You Ready for Enterprise Application Whitelisting?" Lots of people have been reading about application whitelisting - or at least wondering if there are easier ways of protecting endpoints than removing administrative rights - and are trying to figure out if now is the time to take a look at whitelisting.

So I'm presenting a number of questions that you can ask yourself to evaluate if you are in fact ready for whitelisting. And today we're going to talk about your users. Because if you have ever tried to remove administrative rights from users you know that it's an all-or-nothing proposition.

This leads us to the next question you can use to determine if you are in fact ready for enterprise application whitelisting:

Question 4: Do your users need flexibility (you can't lock them down too tightly)?

Let's talk a little more about removing admin rights from Windows computers. The motivation for doing this is because presumably users who can control the administrative aspects of their PCs are more likely to mess them up and get into trouble. Furthermore, any malware that may start running on the PC would be running with the privileges of the user, and if that was not at an administrative level the malware would be much less likely to inflict serious damage on the machine.

But because of the way that admin rights are implemented and managed in Windows, you practically are left with a very limiting and very inflexible choice. Either: 

1. You can remove administrative rights from your users but every time they need to make a change you have to send an IT admin to their desks to help them, or
2. You can't remove administrative rights because of legacy applications or cultural issues, and they can do anything they want to their PCs.

Most companies will assess each department individually to decide if the costs of supporting installations (#1 above) are higher or lower than the costs of managing, cleaning, and protecting against malware and unauthorized software (#2 above). On average, companies put about 75% of their users in bucket #1 and remove admin rights, leaving the other 25% of users in bucket #2, with admin rights.

But these results really aren't practical and don't meet the goals of the organization. Because IT needs more flexibility. And users need more flexibility. Why should a user who is locked down not be allowed to install the Adobe Acrobat Reader themselves if that is a well-known, trouble-free, and perfectly reasonable application to install? Why does IT need to get involved every time that happens?

The truth is: they don't. They shouldn't. Your protection strategy should be more flexible than that, and that is exactly where whitelisting comes in. Authorize users to install specific apps. Nothing else gets through.

If your users' behaviors and needs are complex... if you don't want to be babysitting them every time they need a simple non-standard installation done... then you are probably ready to look at enterprise application writelisting. 

I'm writing my third posting in a series called "Are You Ready for Enterprise Application Whitelisting?" The purpose of these posts as I've mentioned previously is to help IT people understand if their processes and organization are advanced and mature enough to be ready for implementing whitelisting - and basically only letting software run on corporate PCs that has been pre-authorized.

My previous posts covered a couple questions, including "Is your IT staff stretched too thin?" and "Do you need better auditing, reporting, and compliance?" Both of these questions are related to the needs of the organization and the services IT provides. But our next checkpoint asks about the maturity of the systems that IT uses to manage PCs. So here it is:

Question 3: Are adequate software delivery (SMS, WSUS) systems in place?

So why do we ask this question? Well the reason is because if you have implemented good, strong processes for delivering software easily and efficiently to desktops, you are pretty much at the point where the next logical step for control would be to whitelist the software on those PCs.

Think about it this way. Most company's IT processes have matured over the years along a relatively consistent pattern:

1. Provisioning / Imaging: Make it easy to get a standard image of the operating system and core applications when a new PC is issued to an employee, without taking a lot of time.
   
2. Deployment / Delivery: Get new applications or updates to applications out to all the users without having an army of IT people carry CDs to each workstation one by one.
3. Patch Management: Every time a new vulnerability or exploit is announced, vendors rush to deliver patches. A smooth patch management process means you don't have to scramble to protect your PCs.

So once you have these three components, you have effectively achieved total control over pushing software out to your PCs. So what's next for you? What are you looking to achieve after control over "pushed software?"

The answer is control over "pulled software." Users will receive their provisioned PCs and use the apps that are pushed to them... but then they will get on the Internet and start downloading their own apps. And as powerful as your software deployment processes are, most organizations can not reach 100% coverage of the apps that their users need. So you have to rely on users being able to download apps for themselves so you don't have to send IT people to every user whenever they need something.

