Applications, virtualization, and devices: Taking back control

Transcription

1 Applications, virtualization, and devices: Taking back control Employees installing and using legitimate but unauthorized applications, such as Instant Messaging, VoIP, games, virtualization software, and unapproved browsers are a real and growing threat to business security and productivity. Removable storage media and wireless protocols make the challenge of securing data even more complex. This paper explains why it is important to control unauthorized applications and devices, discusses the different approaches, and highlights how integrating this functionality into malware protection is the simplest and most cost-effective solution. A Sophos white paper August 2008

2 Applications, virtualization and devices: Taking back control The changing perspective An evolving workforce, reared on Web 2.0 technologies, is bringing a different perspective to how computers are used within an organization. With a mindset that is highly tuned to sharing information and applications, and ing and messaging friends, the new employee 2.0 is redefining how individuals interact with the internet and the IT environment as a whole. While the new internet technologies they are exploiting can bring business value in helping employees communicate, share files and work collaboratively online, they also pose a range of new threats. Internet-enabled applications such as Instant Messaging (IM), peer-to-peer (P2P) file-sharing applications and Voice over Internet Protocol (VoIP) services have been causing concern for some time. A Sophos online poll asking IT administrators what kind of software applications they would like to prevent their users from being able to access and use shows that even by late 2006 they recognized the need to be able to exert more control and to prevent users from installing and using unwanted applications. 1 Today the problem is even more pressing. While businesses have put in place systems and processes to defend against malware, these defenses do not typically provide adequate protection against the new set of threats posed by today s user behavior. Employees, many of whom have considerable IT knowledge and expertise, continue to introduce applications onto their desktops very often simply to make the tools they work with more suited to their own idiosyncrasies unaware of the associated potential risk. Internet browsers Many people are rejecting company-approved web browsers in favor of other browsers. Although these are a very real threat as hackers regularly exploit unpatched vulnerabilities in browsers to infect users computers, nearly a third of respondents to a Sophos poll said they did not consider browser control important. 2 Instant Messaging 86.4% VoIP 86.1% Peer-to-peer 86.5% 42% % 30% 42% Is essential to block unauthorized web browsers or out-of-date versions of approved browsers 28% Want to block unauthorized web browsers or out-of-date versions of approved browsers 30% Browser control not important Games 90.4% Distributed computing applications 89.3% Figure 1: Applications essential to block 1 28% Figure 2: Applications essential to block 2

3 Virtualization Of particular concern currently is the growth in the use of unauthorized virtualization software on company desktops and laptops. Virtualization separates the logical (software) from the physical (hardware) allowing multiple systems to be run on one piece of hardware. It can represent real value at time of increasingly constrained IT budgets and organizations deploying managed virtual desktops are running no significant increased risk. Unmanaged virtual computers, on the other hand, create a black hole in an organization s security system, with applications running in an environment about which IT administrators are completely unaware. The ease with which virtual computer image files can now be downloaded means there is a much higher risk of end users running unauthorized applications from games to browsers to beta software in a virtual environment, making corporate systems and data much more vulnerable than in the past. The business risk The unauthorized or uncontrolled installation and use of applications, devices and network protocols can negatively impact organizations in several ways. Security risks The risk of infection through unauthorized applications is clear. IM-based malware attacks, for example are growing exponentially, and P2P applications are similarly on the increase and are notorious vectors for malicious code such as remote command execution, remote file system exploration or file-borne viruses. Infected files can also come in through wireless connections. Once infected, computers can be used to send out spam or launch denial of service attacks, or to spy on and capture confidential business data. As discussed above, data can also be easily taken outside an organization on CDs and USB keys and many recent high-profile incidents confirm how easy it is for these then to be accidentally lost. Removable storage devices An organization s vulnerabilities are exacerbated by the unchecked ability to launch unauthorized applications from removable storage devices like USB keys, CDs and DVDs, and wireless networking protocols, such as WiFi, Bluetooth and Infrared particularly if these applications are then run in a virtual environment. Compounding the problem is the use of these devices and protocols to transfer business data around and out of an organization. In a recent survey, the inadvertent exposure of company confidential information was cited as the number one threat, above viruses, Trojans and worms percent of data leakage incidents are due to accident or stupidity 4 Legal and compliance breaches The installation of unauthorized applications and devices can pose significant legal risk as well as security risks. The need to protect data is particularly important. Government regulations such as the USA s Sarbanes-Oxley Act and HIPAA (Health Insurance Portability and Accountability Act), Canada s PIPEDA Personal Information Protection and Electronic Documents Act), and the UK s Data Protection Act place requirements on IT administrators to maintain and protect data integrity within their networks. There is further pressure from recognized industry bodies, such as the Center for Internet Security (CIS Benchmarks) and the Payment Card Industry (PCI DSS). In addition to the repercussions of failing to protect data properly, there are other legal pitfalls. For example, the content of IM chat often

