Adobe, Anthem, EBay, JP Morgan Chase, Home Depot, Sony, Target – household names that have all had data breaches due to Cyberattacks. These cyber-attacks appear to be focused on accessing personal customer data that could be used for financial scams. According to the APT1 Report from Mandiant, hundreds of terabytes of data from at least 141 organizations has also been stolen in a cyber-espionage effort from individuals in China. Regardless if it’s customer data or intellectual property, this data should not be leaving these corporations.
Most people will never know exactly how these breaches happened, but IT asset managers who oversee software assets for their company can remove a number of the possible entry points from a cyber-attacker’s tool kit. We’ll cover three areas that will reduce the number of threat vectors an attacker can utilize.
Building Security In
Companies must always balance the level of risk they are willing to handle and the security requirements they put in place. There are three key things a company’s asset management team can do to lower the security risks without putting unrealistic security restrictions in place.
These three simple processes reduce the number of potential attack vectors that can be used to get access to your companies data. Let’s look at each of these in detail.
1. Remove older software
“It’s old software, it doesn’t matter, it’s not like someone is going to audit us for that title” – how many times have heard something similar discussed in your organization. “Nobody uses that software anyway so we’ll just leave it.” That is a very bad choice – just read this article about a JPMorgan Chase privacy breach that compromised the bank accounts of 83 million customers.
If you are part of your organizations Asset Management team and you are not removing old or unused software from computers, these titles could easily cause your organization to be in the news for all the wrong reasons. Obviously, there is a cost avoidance that you can achieve by uninstalling unused software, but there is a tangible security benefit to doing this as well. There are products that make this process easy and automated – products like 1E’s AppClarity. Even if your organization is willing to pay for licensing the software, if your employees are not regularly running it in a manner where it can install updates, it’s possible there are components running every time the computer is booted or a user logs in and if those components have a vulnerability, those older software titles are a significant liability.
2. Validate that software is updated and regularly patched
This is a no brainer – patches resolve defects, and many of these patches fix security vulnerabilities. Unpatched software should be something the organization considers as unsafe software. What’s that, you didn’t know that CVE-2014-0160 is the Heartbleed vulnerability? You forgot that your web server had this defect? In all likelihood, your system administrator forgot too, but the cyber attackers didn’t and they will use this as an attack vector if they can.
What should keep you awake at night – is the fact that, 6 months after this defect was resolved, more than ½ of the Forbes Global 2000 had servers running on the Internet that were not patched. Is your organization still running software and services with this defect? If you work for one of the Forbes Global 2000 companies, your odds are better than a coin toss if this vulnerability still lingers in your IT infrastructure.
This is an easy job for the asset manager to create exception reports on inventory that identifies if a web server or other application is below a certain version level, or if a patch is installed or not. Does your organization have this type of process in place?
3. Institute and enforce a software policy
Your end-users will do anything to make sure they can get their jobs done. They bring software from home or download and install software off the Internet if they can’t buy the licenses they need. Do your users have administrator rights on their computers? Does your organization have a policy in place to stop rogue software installations from happening? Does it get enforced? Will your company really fire an employee for installing a copy of Gimp (a freeware photo editing software package) because they were not allowed to buy Photoshop?
Free and open source software (FOSS) is not inherently risky if it’s accessed from a trusted website, however, knowing which titles are safe, where it is safe to download and ensuring that the software remains patched and updated are all critical to limiting the number of potential threat vectors.
Organizations can fix this problem by making it exceedingly easy for their employees to request the software they need without a lot of fuss about how to find the software title, how to make sure licenses are purchased and determining if the software is genuine.
All that’s required is a process where your employees can go to a single known corporate app store, find the software they need and have the system automatically manage the process of purchasing, approval processing, reporting, delivery, and installation. These corporate app stores can include FOSS as well as commercial software and, our App Store – Shopping from 1E, can carry rules and policies defining any approval and other work flow processes. These corporate app stores can even provide alternatives, such as providing a reader version of an app instantly upon request while requiring manager approval for a version that requires higher licensing fees – thus saving money while also lowering risk levels for the organization.
Conclusion – Security Requires a Layered Approach
There is no silver bullet of technology to ensure security of software and devices within an organization – security requires depth and breadth and must be applied across all IT processes. IT Asset Management organizations have a significant role to play in the overall security picture by ensuring that they:
- Remove older software – especially if it’s not needed
- Validate that software is updated and regularly patched
- Institute and enforce a software policy for the organization
Whenever the above areas can be automated, the probabilities of long term success increase tremendously. It’s very possible that doing these three things would have helped highlight, or even stop some of the high profile cyber security and cyber espionage attacks we seem to see in the news on a daily basis. To paraphrase Dirty Harry, “Do you feel lucky”, or would you rather put tools that are readily at your disposal to work lowering your risk of audit, as well as the risk of cybersecurity threats? I’m positive that Adobe, Anthem, EBay, JP Morgan Chase, Home Depot, Sony, Target and others all felt they had the best security they could implement at a reasonable cost – what I wonder is – did they rely solely on the security products they purchased and implemented and forget to develop an approach to security that focused on the depth and breadth across their whole IT environment to keep their infrastructure secure?
Applying intelligent approaches to security in the asset management areas of IT will make your organization more secure. Start using the tools at your disposal today and stop the data loss and reduce the potential for your organization to be the next in line for the regular security breach report in the news.