And now you've opened Pandora's box. Because you can't control what your users will install...

... unless you whitelist.

Because when you whitelist, you authorize your users to download certain apps, but they can't get whatever they want. This gives you control. 

This is my second posting in a series that is meant to help you determine if you are ready for enterprise application whitelisting. For the uninitiated, application whitelisting is a method of operating a PC environment that only lets authorized software run. That means unless you (as the IT department of a company or an organization) allow an application to run, it is prohibited from executing on a computer.

These days solution providers like Bit9 (the leader in Enterprise Application Whitelisting) are paving the way for companies to implement a whitelisting strategy that is easy and effective - and one that can really have an impact in how you secure your desktops and data.

But many companies are asking themselves: am I ready for application whitelisting? To help answer this, my previous post asked the question "Is your IT staff stretched too thin?"

Here is the second question you can ask yourself to determine if you are ready for enterprise application whitelisting.

Question 2: Do you need better auditing, reporting & compliance?

There has been a veritable explosion in requirements placed on companies to inventory and audit their software environments. Driving these demands are a number of different activities ranging from regulations to industry guidelines to software vendors. But one thing is for sure - companies can no longer afford to not know what is happening on their corporate desktops and laptops.

Let's look at a few specific examples of where compliance is being pushed into IT:

• PCI Compliance: organizations that accept payment cards including credit cards and debit cards (primarily retail, finance, healthcare, and many more) are subject to these industry requirements to ensure the integrity of any computing system that handles payment card information (credit card numbers, accounts, etc.)
• Sarbanes-Oxley: Public comapnies in the United States must ensure that their financial systems have not been tampered with and the integrity of the financial reporting data remains in tact.
• HIPAA: Hospitals, physicians, health insurance companies, and other health-related industries are required by law to protect the privacy of patients' information and history, ensuring that only authorized individuals and systems can access access any specific information.
• Federal Desktop Core Configuration (FDCC): Federal agencies in the United States are now required by the OMB (Office of Management & Budget) to harden their Windows desktops to a very specific and detailed Windows configuration.
• Software Vendor Licensing: Large software companies have been stepping up the fight against piracy by conducting large-scale audits of their customers to identify any gap between how many copies of a software product are in use and how many the company had paid for. This often results in an unexpected, but sizeable "true-up."
• Computer Forensics: With so much data being produced and transmitted throughout organizations, many are finding it in their interest to create a forensics capability. You can hope you don't need it, but in the case of lawsuits, disgruntled employees, and other unpleasant events, it can be very useful to understand who did what and when.
• Consolidation: As companies merge and acquire, IT departments end up being responsible for multiple redundant systems. Many of them become forgotten - although the company still pays a heavy maintenance stream. So knowing what is actually in use can reap significant savings in software costs.

What's happening at many companies is that they are finding themselves under the demands of several of these drivers at once. Take as an example a large, public retailer - they will have to adhere to rules and guidelines put forth by the PCI Council, SOX, and their software vendors... maybe others as well.

Precisely because of these overlapping requirements, companies are proceeding along two simultaneous paths:

1. Simplify the data trail with a single, multi-purpose audit stream.
   
2. Enforce more, audit less by putting better controls around the desktop that limit policy violations and vastly reduce the data processing involved in demonstrating compliance.
   

Application whitelisting is a critical activity for both of these because having a rich inventory of the applications in use, and being able to prevent unauthorized software from being used can greatly reduce the cost of getting to compliance and systematically proving it on a regular basis.

So if you are under pressure to audit and report on the software in your environment and to prove that your computers are in compliance, you have met criteria #2 for being ready for Enterprise Application Whitelisting.

Over the past few months we've been reading more and more about how application whitelisting solutions - like Bit9's - may end up becoming the de facto mechanism for securing corporate Windows PCs in the near future.

So let's assume for a moment that yes, application whitelisting is the wave of the future and yes, you will be basing your security strategy on only allowing software that you know and trust to run in your environment. The next obvious question is...

