Bit9


Enterprise Application Whitelisting


Visualizing Software Risk - part 2

Posted by Matt Petrosky on Tue, Jun 29, 2010

In my last post, I graphed the introduction of software onto a new system.  In this post, I'll graph the risk that that software poses to an environment.

 

End users who introduce an unapproved application seldom realize the risk that change poses to the network.  For example, a single user introducing an alternate web browser onto their computer might have a risk profile that looks like the graph below.  By itself, a single application on a single computer does not pose a huge threat to the network (unless of course that application is malicious in nature, but we will assume for now it is not).

 

[Figure: software pull 2]

(You can download a larger version here:  http://bit.ly/aXBFnE )

 

Over time, there may be patches or updates that need to be applied to the application, and because the end user is likely the only one who knows about this application, it is up to them to be responsible for applying these patches or updates.  In an attempt to address the lack of central patching and upgrading, many products now come with self-updating functionality that checks for these files either at runtime or on a set schedule.  Unfortunately, most end users are aware of neither the importance nor the urgency with which some of these patches need to be applied.  Therefore, updates get postponed, versions get skipped, and vulnerable applications grow within the network.

 

Now the graph will move up the risk scale a bit because there is little control over this unknown web browser and there is a level of uncertainty about its patch level.  The particular application that has been installed, the responsiveness of its publisher, and the timeliness of its patches can also bump up the risk level.  For example, Secunia reports that Firefox, a very common alternate browser, had to release patches for 115 vulnerabilities in 2008 (source:  http://bit.ly/cFAA4z ).  Comparatively, Internet Explorer, whose patching IT has a fairly good grasp over, suffered from 31 in 2008.

 

[Figure: software pull 3]

(You can download a larger version here:  http://bit.ly/biXqpK )

 

This issue is only compounded by the fact that users install not only an alternate web browser but also games, toolbars, media players, peer-to-peer tools, and a plethora of other programs, either intentionally or unintentionally.

 

This final graph shows the compound level of risk that multiple machines introduce when they all have unwanted programs added to them.  It is very easy to see why unauthorized software is almost more of a concern these days than malicious software.

 

[Figure: software pull 4]

(You can download a larger version here:  http://bit.ly/ddF79Q )

 

All of these programs expose an organization to increased support costs, as unwanted programs conflict with business-related applications; to increased re-imaging costs, since the easiest and most effective way to eliminate this software from an end user's computer is to start from scratch; and to an increased risk that a computer will be compromised through an attack on a vulnerable application.

 

It is understandable why many organizations, in addition to strong written policies, are turning towards methods that apply tighter control over what software end users are able to introduce onto their systems.  Without a reasonable mechanism for inventorying and patching unauthorized software, the best approach for IT is to prevent the introduction of these applications in the first place.
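As an added illustration (not part of the original post), here is a toy scoring model in Python that turns the factors discussed above, whether an application is IT-managed, the publisher's vulnerability count, and how stale its patches are, into per-machine and fleet-wide risk figures like those the graphs sketch, and lists what an application whitelist would have blocked. The formula, the hostnames, the toolbar and all patch ages are assumptions made for the example; only the 2008 Firefox and Internet Explorer counts come from the post.

```python
from dataclasses import dataclass

@dataclass
class InstalledApp:
    name: str
    approved: bool         # on the IT-managed list, i.e. centrally patched
    vulns_last_year: int   # vulnerabilities the publisher patched in a year
    days_since_patch: int  # age of the installed build behind the newest release

def app_risk(app: InstalledApp) -> float:
    """Risk contribution of one application (hypothetical scoring model)."""
    base = app.vulns_last_year / 100.0
    if app.approved:
        return base  # centrally patched: only the publisher's track record counts
    # Unmanaged: patch level is uncertain, so risk grows with staleness (capped at
    # 3x after ~9 months) plus a flat cost for the unsupported program itself.
    staleness = min(app.days_since_patch / 90.0, 3.0)
    return base * (1.0 + staleness) + 1.0

def machine_risk(apps: list) -> float:
    return sum(app_risk(a) for a in apps)

def network_risk(fleet: dict) -> float:
    """Compound risk across all machines (the 'final graph' in the post)."""
    return sum(machine_risk(apps) for apps in fleet.values())

def rank_machines(fleet: dict) -> list:
    """Machines ordered from riskiest to least risky."""
    return sorted(((h, machine_risk(a)) for h, a in fleet.items()),
                  key=lambda t: t[1], reverse=True)

def unauthorized_software(fleet: dict) -> list:
    """(host, app) pairs that an application whitelist would have blocked."""
    return [(h, a.name) for h, apps in fleet.items() for a in apps if not a.approved]

# Constructed sample fleet. The 2008 vulnerability counts for Firefox (115)
# and Internet Explorer (31) are the Secunia figures quoted in the post; the
# hostnames, the toolbar and all patch ages are invented for illustration.
IE = InstalledApp("Internet Explorer", True, 31, 0)
FLEET = {
    "ws01": [IE],
    "ws02": [IE, InstalledApp("Firefox", False, 115, 90)],
    "ws03": [IE, InstalledApp("Firefox", False, 115, 270),
             InstalledApp("Search Toolbar", False, 20, 180)],
}

if __name__ == "__main__":
    print(rank_machines(FLEET), round(network_risk(FLEET), 2))
    print("whitelist violations:", unauthorized_software(FLEET))
```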


Visualizing Software Risk

Posted by Matt Petrosky on Sun, Jun 27, 2010

 

At Bit9, we talk with customers and prospects every day about the risk that unauthorized software introduces into an environment.  Some IT folks have a difficult time explaining to senior management what the actual threat to the environment is when users introduce programs like iTunes, Firefox, or Skype. They are so commonplace that we start to get the impression that they are benign!

I've put together some charts that could be incorporated into a presentation to help convey the message that any unmanaged application, especially one IT is unaware of within the environment, is an exposure that should be addressed.

 

 

 

(You can download a larger version here:  http://bit.ly/8YxzqJ )

 

This graph illustrates the typical introduction of new software onto a freshly imaged system.  The bane of any of us who have ever spent days or weeks creating a pristine base image!  I think the important thing to note is that much of the "software pull" that happens over the lifetime of the computer happens relatively early.  Within hours or days of a user being issued a system, they have re-introduced their favorite chat programs, music players, screen savers, and more.  Once the user is satisfied with the state of the software, then over the coming months and years you see blips of software packages getting installed, or a package upgrading to a newer version.

 

Once new unknown software has been introduced, the attack surface of that system goes up significantly.  My next post will discuss this further.


Bit9 Releases Third Annual Report on Top Vulnerable Apps - 2009

Posted by Doug Spear on Thu, Jan 07, 2010

Bit9's annual report on the Top Vulnerable Applications for 2009 found that Adobe Acrobat, Flash Player, Reader and Shockwave showed high risk for arbitrary code execution, memory corruption and application crashing. Also rated highly vulnerable in NIST's database for 2009 were Apple QuickTime, Mozilla Firefox, Opera, RealPlayer, Sun Java and Trillian.


Microsoft's IE 6 and 7 received an "honorable mention" for a zero-day exploit that went unpatched for a period of time in August.  All applications on the list require end users to manually patch or upgrade the software to eliminate the vulnerability, and are extremely common on PCs at work and home.


Should enterprises use these apps? If it makes sense for the business - of course they should. Most businesses would find it hard not to use Adobe PDF, for instance.  And yet just today, SANS Institute's Internet Storm Center (ISC) reported that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14.  See Gregg Keizer's story on it in ComputerWorld today. So if enterprises do in fact use these apps, they need to put some monitoring and controls in place to protect their business.


Enterprise IT organizations that are not monitoring their endpoints have no reliable way to ensure that the patches for these applications have been properly applied.  We encourage organizations to monitor the applications being used by their end users to make sure, first, that they know what is running and, second, that they know it has been patched properly. And in the case of "zero-day" attacks, for which no patches or fixes exist, IT needs to put controls in place that protect against the attack itself.


Organizations that take a layered approach can best protect themselves with: visibility across endpoints; a centralized patch-management process; and application whitelisting to prevent the use of unauthorized and potentially malicious software.
