Last month, Kaspersky Lab reported that Java is the target for more than half of all malware exploit attempts. Combine that with the fact that one very common audit finding is to encounter older versions of Java on a bank's network, and you have a recipe for disaster.
I may need to clarify something about older versions of Java. Java is not patched the way Microsoft products are. When Microsoft discovers a vulnerability, it releases a patch that you install on your existing platform, so it is possible to be running an older version of a Microsoft product that is completely patched. When software companies like Adobe and Oracle (Java) discover a vulnerability, the fix is released as a new version of the product. That is why you constantly see new versions available: they are usually not released to add some cool new feature, but to fix a security issue.
I think there are really three reasons we see Java and Adobe patch management lagging behind at financial institutions:
- New versions aren't released on a regular schedule like Microsoft's "Patch Tuesday." Your IT administrator is busy putting out plenty of fires, and constantly checking whether Adobe or Oracle (Java) has released a new software version isn't usually high on his or her priority list.
- These software companies lack the automated, easy updating process that Microsoft provides through Windows Server Update Services (WSUS). Patch management and maintenance for programs like Adobe and Java may require additional third-party patch management software.
- In years past, a Java update did not remove the older version. This has since been fixed, but the older versions left behind by earlier updates still have to be removed manually. As an auditor, I still run into old versions of Java on workstations even when the most current version is installed. As part of your patch maintenance, a one-time check and removal of old versions of Java would be well worth your time.
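The one-time check described above, as an added example that is not part of the original post: a PowerShell script that inventories the Java runtimes registered in the Windows uninstall keys, flags every copy older than the newest one found, and (only with the `-Remove` switch) uninstalls the stale ones by MSI product code. It assumes Oracle/Sun JRE entries, whose DisplayName starts with "Java" and whose DisplayVersion is numeric (for example 8.0.1910.12), and must be run from an elevated prompt.

```powershell
# Added example (not from the original post). Lists installed Java runtimes,
# warns about every copy older than the newest, and removes them with -Remove.
param([switch]$Remove)

# Both 64-bit and 32-bit uninstall hives; the WOW6432Node key is absent on 32-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$javaInstalls = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^Java' -and
            $_.DisplayName -notmatch 'Auto Updater' -and      # the updater service is not a runtime
            $_.DisplayVersion -match '^\d+(\.\d+)*$'          # keep only parseable version strings
        } |
        ForEach-Object {
            $arch = if ($_.PSPath -like '*WOW6432Node*') { 'x86' } else { 'x64' }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = [version]$_.DisplayVersion
                Arch        = $arch
                ProductCode = $_.PSChildName   # MSI product GUID, the argument msiexec /x expects
            }
        } | Sort-Object Version -Descending
)

if ($javaInstalls.Count -eq 0) { Write-Host 'No Java installations registered.'; return }

$newest = $javaInstalls[0].Version
$javaInstalls | Format-Table Name, Version, Arch, ProductCode -AutoSize

# Anything below the newest version is an old copy the update did not clean up.
$stale = $javaInstalls | Where-Object { $_.Version -lt $newest }
foreach ($old in $stale) {
    Write-Warning "Older Java still present: $($old.Name) ($($old.Arch), $($old.Version))"
    if ($Remove -and $old.ProductCode -match '^\{[0-9A-Fa-f-]+\}$') {
        # Silent MSI uninstall; the verbose log is kept as an audit trail of what was removed.
        $log = Join-Path $env:TEMP "java-removal-$($old.Version).log"
        Start-Process msiexec.exe -ArgumentList "/x $($old.ProductCode) /qn /norestart /l*v `"$log`"" -Wait
    }
}
```

Run it without `-Remove` first to review the inventory; the same script can be pushed to workstations through your existing management tooling for a fleet-wide check.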
Keeping software up to date is obviously the most important thing you can do to thwart online attacks, but the best answer to this security issue, as to most security issues, is to implement a layered security program:
- Remove local administrator privileges on workstations.
- Implement technical controls on the use of USB storage devices where possible.
- Implement and monitor an intrusion detection/prevention system.
- Expand Internet content filtering such that only sites needed for banking are allowed.
- Regularly review security logs, so that changes in the norm will stand out.
- Train, train, train – include teaching users not to click on email links, teaching them the difference between secured and unsecured websites, and teaching them to verify that an unexpected caller, email sender or visitor is authorized before giving them information or helping them with a project. Creating a culture of security-minded employees, where everyone in the bank sees security as their responsibility, will provide some of the greatest protection available to you.
Unfortunately, the more security measures you put in place at your institution, the less convenient things are for you and your employees, but they are also less convenient for any would-be attacker. Most attackers look for the low-hanging fruit. Implementing several security layers across your network and your institution will send most of them on to an easier target.