Third-party applications in the enterprise

Research paper
Management and risk mitigation of third-party applications
January 2013
Sponsored by Lumension
Contents
Executive summary (p3)
Third-party applications – the hacker’s choice (p3)
The unauthorised desktop (p4)
Third-party risks to security (p5)
Protection: patchy at best (p7)
Is patching a priority? (p8)
Validating IT assets (p8)
Misplaced confidence (p9)
Conclusion (p10)
About the sponsor, Lumension (p12)
This document is property of Incisive Media. Reproduction and distribution of this publication in any form without
prior written permission is forbidden.
2 Computing | research paper | sponsored by Lumension
Executive summary
Third-party applications, browsers and plugins have become the attack vector of choice for the
modern cyber criminal. Computing surveyed over 200 UK business decision makers to understand
how they perceived the risks that they faced from third-party applications. We set out to
understand how they were managing and mitigating the challenges to employee productivity,
compliance and information security.
This paper features a detailed discussion of the survey findings alongside analysis of how
third-party applications have come to pose such a threat. The paper discusses why vulnerabilities
for which remediation is available are so widespread and why business organisations are often
slow to deploy up-to-date versions of popular third-party applications and security patches.
The paper concludes with a discussion of why only a holistic approach to endpoint security
management can empower organisations to realise the benefits of third-party applications
whilst mitigating the risks that they can present.
Third-party applications – the hacker’s choice
The economic environment and outlook for the enterprise remains challenging, and the drive for
businesses to reduce costs and boost competitiveness remains remorseless. These pressures
make third-party applications such as Adobe Flash, Java Runtime Environment, and Apple
QuickTime particularly attractive and convenient from a management point of view. These
applications have become ubiquitous and can be found on almost every business desktop.
Coupled with the proliferation of third-party applications in the enterprise have been some real
improvements in the security of client computing platforms, specifically Microsoft’s Windows.
Significantly fewer vulnerabilities exist in Windows 7 than in Windows XP, so attacking the
operating system directly is becoming more difficult.
The combination of the ubiquity of third-party applications and improvements in operating
system security means that third-party applications have become the attack vector of choice for the
hacking community. Adobe Flash and Acrobat/Reader vulnerabilities occur five times in Kaspersky
Labs’ Top 10 Vulnerabilities report for the third quarter of 2012. Oracle Java and Apple iTunes and
QuickTime also feature prominently. For the first time in recent memory, Microsoft is absent from
the list.[1] Attack vectors are changing, and all the while the volume of malware in circulation is
increasing. Millions of new malware signatures continue to be identified every month.
[1] Kaspersky, Q3 Cyberthreats: Java and Oracle top vulnerability list and cyber-espionage continues in
Middle East (Nov-2012).
The unauthorised desktop
Computing set out to establish how UK business organisations are responding to the security
challenges posed by third-party applications. The first part of this process involves simply knowing
exactly what applications are running on corporate endpoints. We asked “Are you confident that
your endpoints are running only authorised applications?” (Fig. 1). Only 54 percent of respondents
to this question had technical enforcement in place, allowing them to be completely confident
that only authorised applications were executing within corporate boundaries. 44 percent of
respondents stated that policies were in place but not enforced, and two percent admitted that
they were not confident at all and had no way of knowing what was running on their desktops.
Fig. 1: Are you confident that your endpoints are running only authorised applications?
Yes; we have technical enforcement means in place: 54%
Somewhat; we only have policies in place: 44%
No; we have no way of knowing: 2%
This is a worrying finding for reasons of productivity as well as security. Local administration rights
for users seem to go hand in hand with a much busier desktop for business users, but much of this
activity is unrelated to business.
Computing asked “Beyond malware, what third-party apps concern you the most?” 70 percent of
those responding to this question stated that undesired applications such as social networking,
VoIP, chat, shopping and games were a concern to them. These are drains on employee
productivity of the highest order. However, a reduction in productivity is just one reason to be
concerned about unauthorised applications. There is also the spectre of users conducting illegal
activities from within corporate network boundaries – activities for which the organisation itself
may be at least partly legally liable. This is why 68 percent of those surveyed also had concerns
about unauthorised packages such as personal utilities, hacking tools and unlicensed software
and 49 percent were worried about peer-to-peer activity, copy protection violation and network
scanning activity. Activity like this has a very serious implication for corporate compliance with
legislative and industry controls on data protection.
Activities such as file sharing, in addition to being legally dubious, are also drains on network
resource. Many business organisations which have chosen to invest in network bandwidth will be
unimpressed at the prospect of it being utilised by employees conducting file sharing activities
or perhaps streaming sporting events to their desktops. 55 percent of those surveyed stated that
they had concerns about this type of “resource hogging.”
In addition to stealing business network resource, unauthorised applications can also cause some
serious management headaches. Fifty-one percent of respondents stated that they had concerns
about “bloatware” such as browser toolbars bundled into legitimate applications (Fig. 2). These
unwanted applications, bundled in with free downloads and new machines, slow down legitimate
applications and annoy almost everybody. Their removal sucks up resource that could be expended
in a more strategic manner.
Fig. 2: Beyond malware, what sorts of third-party apps concern you most?
Undesired apps (e.g., social networking, VoIP, chat, shopping, games): 70%
Unauthorized packages (e.g., personal utilities, hacking tools, unlicensed software): 68%
Resource hogs (e.g., distributed computing, file sharing, streaming media): 55%
Bloatware (apps installed along with legitimate software, such as browser toolbars): 51%
Liability software (e.g., peer-to-peer, copy protection cracking, network scanners): 49%
Other: 1%
*Respondents could select more than one answer.
Third-party risks to security
If the effect of third-party applications on corporate productivity, resources and compliance is
potentially harmful, the security of these applications carries still more alarming implications.
Computing asked “How serious do you believe the risk to your organisation from vulnerabilities in
third-party applications to be?” Organisations are clearly aware of the dangers. One third of those
responding to the question believed the risk to be either high or very high. A further 46 percent
believed the risk to be moderate. Only 20 percent of those responding believed that the risk to their
organisations was low, and only one percent did not perceive a risk at all.
Our respondents are right to believe that the risk to their business organisations from
vulnerabilities in third-party applications is significant. Indeed, recent findings from various
anti-virus vendors indicate that vulnerabilities in third-party applications account for a
significant majority of malware incidents on Windows endpoints.
For example, the Secunia Annual Report 2011 (published February 2012) found that on a typical
Windows laptop containing 28 Microsoft applications and 22 third-party ones, 78.9 percent of the
vulnerabilities existed in the third-party programs. What is more, this typical box requires
12 updaters – one from Microsoft and 11 for the third-party applications. The majority of attacks
are exploiting vulnerabilities for which remediation is readily available.
These findings are brought into sharper focus still when the results of the following question
are considered. Computing asked “How many third-party updaters are being used within your
environment?” (Fig. 3). Only 16 percent were confident enough to state their belief that none were
being used.
Fig. 3: How many third-party updaters are being used in your environment?
Pie chart; categories: Don’t know, 1 to 2, 3 to 5, 6 to 10, 11 or more, None.
None: 16% (as stated in the text). The remaining shares (2%, 3%, 19%, 27%, 33%) cannot be attributed to the other categories from the extracted chart.
Organisations also face a third-party risk of a different kind: malware arriving on the corporate
network via removable media. The USB drive is an easy way for employees, either with malevolent
intent or, more commonly, in error, to execute unauthorised applications which pose a risk to the
security of their employers’ data. Computing asked “Do you have protection against physically
borne malware?” The largest proportion of respondents (37%) stated that they managed the use of
removable devices via technical means. A rather more authoritarian 14 percent prevented the use
of all removable storage devices. However, 34 percent stated that whilst policies on removable
media were in place they did not back these policies up with technical enforcement, and 15 percent
admitted that they had no control at all.
Protection: patchy at best
So, what are the implications of employees using outdated versions of third-party software and
browser plugins? A common fear is that of the zero-day attack: one that exploits a vulnerability
which remains unknown to defenders until knowledge of the attack spreads. Despite the recent
spate of high-profile zero-day attacks, and their use in some well-known APT campaigns, for the
most part they are not as common as perceived. In fact, the majority of attacks today are still
exploiting vulnerabilities for which remediation is readily available.
Asked about their patch management process, the key finding was that a mere 27 percent of
respondents described their patch management process as robust (Fig. 4).
Fig. 4: How would you describe your current patch management process?
Robust: 27%
Operational: 48%
Modest: 19%
Ad hoc: 6%
Non-existent: 0%
If these findings go some way to explaining why third-party applications are so attractive to the
cyber criminal, the answers to the following question make it crystal clear. Computing asked “How
long does it typically take you to deploy security patches for third-party apps when they become
available?” Only just over one quarter (26%) of respondents stated that security patches were
rolled out immediately. This is a worrying finding. Attackers need a week or two at most to identify
vulnerabilities and exploit them.
Some have argued that, since all business organisations face a window of exposure to zero-day
malware anyway, prompt patching does not reduce risk sufficiently to justify the resource expended
upon it. This is a fatalistic and ill-advised approach to risk management. While not all
vulnerabilities have a patch at the time they are found, the vast majority do, and within 30 days of
disclosure virtually all do. Not deploying patches as soon as they become available lengthens the
window of exposure and opens a few more doors as well.
The largest proportion of respondents to this question (37%) stated that patches for third-party
applications were deployed in one to two weeks. Whilst not best practice, taking between one and
two weeks to test and deploy a patch is probably realistic. However, a further nine percent took
between two and three weeks; 13 percent took up to four weeks; and 15 percent took even longer
than four weeks.
For those who believe they can leave the job to anti-virus software, a Cyveillance report published in
2010 will be sobering reading. On average, leading anti-virus solutions detected new malware just
19 percent of the time immediately after discovery, and just 62 percent of the time after 30 days.
When faced with findings like these, it is easy to see why attackers are focusing their activities on
vulnerabilities in third-party applications for which remediation is readily available.
Is patching a priority?
Computing asked our respondents why they were failing to deploy patches immediately. A huge
77 percent of respondents stated that the testing and validation process for patches simply took
time (Fig. 5). The balance between the security of operations and stability is clearly still a tightrope
that is as difficult for business organisations to walk as it ever was. Each security patch needs
to be assessed for its impact on an organisation’s infrastructure and operations, and this is not a
speedy process.
Fig. 5: Why do you not apply patches immediately?
Testing and validation takes time: 77%
Inadequate resources: 47%
Service level concerns: 28%
Inadequate patch management tools: 15%
Other: 3%
*Respondents could select more than one answer.
The remaining answers to this question are all related. Inadequate resources for patching were
cited by 47 percent; 28 percent stated that deploying all patches as soon as they became available
would have an impact on their service levels to the business; 15 percent of respondents blamed
inadequate patch management tools.
The findings indicate that organisations believe that patching vulnerabilities in third-party
applications should be a priority. Organisations would deploy security patches more promptly
if they were able to. They are simply constrained by operational concerns and tightly stretched
resources.
Validating IT assets
Patch management has been made infinitely more difficult in the Bring Your Own Device (BYOD)
era. Computing asked “How often do you validate IT asset registration in your patch management
tools?” Best practice for this would be weekly, or at least monthly, but only 15 percent of
respondents to this question did so weekly and 25 percent monthly.
The largest proportion of respondents (44%) stated that they validated assets a few times per
year. However, an optimistic 12 percent of respondents said that they had never validated IT asset
registration and four percent had only done so once.
This is a dangerous position to be in. Whilst BYOD has made patch management (and indeed
many other areas) more difficult, organisations are running considerable risks with information
security and data protection regulations if they do not rise to the challenge.
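As an added illustration of the asset validation step described above (not code from the paper or from Lumension’s products), the following Python reconciles an authoritative asset inventory with the endpoints registered in a patch management tool. It reports hosts the tool has never seen, hosts whose agent has gone quiet, and tool entries that no longer correspond to an inventoried asset. The hostnames, check-in dates and the seven-day silence threshold are constructed assumptions.

```python
from datetime import date, timedelta


def normalise(hostname: str) -> str:
    """Hostnames arrive in mixed case from different systems; compare them in one form."""
    return hostname.strip().lower()


# Constructed sample data (hypothetical hostnames and dates, not survey data).
# INVENTORY stands in for the authoritative asset list (directory, CMDB, DHCP leases);
# REGISTERED stands in for the patch management tool's agent list with last check-in.
INVENTORY = {"ws-001", "ws-002", "ws-003", "LT-010", "lt-011"}
REGISTERED = {
    "ws-001": date(2012, 12, 14),
    "ws-002": date(2012, 11, 1),    # agent has been silent for weeks
    "lt-010": date(2012, 12, 13),   # matches "LT-010" once normalised
    "ws-099": date(2012, 12, 12),   # known to the tool but absent from inventory
}


def validate_registration(inventory, registered, as_of, max_silence_days=7):
    """Reconcile inventory against patch-tool registrations.

    Returns hosts that are unregistered (never reached the tool), stale (registered
    but not checking in within max_silence_days), and orphaned (registered but not
    in inventory), plus the percentage of inventory actually under live management.
    """
    inv = {normalise(h) for h in inventory}
    reg = {normalise(h): seen for h, seen in registered.items()}
    cutoff = as_of - timedelta(days=max_silence_days)

    unregistered = sorted(inv - reg.keys())
    stale = sorted(h for h, seen in reg.items() if h in inv and seen < cutoff)
    orphaned = sorted(reg.keys() - inv)
    live = len(inv) - len(unregistered) - len(stale)
    return {
        "unregistered": unregistered,
        "stale": stale,
        "orphaned": orphaned,
        "coverage_pct": round(100 * live / len(inv)) if inv else 0,
    }


if __name__ == "__main__":
    result = validate_registration(INVENTORY, REGISTERED, date(2012, 12, 15))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run weekly, the "unregistered" and "stale" lists are the endpoints that no patch report covers at all; a compliance figure taken from the patch tool alone silently excludes them, which is why the coverage percentage here is computed against the inventory rather than against the tool’s own count.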
Misplaced confidence
Computing asked what metrics our respondents used to measure the success of their patch
management process. Only 12 percent actually measured time-to-patch. A small number of
respondents (6%) said that they did not have metrics in place at all (Fig. 6).
Fig. 6: What metrics do you use to assess the success of your patch management process?
Pie chart; categories: Systems in compliance, Adherence to policy, Vulnerability scans, Time-to-patch, None.
Time-to-patch: 12%; None: 6% (as stated in the text). The remaining shares (19%, 27%, 36%) cannot be attributed to the other three categories from the extracted chart.
Again, the findings from this question indicate that time-to-patch does not feature highly in many
organisations’ criteria for a successful patch management regime. This suggests that cyber
attackers will continue to be successful when focussing their activities on exploiting
vulnerabilities in older versions of third-party applications and browser plugins.
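To make time-to-patch concrete as a metric, here is an added Python example (not from the paper or its sponsor) that computes it from per-host deployment records: median and worst-case days from fix release to deployment, the share deployed within a service-level target, a per-application breakdown, and outstanding hosts whose exposure already exceeds the target. The 14-day target reflects the one-to-two-week window the paper calls realistic; the hosts, applications and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    app: str
    released: date              # date the vendor published the fix
    deployed: Optional[date]    # None means the patch is still outstanding


# Constructed sample data (hypothetical hosts and dates, not survey results).
SAMPLE = [
    PatchRecord("ws-001", "Adobe Reader", date(2012, 10, 1), date(2012, 10, 3)),
    PatchRecord("ws-002", "Adobe Reader", date(2012, 10, 1), date(2012, 10, 12)),
    PatchRecord("ws-003", "Adobe Reader", date(2012, 10, 1), date(2012, 11, 2)),
    PatchRecord("ws-001", "Java Runtime", date(2012, 10, 16), date(2012, 10, 30)),
    PatchRecord("ws-002", "Java Runtime", date(2012, 10, 16), None),
    PatchRecord("ws-003", "Java Runtime", date(2012, 10, 16), date(2012, 12, 1)),
]


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days from fix availability to deployment, or to as_of if still outstanding."""
    end = rec.deployed if rec.deployed is not None else as_of
    return (end - rec.released).days


def patch_metrics(records, as_of: date, sla_days: int = 14) -> dict:
    """Summarise time-to-patch over closed records and flag overdue open ones."""
    closed = [r for r in records if r.deployed is not None]
    open_ = [r for r in records if r.deployed is None]
    ttp = [exposure_days(r, as_of) for r in closed]
    within = sum(1 for d in ttp if d <= sla_days)
    return {
        "patched": len(closed),
        "outstanding": len(open_),
        "median_ttp_days": median(ttp) if ttp else None,
        "max_ttp_days": max(ttp) if ttp else None,
        "within_sla_pct": round(100 * within / len(closed)) if closed else None,
        # hosts still unpatched whose exposure has already passed the target
        "overdue_outstanding": sorted(
            (r.host, r.app, exposure_days(r, as_of))
            for r in open_ if exposure_days(r, as_of) > sla_days
        ),
    }


def ttp_by_app(records, as_of: date) -> dict:
    """Median time-to-patch per application, which surfaces the slow updaters."""
    by_app = {}
    for r in records:
        if r.deployed is not None:
            by_app.setdefault(r.app, []).append(exposure_days(r, as_of))
    return {app: median(days) for app, days in sorted(by_app.items())}


if __name__ == "__main__":
    today = date(2012, 12, 15)
    for key, value in patch_metrics(SAMPLE, today).items():
        print(f"{key}: {value}")
    print("per application:", ttp_by_app(SAMPLE, today))
```

Two design points matter for a metric that is meant to drive behaviour: outstanding patches are measured against today rather than dropped, so an unpatched host keeps raising the number instead of disappearing from it, and the per-application view separates a slow updater (here the constructed Java records) from a generally sluggish process.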
Of course, patching known vulnerabilities is not the only way that organisations can or should be
mitigating the risks that they face from third-party applications – be they authorised applications
or not. Computing asked about the technologies in use to protect against exploits taking
advantage of the ‘patch gap’ (Fig. 7).
Fig. 7: What technologies do you rely on to protect against exploits taking advantage of the “patch gap”?
Antivirus: 96%
Web filtering: 77%
Application firewall: 71%
Application whitelisting: 31%
Other: 3%
*Respondents could select more than one answer.
A huge 96 percent of respondents used anti-virus software to protect their organisations from
exploits. The only surprising thing about this particular finding was that it was not 100 percent
who did so! Seventy-seven percent had web filtering software in place and 71 percent had an
application firewall. Less than a third of respondents (31%) had any sort of application whitelisting
in place.
It would seem that the majority of our respondents are aware that relying on stand-alone
anti-virus software to protect information assets is a mistaken approach, as we have seen
above. The information security of business organisations is being subjected to a perfect storm.
The changes in working practices being driven by BYOD, increasing levels of home and remote
working and the cloud are not so much rendering corporate network boundaries elastic as
exploding them altogether.
As the volume of threats and the speed with which vulnerabilities are reverse engineered
continues to rise, organisations should be combining technologies for a true, defence-in-depth
approach.
Conclusion
Our survey has found that business organisations in the UK are struggling to address the risk to
their information security that arises from vulnerabilities in third-party applications and plugins.
As operating system vendors have tightened up security loopholes, third-party applications and
browsers are now the favoured attack vector of cyber criminals.
Organisations may feel that the not inconsiderable time taken making sure that patches are
promptly applied could be better spent elsewhere, but as we have seen, balancing IT productivity
against system security is a false dichotomy.
Rather, not installing updates promptly carries the risk of more time and effort needing to be
spent getting systems up and running again after an attack, not to mention lost productivity,
lost or stolen data, and possibly legal costs too.
However, despite the risks to data security, brand and so on, as well as the potential costs of
cleaning up after successful attacks, it would seem that organisations are not concerned enough
to deploy security patches as soon as they are made available. The practicalities of patch
deployment are not always straightforward, and each new patch needs to be tested and validated
before deployment if the balance between the security and stability of systems is to be maintained.
One approach would simply be to ban the use of third-party applications, cut back on their use or
replace them with less popular equivalents. The first two options could have serious repercussions
for employee productivity and seem a retrograde step in the face of the evolution in working
practices that BYOD, better connectivity, the cloud and social media have brought about. If enough
organisations chose the approach of replacing third-party applications with less popular
alternatives, it is likely that attackers would simply refocus their activity on the newer applications
once a critical mass had been achieved. Replacing applications might well buy organisations a little
time, but it is not a long-term solution.
Relying on technologies such as anti-virus software and web filtering to bridge the gap between
vulnerabilities being announced and patches being deployed is also not a solution in itself. Both
technologies are essentially reactive and whilst some protection is better than none, organisations
need to take a more proactive approach to the security of third-party applications. As is often the
case, mitigating the risk from third-party applications requires a holistic approach, encompassing
patch management, application control, anti-virus and device control as part of a complete
endpoint security management programme.
Application control can be seen as the very definition of proactive security management.
Unauthorised and unwanted third-party applications are a major source of vulnerabilities.
Not only that, but they take up a disproportionate amount of time and effort in terms of patching
and updates. Enforcing flexible application whitelisting puts control back in the hands of the
IT team. This allows organisations to identify and prevent the installation and execution of any
unwanted, untrusted or malicious applications without having to rely on the latest anti-virus
definitions and vulnerability patches. As a result, organisations can enjoy the benefits that
third-party applications can bring to their business whilst at the same time reducing the risks
that these applications pose to a level that they can live with.
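As an added illustration of the default-deny application control the conclusion describes (not Lumension’s product logic or any code from the paper), this Python evaluates execution attempts against an allowlist of approved binary hashes plus one trusted install root. The binary contents, paths and policy are constructed stand-ins; a real deployment would take the hashes from a vetted software catalogue.

```python
import hashlib
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents (sample bytes, not real binaries).
APPROVED_READER = b"MZ-approved-reader-build"
LOOKALIKE_READER = b"MZ-unknown-reader-lookalike"
BUNDLED_TOOLBAR = b"MZ-bundled-toolbar-installer"
VENDOR_TOOL = b"MZ-unreviewed-vendor-tool"

# Constructed policy. Hash rules identify an exact approved build; the trusted
# root covers software that IT installs itself. Anything else is denied.
POLICY = {
    "hashes": {sha256_hex(APPROVED_READER)},
    "trusted_roots": [PureWindowsPath(r"C:\Program Files")],
}


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' test on path components."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return len(p) > len(r) and p[:len(r)] == r


def decide(path_str: str, content: bytes, policy=POLICY):
    """Return (verdict, matched rule) for one execution attempt; default is deny."""
    path = PureWindowsPath(path_str)
    if sha256_hex(content) in policy["hashes"]:
        return "allow", "hash"
    if any(_under(path, root) for root in policy["trusted_roots"]):
        return "allow", "trusted-path"
    return "deny", "default"


# Constructed execution attempts as (path, content) pairs.
EVENTS = [
    (r"C:\Program Files\Adobe\Reader\AcroRd32.exe", APPROVED_READER),
    (r"C:\Users\alice\AppData\Local\Temp\AcroRd32.exe", LOOKALIKE_READER),
    (r"C:\Users\alice\Downloads\toolbar_setup.exe", BUNDLED_TOOLBAR),
    (r"C:\Program Files\Vendor\tool.exe", VENDOR_TOOL),
]


def evaluate(events, policy=POLICY):
    """Apply the policy to every event and return audit records plus a tally."""
    records = []
    for path, content in events:
        verdict, rule = decide(path, content, policy)
        records.append({"path": path, "sha256": sha256_hex(content)[:12],
                        "verdict": verdict, "rule": rule})
    tally = {"allow": 0, "deny": 0}
    for rec in records:
        tally[rec["verdict"]] += 1
    return records, tally


if __name__ == "__main__":
    records, tally = evaluate(EVENTS)
    for rec in records:
        print(f'{rec["verdict"]:5} {rec["rule"]:12} {rec["sha256"]}  {rec["path"]}')
    print(tally)
```

The second event is the case that matters: a file with the approved application’s name but a different hash, launched from a user-writable directory, is denied without any signature update. The fourth event shows the weaker guarantee of a path rule, since anything written under the trusted root is allowed; that root must therefore not be writable by standard users, which is the same local-administration-rights point raised under “The unauthorised desktop”.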
About the sponsor, Lumension
Lumension Security, Inc., a global leader in endpoint management and security, develops,
integrates and markets security software solutions that help businesses protect their vital
information and manage critical risk across network and endpoint assets.
Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT
success by delivering a proven and award-winning solution portfolio that includes Vulnerability
Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance
offerings. Lumension is known for providing world-class customer support and services 24x7,
365 days a year.
Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas,
Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia.
Contact Lumension:
Call: +44 (0) 1908-357-897
Visit: www.lumension.com