4 includes attachments, jokes, gossip, rumours and disparaging remarks, confidential information about the company, employees and clients, and sexual references. Extra IT support burden As discussed, unauthorized applications and devices can introduce infection to the network, but even without this, they can create an additional IT support headache. Applications that are not properly tested and deployed can cause stability performance issues across the network. Network and system overhead The corporate network bandwidth and computer processor power consumed by unauthorized applications can have a direct negative impact on network resources and availability. Skype End User License Agreement Skype Software may utilize the processor and bandwidth of the computer (or other applicable device) You are utilizing, for the limited purpose of facilitating the communication between You and third parties. 5 For example, distributed computing projects harness the spare processing power of millions of computers to help create models or simulations of scenarios such as climate change. VoIP also uses such spare capacity. When I wrote Solitaire for Microsoft, I unleashed a monster of unproductivity onto the world. If I had a penny for every hour that has been wasted playing Solitaire in the office, I could hire Bill Gates as my golf caddie. 6 Employee productivity issues Although applications like VoIP and IM can have business value, in most cases they are a distraction and are not required by end users for business purposes. In a virtual environment, applications that are normally banned by an organization, such as games, can be freely run, or users can simply use the environment to organize their own private affairs, all of which has a hugely adverse effect on productivity. The challenge of the legitimate The difficulties presented by some legitimate software applications raise particular challenges over and above straightforward protection against malware. The fundamental step for organizations to increase security and productivity is to create and enforce an acceptable use policy setting out rules on what applications and devices are and are not approved, containing prescriptive advice on best practice, and clearly defining prohibited behavior. Beyond this, from the IT administrator s perspective there are two distinct challenges: Allowing controlled use of authorized applications, devices and network protocols. Preventing use of unauthorized applications, devices and network protocols. In practice this presents a significant challenge, not least because many users have to be allowed to be local administrators, being given privileges necessary to download applications that they need to do their job, for example downloading updated Adobe Acrobat software. However, this means that they can also download a variety of other software that they might want to install and use. This makes life particularly difficult for the IT administrator: malicious software would be blocked by anti-virus software but applications like IM are not malicious in any way.

