High-Profile Hacks Illuminate How Lack of Auditing on Existing Compliance Products Can Make Front-Page News of the Worst Kind
In the recent Java attacks into Apple, Facebook, Microsoft and other tech titans, hackers didn’t need to dig too deep into their playbooks to find a way to attack. As a matter of fact they employed one of, if not the oldest axiom in the book – they used a remote vulnerability in massively distributed software and exploited it to install remote access software capability. And in this case on an application that (A) wasn’t up to date and (B) probably didn’t need to be running.
While the hacks themselves have been sexy front-page news, the methods enterprises can use to prevent or curtail them is pretty boring stuff. We all hear “keep boxes up to date with patch management software” and “ensure uniformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”? Which in this case the watchers being compliance, patch and systems management technologies. I think Apple and Facebook learned that just because a management product tells you that software is up to date doesn’t mean you should believe it! Here at Ziften our results in the field say as much where we consistently uncover dozens of versions of the SAME major application running at Fortune 1000 sites – which by the way all are using compliance and systems management products.
In the case of the exploited Java plug-in, this was a MAJOR application with huge distribution. This is the type of application that gets tracked by systems management, compliance and patch products. The lesson from this couldn’t be more clear – having some type of check against these products is essential (just ask any of the enterprises that were hacked…). But this only constitutes a portion of the problem – this is a major (debatably essential) application we are talking about here. If organizations struggle to get their arms around maintaining currency on known authorized applications being used, then what about all the unknown and unnecessary running applications and plug-ins and their vulnerabilities? Stated simply – if you can’t even know what you are supposed to know then how in the world can you know (and in this case protect) about the things you don’t know or care about?!