As an auditor, one of the most common weaknesses that I see is third-party application patching. Java and
Adobe applications have been the most popular attack avenues in recent years for two simple reasons: first, they are installed everywhere and secondly, they are not typically updated very quickly. Reasons for these applications not being updated in a timely manner range from the applications not being included in patch management processes to vendor requiring specific versions of the third-party software. Furthermore, having these applications up-to-date does not mean they are secure, it just means that some of the previously known vulnerabilities have been patched.
How do you mitigate the risk associated with vulnerable software? A primary tenant of security is limiting exposure. The simplest way to limit exposure of a vulnerable application is to only have it installed on systems where it is required for normal business operations. Java and Adobe software is commonly installed on all workstations for the sake of convenience. This definitely increases the vulnerability footprint, but if it is not required in normal day-to-day tasks does it really provide that much convenience?
Once the unnecessary software has been cleaned up, further mitigations can be considered. For example, the majority of Java vulnerability exploits are performed through the web browser plug-in. Java provides the ability to disable the web browser plug-in via the security settings. Again, if it is not necessary for normal business operations, it should be disabled. If you have systems that require a specific version of Java, you could consider deploying Java Deployment Rule Sets, which allow you to specify which applications or websites are allowed to use the old software.
One of my favorite security tools is Microsoft's Enhanced Mitigation Experience Toolkit (EMET). It is a small security utility that is specifically designed to mitigate security vulnerabilities in software. EMET has several features that are designed to detect and prevent common exploit techniques, but one of my favorite features is the Attack Surface Reduction (ASR) mitigation feature. The ASR feature can be used to prevent the user's web browser from loading external plug-ins (e.g. Java, Flash and PDF readers) on untrusted sites.
In addition to the technical restrictions, vendor management processes should be in place to ensure their software is updated in a timely manner to support the most recent versions of the third-party software. Vendor risk assessments should be adjusted based on the vendor's ability to update and support new versions of the underlying software. If a vendor is going to require you to use a vulnerable version of software, the risk associated with using that vendor also increases. Moving forward, make sure that third-party software dependencies are discussed and considered during any future software selection due diligence processes.
To conclude, applying the principle of least privilege and only installing the required software and features that a user needs goes a long way to reducing the risks of vulnerable software. If necessary, apply additional pressure to software vendors that do not support recently updated versions of the third-party software.
Craig Schurr is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.
