3rd Party Applications Open Holes Too!

For years, we’ve heard the ire of security professionals worldwide over the vulnerabilities of the Microsoft Operating Systems. Many touted Linux or even Macintosh as the answer. Unfortunately, there is scant support for these operating systems, particularly in the way of desktop applications, and this has kept many businesses from making such a move.

The answer from a security perspective was to keep the OS religiously patched and to run bloated, up-to-date desktop anti-virus programs. However, the one thing that is often overlooked in this approach is 3rd party applications.

I, for one, install at least the following applications without fail on every new desktop I build or rebuild:

  • Adobe Reader
  • Adobe Shockwave
  • Adobe Flash Player
  • Java Runtime Environment
  • Microsoft Media Player
  • Quicktime Player

I’m sure there are many other IT professionals who do the same. Unfortunately, these applications often get overlooked when it comes to patching. For many of them there is no simple “Automatic Updates” service that can be enabled, as there is in MS Windows.

What many don’t realize is that new vulnerabilities are discovered in these applications just as frequently (if not more so) as in Windows. In many cases, these vulnerabilities are far easier to exploit than the ones Windows updates address. In addition, many are more dangerous in that they are usually targeted at specific businesses. Imagine an exploit that a criminal could run simply by spamming a corporation with a PDF attachment. That PDF would then execute custom code that could install backdoor applications for a hacker to use. Trade secrets or private information? Not anymore….

Next, there are the inappropriately patched systems. For example, how many people realize that simply upgrading the Java Runtime Environment does not necessarily close the holes in the old version? Did you know that you actually have to manually uninstall the old versions of Java? By default, Java’s installer does not do this, thereby leaving the exploitable code on your system.
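As an added example (not code from the original post), here is a PowerShell check that lists every Java Runtime entry registered in Add/Remove Programs and flags everything but the newest version as stale. It assumes a Windows host with the standard Uninstall registry keys, and that the JRE installer registers itself under a display name beginning with “Java” (the “Auto Updater” exclusion is likewise an assumption about how those entries are named).

```powershell
# Added example: find stale Java Runtime installs left behind after an upgrade.
# Assumptions: standard Uninstall registry keys; JRE entries are named "Java*";
# the "Java Auto Updater" helper is excluded so it is not mistaken for a runtime.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every Add/Remove Programs entry that looks like a JRE/JDK install.
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like 'Java*' -and
        $_.DisplayName -notlike '*Auto Updater*' -and
        $_.DisplayVersion
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, PSChildName

if (-not $javaEntries) {
    Write-Output 'No Java Runtime entries found in the Uninstall registry keys.'
    return
}

# Turn DisplayVersion into a sortable [version]; entries that do not parse are
# reported as warnings rather than silently dropped from the inventory.
$parsed = foreach ($e in $javaEntries) {
    $v = $null
    if ([version]::TryParse($e.DisplayVersion, [ref]$v)) {
        [pscustomobject]@{
            Name      = $e.DisplayName
            Version   = $v
            Key       = $e.PSChildName
            Uninstall = $e.UninstallString
        }
    } else {
        Write-Warning "Could not parse version '$($e.DisplayVersion)' for $($e.DisplayName)"
    }
}

# The highest version present is treated as current; everything below it is
# an older runtime the installer left on the box and should be removed.
$newest = ($parsed | Sort-Object Version -Descending | Select-Object -First 1).Version

foreach ($p in ($parsed | Sort-Object Version -Descending)) {
    $status = if ($p.Version -lt $newest) { 'STALE - remove' } else { 'CURRENT' }
    Write-Output ('{0,-15} {1,-40} {2,-12} {3}' -f $status, $p.Name, $p.Version, $p.Key)
}
```

Run it in an elevated prompt on each desktop (or push it through your patch management tool) and feed the STALE rows into your removal job; the Key column is the registry subkey whose UninstallString performs the removal.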

This is why patch management systems are so crucial for companies. I’m sure when you lock the doors at night, you also close the shipping doors, the windows, and any other points of entry. Likewise, you should be closing the points of entry into your data infrastructure as well. If you can’t close them, for one reason or another, you should at least be aware of these points of entry and make efforts to minimize the risk you’re exposing your business to.

Spend an Hour Now…Earn Double That Later!

As I’ve been traveling the country lately, I’ve been learning more and more about how the PCI-DSS requirements are affecting businesses. There still seems to be quite a bit of misinformation as well as a lot of questions. As a result, I’ve been changing the focus a bit.

I really do think companies should spend more time in training on PCI.  There is no better training, in my opinion, than that provided by auditors who have actually been in the field conducting audits.  By investing in training, staff and management can get a better understanding of security implications, the audit process, and why the PCI requirements are so important.  As a bonus, doing so will also aid in meeting PCI-DSS requirement 12.6 - “Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.”  This training should be provided to everyone in the company, not just a select few.  I’ve found that companies that take this approach get better cooperation from their employees and have an easier time making it through the audit.

Next, management should get involved regularly in user groups and public forums. I, and many other auditors like me, frequently respond to posts on sites such as the PCI Knowledge Base. The beauty of these public forums is that others can benefit from similar inquiries. In addition, we’ve all seen how different auditors have different points of view on various topics. This unfortunately feeds some of the misinformation. Public forums like the PCI Knowledge Base can help combat that, as auditors will discuss the reasoning behind their points of view and challenge one another in the hope of coming to a more unified/educated approach.

I know time is valuable, but spending a few hours now on these suggestions will offer great returns, both in the security of your data and in a more pleasant experience during your audits.