What can you do to prepare for running an environment where people can only use company-authorized software? In the next few postings I'll present some ways to assess your readiness for enterprise application whitelisting.

Without further ado, here's the first question you can ask yourself to determine if you are ready for whitelisting.

Question 1: Is your IT staff stretched too thin?

If you have got an IT staff that is too busy "fighting fires" on users' systems and cleaning up after messy software downloads or ugly malware incidents, you are probably aching to get more control over your desktops. After all - your IT staff's time is too valuable to be spent on every little problem that comes up. There are bigger fish to fry, like when you are going to deploy Windows Vista, or how to consolidate computing resources across the enterprise, or how to achieve PCI, SOX, and HIPAA compliance.

Yet many IT departments simply get behind the 8-ball with respect to their desktop infrastructure. As users' computers age, the software on them drifts so that they look very different from how they looked when they were first provisioned. Those inconsistencies cause problems in everything from security to auditability to software licensing costs.

But imagine for a minute what would happen if you could eliminate those inconsistencies. If you could ensure that a software you provisioned did not drift from your original copy of it - and only software you approved or authorized was allowed to run on it.

Wouldn't this make your job so much easier? Wouldn't it reduce the number of problems you have to deal with on a monthly and even daily basis? You bet it would! And customers who have implemented application whitelisting are realizing every day how much more productive they can be when they aren't spending all their times firefighting.

So if you think your IT staff hasn't got the time to address the initiatives it should be... you are probably ready for enterprise application whitelisting! 

We've just released our top 10 list of the most vulnerable applications for 2007. This is the second year we've put the list together, and it is focused on those applications that users tend to download. These apps are often very difficult for IT to see, let alone patch, and therefore represent unexpected and unquantified vulnerabilities in an enterprise IT environment.

To make it onto the list, the following criteria must be met. Each application:

1. Must run on Microsoft Windows
2. Must be well-known in the consumer space and frequently downloaded by individuals.
3. Must not be classified as malicious by enterprise IT organizations or security vendors
4. Must contain at least one critical vulnerability:
• first reported in June 2006 or after,
• registered in the U.S. National Institute of Standards and Technology’s (NIST) official vulnerability database at http://nvd.nist.gov, and
• with a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
5. Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.

It is important to note that in most cases, the vendor or publisher of the applications on this list has already produced a patch for the particular vulnerability or vulnerabilities reported here. But at a company, there is usually no way that IT can ensure that the patch has been properly applied - that's requirement #5 on the list of criteria above.

Last year when we released this list, a lot of people commented on how we left off so much Microsoft software - some even going so far as to say that Microsoft sponsored this research! So let me be clear - this is entirely produced and financed by Bit9. The reason most Microsoft software doesn't make the list is because by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same can not be said for apps like Firefox, iTunes, and other packages.

You can download the full list of vulnerable applications here which includes the specific versions, the vendors' solutions, the nature of the vulnerabilities, and references to the CVE numbers for the identified vulnerabilities. Also, you can learn what to do to help protect your company from vulnerable applications like these.

So without further ado, here are the apps on the list. Do you have a comment about it? Please submit!

1. Yahoo! Messenger 8.1.0.239 and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox 2.0.0.6
   
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. EMC VMware Player (and other products) 2.0, 1.0.4
6. Apple iTunes 7.3.2
7. Intuit QuickBooks Online Edition 9 and earlier
8. Sun Java Runtime 1.6.0_X
9. Yahoo! Widgets 4.0.5 and previous
10. Ask.com Toolbar 4.0.2.53 and previous
    

There's been a lot of discussions about whitelisting lately. I thought I'd share a few of the ones I have been reading:

1. Sign Me Up For Whitelisting by Jason Brooks
2. Whitelisting and Elegence by Larry Seltzer
3. Delist This Security Idea by Jim Rapoza
4. Antivirus Whitelisting: The Bad and Good by Mary Landesman
5. With the Right Tools and Perspective, Whitelisting Can Work by Andrew Garcia