RESEARCH PAPER

Third-party applications in the enterprise
Management and risk mitigation of third-party applications

January 2013
Sponsored by Lumension

Contents
  Executive summary
  Third-party applications – the hacker's choice
  The unauthorised desktop
  Third-party risks to security
  Protection: patchy at best
  Is patching a priority?
  Validating IT assets
  Misplaced confidence
  Conclusion
  About the sponsor, Lumension

This document is property of Incisive Media. Reproduction and distribution of this publication in any form without prior written permission is forbidden.

Computing | research paper | sponsored by Lumension

Executive summary

Third-party applications, browsers and plugins have become the attack vector of choice for the modern cyber criminal. Computing surveyed over 200 UK business decision makers to understand how they perceived the risks that they faced from third-party applications. We set out to understand how they were managing and mitigating the challenges to employee productivity, compliance and information security.

This paper features a detailed discussion of the survey findings alongside analysis of how third-party applications have come to pose such a threat. The paper discusses why vulnerabilities for which remediation is available are so widespread and why business organisations are often slow to deploy up-to-date versions of popular third-party applications and security patches. The paper concludes with a discussion of why only a holistic approach to endpoint security management can empower organisations to realise the benefits of third-party applications whilst mitigating the risks that they can present.

Third-party applications – the hacker's choice

The economic environment and outlook for the enterprise remains challenging, and the drive for businesses to reduce costs and boost competitiveness remains remorseless.
These pressures make third-party applications such as Adobe Flash, Java Runtime Environment, and Apple QuickTime particularly attractive and convenient from a management point of view. These applications have become ubiquitous and can be found on almost every business desktop.

Coupled with the proliferation of third-party applications in the enterprise have been some real improvements in the security of client computing platforms, specifically Microsoft’s Windows. Significantly fewer vulnerabilities exist in Windows 7 than in Windows XP, so attacking the operating system directly is becoming more difficult. The combination of the ubiquity of third-party applications and improvements in operating system security means that third-party applications have become the attack vector of choice for the hacking community.

Adobe Flash and Acrobat/Reader vulnerabilities occur five times in Kaspersky Labs’ Top 10 Vulnerabilities report for the third quarter of 2012. Oracle, Java and Apple iTunes and QuickTime also feature prominently. For the first time in recent memory, Microsoft is absent from the list. [1]

Attack vectors are changing, and all the while the volume of malware in circulation is increasing. Millions of new malware signatures continue to be identified every month.

[1] Kaspersky, Q3 Cyberthreats: Java and Oracle top vulnerability list and cyber-espionage continues in Middle East (Nov-2012).

The unauthorised desktop

Computing set out to establish how UK business organisations are responding to the security challenges posed by third-party applications. The first part of this process involves simply knowing exactly what applications are running on corporate endpoints. We asked “Are you confident that your endpoints are running only authorised applications?” (Fig. 1).
Only 54 percent of respondents to this question had technical enforcement in place, allowing them to be completely confident that only authorised applications were executing within corporate boundaries. 44 percent of respondents stated that policies were in place but not enforced, and two percent admitted that they were not confident at all and had no way of knowing what was running on their desktops.

Fig. 1: Are you confident that your endpoints are running only authorised applications?
  Yes; we have technical enforcement means in place   54%
  Somewhat; we only have policies in place            44%
  No; we have no way of knowing                        2%

This is a worrying finding for reasons of productivity as well as security. Local administration rights for users seem to correspond to a much busier desktop for business users, but this activity is often unrelated to business. Computing asked “Beyond malware, what third-party apps concern you the most?” 70 percent of those responding to this question stated that undesired applications such as social networking, VoIP, chat, shopping and games were a concern to them. These are drains on employee productivity of the highest order.

However, a reduction in productivity is just one reason to be concerned about unauthorised applications. There is also the spectre of users conducting illegal activities from within corporate network boundaries – activities for which the organisation itself may be at least partly legally liable. This is why 68 percent of those surveyed also had concerns about unauthorised packages such as personal utilities, hacking tools and unlicensed software, and 49 percent were worried about peer-to-peer activity, copy protection violation and network scanning activity. Activity like this has very serious implications for corporate compliance with legislative and industry controls on data protection.
Activities such as file sharing, in addition to being legally dubious, are also drains on network resource. Many business organisations which have chosen to invest in network bandwidth will be unimpressed at the prospect of it being utilised by employees conducting file sharing activities or perhaps streaming sporting events to their desktops. 55 percent of those surveyed stated that they had concerns about this type of “resource hogging.”

In addition to stealing business network resource, unauthorised applications can also cause some serious management headaches. Fifty-one percent of respondents stated that they had concerns about “bloatware” bundled into legitimate applications, such as browser toolbars. These unwanted applications that are bundled in with free downloads and new machines slow down legitimate applications and annoy almost everybody. Their removal sucks up resource that could be expended in a more strategic manner (Fig. 2).

Fig. 2: Beyond malware, what sorts of 3rd party apps concern you most?
  Undesired apps (e.g., social networking, VoIP, chat, shopping, games)                 70%
  Unauthorized packages (e.g., personal utilities, hacking tools, unlicensed software)  68%
  Resource hogs (e.g., distributed computing, file sharing, streaming media)            55%
  Bloatware (apps installed along with legitimate software, such as browser toolbars)   51%
  Liability software (e.g., Peer-to-Peer, copy protection cracking, network scanners)   49%
  Other                                                                                  1%
  *Respondents could select more than one answer.

Third-party risks to security

If the effect of third-party applications on corporate productivity, resources and compliance is potentially harmful, the security of these applications carries potentially more alarming implications still.
Computing asked “How serious do you believe the risk to your organisation from vulnerabilities in third-party applications to be?” Organisations are clearly aware of the dangers. One third of those responding to the question believed the risk to be either high or very high. A further 46 percent believed the risk to be moderate. Only 20 percent of those responding believed that the risk to their organisations was low, and only one percent did not perceive a risk at all.

Our respondents are right to believe that the risk to their business organisations from vulnerabilities in third-party applications is significant. Indeed, recent findings from various anti-virus vendors would indicate that vulnerabilities in third-party applications account for a significant majority of incidences of malware on Windows endpoints.

For example, the Secunia Annual Report 2011 (published February 2012) found that on a typical Windows laptop containing 28 Microsoft applications and 22 third-party ones, 78.9 percent of the vulnerabilities existed in the third-party programs. What is more, this typical box requires 12 updaters – one from Microsoft and 11 for the third-party applications. The majority of attacks are exploiting vulnerabilities for which remediation is readily available.

These findings are brought into sharper focus still when the results of the following question are considered. Computing asked “How many third-party updaters are being used within your environment?” (Fig. 3). Only 16 percent were confident enough to state their belief that none were being used.

Fig. 3: How many third-party updaters are being used in your environment?
  [Pie chart: Don’t know / 1 to 2 / 3 to 5 / 6 to 10 / 11 or more / None (16%); the remaining shares of 2%, 3%, 19%, 27% and 33% are unlabelled in the extracted chart.]

Another third-party angle that organisations face risks from is that of malware arriving into the corporate network via removable media.
The USB drive is an easy way for employees, either with malevolent intent or more commonly in error, to execute unauthorised applications which pose a risk to the security of their employers’ data. Computing asked “Do you have protection against physically borne malware?” The largest proportion of respondents (37%) stated that they managed the use of removable devices via technical means. A rather more authoritarian 14 percent prevented the use of all removable storage devices. However, 34 percent stated that whilst policies on removable media were in place they did not back these policies up with technical enforcement, and 15 percent admitted that they had no control at all.

Protection: patchy at best

So, what are the implications of employees using outdated versions of third-party software and browser plugins? A common fear is that of the zero day attack. The zero day attack exploits a vulnerability that is, until the knowledge of the attack spreads, unknown. Despite the recent spate of high profile zero-day attacks, and their use in some well-known APT attacks, for the most part they are not as common as perceived. In fact, the majority of attacks today are still exploiting vulnerabilities for which remediation is readily available.

Asked about their patch management process, the key finding was that a mere 27 percent of respondents described their patch management process as robust (Fig. 4).

Fig. 4: How would you describe your current patch management process?
  Robust         27%
  Operational    48%
  Modest         19%
  Ad hoc          6%
  Non-existent    0%

If these findings go some way to explaining why third-party applications are so attractive to the cyber criminal, the answers to the following question make it crystal clear.
Computing asked “How long does it typically take you to deploy security patches for third-party apps when they become available?” Only just over one quarter (26%) of respondents stated that security patches were rolled out immediately. This is a worrying finding. Attackers need a week or two at most to identify vulnerabilities and exploit them.

Some individuals have argued that, since all business organisations face a window of exposure from zero day malware, prompt patching does not reduce risk sufficiently to justify the resource expended upon it. This is a fatalistic and ill-advised approach to risk management. While not all vulnerabilities have a patch at the time they are found, the vast majority do. Within 30 days of disclosure virtually all do. Not deploying patches as soon as they become available increases the window of exposure and opens a few doors as well.

The largest proportion of respondents to this question (37%) stated that patches for third-party applications were deployed in one to two weeks. Whilst not best practice, taking between one and two weeks to test and deploy a patch is probably realistic. However, a further nine percent took between two and three weeks; 13 percent took up to four weeks; and 15 percent took even longer than four weeks.

For those who believe they can leave the job to anti-virus software, a Cyveillance report published in 2010 will be sobering reading. On average, leading anti-virus solutions detected new malware just 19 percent of the time immediately after discovery, and just 62 percent of the time after 30 days. When faced with findings like these, it is easy to see why attackers are focusing their activities on vulnerabilities in third-party applications for which remediation is readily available.

Is patching a priority?

Computing asked our respondents why they were failing to deploy patches immediately.
A huge 77 percent of respondents stated that the testing and validation process for patches simply took time (Fig. 5). The balance between the security of operations and stability is clearly still a tightrope that is as difficult for business organisations to walk as it ever was. Each security patch needs to be assessed for its impact on an organisation’s infrastructure and operations, and this is not a speedy process.

Fig. 5: Why do you not apply patches immediately?
  Testing and validation takes time    77%
  Inadequate resources                 47%
  Service level concerns               28%
  Inadequate patch management tools    15%
  Other                                 3%
  *Respondents could select more than one answer.

The remaining answers to this question are all related. Inadequate resources for patching were cited by 47 percent; 28 percent stated that deploying all patches as soon as they became available would have an impact on their service levels to the business; 15 percent of respondents blamed inadequate patch management tools. The findings indicate that organisations believe that patching vulnerabilities in third-party applications should be a priority. Organisations would deploy security patches more promptly if they were able to. They are simply constrained by operational concerns and tightly stretched resources.

Validating IT assets

Patch management has been made infinitely more difficult in the Bring Your Own Device (BYOD) era. Computing asked “How often do you validate IT asset registration in your patch management tools?” Best practice for this would be weekly, or at least monthly, but only 15 percent of respondents to this question did so weekly and 25 percent monthly. The largest proportion of respondents (44%) stated that they validated assets a few times per year. However, an optimistic 12 percent of respondents said that they had never validated IT asset registration, and four percent had only done so once. This is a dangerous position to be in.
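Added example, not part of the survey report or of Lumension's products: a small Python script that produces the two measurements the preceding sections say few organisations make, time-to-patch per endpoint (bucketed like the survey's answer categories: within a week, 1 to 2 weeks, 2 to 3 weeks, 3 to 4 weeks, more than 4 weeks) and a check that every endpoint the directory knows about is actually registered in the patch management tool. The patch names, hostnames, dates, the day cut-offs for the buckets and the 14-day policy window are all constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data (not from the paper): vendor release dates for
# three hypothetical third-party patches, identified by placeholder names.
PATCH_RELEASES = {
    "flash-2013-01": date(2013, 1, 8),
    "java-2013-01": date(2013, 1, 14),
    "reader-2013-01": date(2013, 1, 9),
}

# Constructed deployment log from the patch tool: (host, patch id, date installed).
DEPLOYMENTS = [
    ("ws-001", "flash-2013-01", date(2013, 1, 9)),
    ("ws-002", "flash-2013-01", date(2013, 1, 21)),
    ("ws-003", "flash-2013-01", date(2013, 2, 12)),
    ("ws-001", "java-2013-01", date(2013, 1, 15)),
    ("ws-002", "java-2013-01", date(2013, 1, 31)),
    ("ws-001", "reader-2013-01", date(2013, 1, 30)),
]

# Constructed asset lists: what the directory knows vs. what the patch tool knows.
DIRECTORY_HOSTS = {"ws-001", "ws-002", "ws-003", "ws-004"}
PATCH_TOOL_HOSTS = {"ws-001", "ws-002", "ws-003"}

# Bucket labels mirror the survey's answer categories; the day cut-offs are an
# assumption, since the paper does not define them.
BUCKETS = [(7, "within a week"), (14, "1 to 2 weeks"),
           (21, "2 to 3 weeks"), (28, "3 to 4 weeks")]

def bucket(days):
    """Map a time-to-patch in days onto the survey's answer categories."""
    for limit, label in BUCKETS:
        if days <= limit:
            return label
    return "more than 4 weeks"

def time_to_patch(patches, deployments, hosts, policy_days=14):
    """Per patch: days from vendor release to install on each host, how many
    hosts met the policy window, and which registered hosts are still unpatched."""
    report = {}
    for patch_id, released in patches.items():
        days = {h: (d - released).days for h, p, d in deployments if p == patch_id}
        report[patch_id] = {
            "median_days": median(days.values()) if days else None,
            "within_policy": sum(1 for v in days.values() if v <= policy_days),
            "buckets": {h: bucket(v) for h, v in days.items()},
            "unpatched": sorted(hosts - set(days)),
        }
    return report

def unregistered_assets(directory_hosts, patch_tool_hosts):
    """Hosts the directory knows about but the patch tool does not: they never
    appear in any time-to-patch figure, however good that figure looks."""
    return sorted(directory_hosts - patch_tool_hosts)

if __name__ == "__main__":
    for pid, row in time_to_patch(PATCH_RELEASES, DEPLOYMENTS, PATCH_TOOL_HOSTS).items():
        print(pid, row)
    print("not registered in patch tool:",
          unregistered_assets(DIRECTORY_HOSTS, PATCH_TOOL_HOSTS))
```

Run against a real deployment export, the "unpatched" and "unregistered" lists are the endpoints that an anti-virus-only strategy leaves exposed for as long as the gap lasts.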
Whilst BYOD has made patch management (and indeed many other areas) more difficult, organisations are running considerable risks with information security and data protection regulations if they do not rise to the challenge.

Misplaced confidence

Computing asked what metrics our respondents used to measure the success of their patch management process. Only 12 percent actually measured time-to-patch. A small number of respondents (6%) said that they did not have metrics in place at all (Fig. 6).

Fig. 6: What metrics do you use to assess the success of your patch management process?
  [Pie chart: Time-to-patch 12%, None 6%; Systems in compliance, Adherence to policy and Vulnerability scans account for the remaining 19%, 27% and 36%, unlabelled in the extracted chart.]

Again, the findings from this question indicate that time-to-patch does not feature highly in many organisations’ criteria for what makes a successful patch management regime, and would indicate that cyber attackers will continue to be successful when focussing their activities on exploiting vulnerabilities in older versions of third-party applications and browser plugins.

Of course, patching known vulnerabilities is not the only way that organisations can or should be mitigating the risks that they face from third-party applications – be they authorised applications or not. Computing asked about the technologies in use to protect against exploits taking advantage of the ‘patch gap’ (Fig. 7).

Fig. 7: What technologies do you rely on to protect against exploits taking advantage of the “patch gap”?
  Antivirus                  96%
  Web filtering              77%
  Application firewall       71%
  Application whitelisting   31%
  Other                       3%
  *Respondents could select more than one answer.

A huge 96 percent of respondents used anti-virus software to protect their organisations from exploits.
The only surprising thing about this particular finding was that it was not 100 percent who did so! Seventy-seven percent had web filtering software in place and 71 percent had an application firewall. Less than a third of respondents (31%) had any sort of application whitelisting in place. It would seem that the majority of our respondents are aware that relying on stand-alone anti-virus software to protect information assets is a mistaken approach, as we have seen above.

The information security of business organisations is being subjected to a perfect storm. The changes in working practices being driven by BYOD, increasing levels of home and remote working and the cloud are not so much making corporate network boundaries elastic as exploding them altogether. As the volume of threats and the speed with which vulnerabilities are reverse engineered continue to rise, organisations should be combining technologies for a true defence-in-depth approach.

Conclusion

Our survey has found that business organisations in the UK are struggling to address the risk to their information security that arises from vulnerabilities in third-party applications and plugins. As operating system vendors have tightened up security loopholes, third-party applications and browsers are now the favoured attack vector of cyber criminals.

Organisations may feel that the not inconsiderable time taken making sure that patches are promptly applied could be better spent elsewhere, but as we have seen, balancing IT productivity against system security is a false dichotomy. Rather, not installing updates promptly carries the risk of more time and effort needing to be spent getting systems up and running again after an attack, not to mention lost productivity, lost or stolen data, and possibly legal costs too. However, despite the risks to data security, brand etc. as well as the potential costs of cleaning up after successful attacks, it would seem that organisations are not concerned enough to deploy security patches as soon as they are made available. The practicalities of patch deployment are not always straightforward, and each new patch needs to be tested and validated before deployment if the balance between the security and stability of systems is to be maintained.

One approach would simply be to ban the use of third-party applications, cut back on their use or replace them with less popular equivalents. The first two options could have serious repercussions on employee productivity and seem a retrograde step in the face of the evolution in working practices that BYOD, better connectivity, the cloud and social media have brought about. If enough organisations chose the approach of replacing third-party applications with less popular versions, it is likely that attackers would simply refocus their activity on the newer applications once a critical mass had been achieved. Replacing applications might well buy organisations a little time, but it is not a long term solution.

Relying on technologies such as anti-virus software and web filtering to bridge the gap between vulnerabilities being announced and patches being deployed is also not a solution in itself. Both technologies are essentially reactive, and whilst some protection is better than none, organisations need to take a more proactive approach to the security of third-party applications.

As is often the case, mitigating the risk from third-party applications requires a holistic approach, encompassing patch management, application control, anti-virus and device control as part of a complete endpoint security management programme. Application control can be seen as the very definition of proactive security management. Unauthorised and unwanted third-party applications are a major source of vulnerabilities. Not only that, but they take up a disproportionate amount of time and effort in terms of patching and updates. Enforcing flexible application whitelisting puts control back in the hands of the IT team. This can allow organisations to identify and prevent the installation and execution of any unwanted, untrusted or malicious applications without having to rely on the latest anti-virus definitions and vulnerability patches. As a result organisations can enjoy the benefits that third-party applications can bring to their business whilst at the same time reducing the risks that these applications pose to a level that they can live with.

About the sponsor, Lumension

Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia.

Contact Lumension:
  Call: +44 (0) 1908-357-897
  Visit: www.lumension.com