5 Control strategies In response to the wide-ranging threats posed by the unauthorized use of applications and devices, IT administrators have tried a number of different strategies. While each strategy has some merit, there are also disadvantages. while application control products do a great job at blocking execution of applications, it is more difficult to stop the initial installation of applications. 7 Locking down computers One of the most straightforward ways to stop the installation of unauthorized applications is simply to enforce a blanket lockdown on all computers, or to ban the unauthorized use of removable storage media, and to assign only limited administrator rights. However, this is precisely where application control has broken down in the past. Some departments notably IT and technical support have a clear and obvious need for administrator rights. It might seem an obvious answer to allow these technical groups to install applications and to prevent everyone else from doing so. Unfortunately in practice this is not as simple as it sounds. Many organizations find it expensive to lockdown computers for some or all of their non-technical end users. The inflexibility of the strategy means that countless policies need to be created. For example, many simple Windows functions, such as adding a printer driver, changing time zones and adjusting power management settings, are not allowed with a standard user account and therefore do require constant changing of the assigned rights. The increased staffing requirements and response times related to centrally administering every change to a computer create a significant cost for the business. Installing specialist control products There are products on the market that are designed specifically for controlling which applications can and cannot be run on a computer. These products typically involve validating usage against large databases of allowed and blocked applications. For IT administrators they are yet another product that needs to be evaluated, purchased, installed and managed. Management of these solutions is not an insignificant task and is often difficult due to the size and complexity of allow and block lists. In addition, while application control products can be effective in blocking execution of applications, it is more difficult to stop the initial installation. Finally, specialist application control products do not provide comprehensive protection against malware and businesses still have to invest in other security products to protect against viruses, spyware, and other threats. Implementing corporate firewall rules and HIPS Firewalls and HIPS (Host-based Intrusion Prevention Systems) are generally focused on blocking potentially malicious network traffic and attempts to execute a code, rather than controlling which applications users can and cannot install and/or run. They can play a role in limiting the use of unauthorized applications by controlling access to network or internet resources, for instance by looking for and blocking VoIP traffic, but are far from an adequate solution to this problem.

6 Getting more from an anti-malware solution Most anti-virus and anti-spyware solutions do not offer application or device control capability. However, a business will get more from its investment in protection against malware and save system and management resources if the same scanning and management infrastructure is used by the product to intercept and manage the use of legitimate software applications and devices. burden of updating onto the administrator and is also unreliable as users can simply change the filename to avoid the application being detected. A better approach is for the vendor to create and update application detection signatures in exactly the same way that malware detection is automatically updated, simplifying administration, updating and maintenance of detection. Deploy only one client Anti-malware is a necessary investment that IT administrators have no choice but to purchase, install and manage. Deploying a single client that incorporates anti-virus, anti-spyware, antiadware and control of unauthorized applications and devices will save time, money, and system resources, and improve security. Reduce the support burden By using signature-based detection that not only stops applications from being run but also blocks their download and installation, organizations reduce the time that their technical support staff have to spend sorting out computers that have been destabilized by the installation of unauthorized applications. Simplify control and policy setting Anti-malware solutions allow different policies to be set for different user groups. Being able to set policies to remove unauthorized applications and devices alongside anti-malware policies, can enhance efficiency and allow for specific needs of particular users. For example, VoIP or the use of USB keys could be blocked for office-based computers, but authorized for remote computers. Eliminate administrative overhead Using the same management and updating mechanisms for application and device control as for anti-malware software has obvious infrastructure and overhead benefits. However, the overall success of this combination of features, in terms of efficiency, depends on the actual way in which applications are detected. Conclusion The challenges posed by the installation and use of unauthorized applications and devices on company computers are significant. While there are a number of solutions available that help IT administrators to manage the problem, many require additional investment and, for many organizations, they can be expensive, unwieldy and difficult to maintain. A better solution is one which completely integrates the blocking of unauthorized applications and devices into the existing antimalware detection and management infrastructure. This gives IT administrators for whom IT antimalware protection is a must have a simple solution that removes the cost and management overhead from the equation. Some solutions require administrators to create their own application signatures using filenames that appear in the application, and to maintain allow or block lists. This approach is timeconsuming and IT resource-intensive. It puts the

7 Sources Sophos web poll, September 2006 Sophos web poll, May-June 2008 IDC, Information Protection and Control Survey: Data Loss Prevention and Encryption Trends, Doc # , March Skype End User License Agreement, March 2008, Wes Cherry, author of Microsoft Windows Solitaire, speaking to Sophos Windows Application Control Solutions Provide an Alternative for Desktop Lockdown, Gartner Inc. March 2006 Sophos Endpoint Security and Control uses a unified single client to protect against viruses, spyware, adware and hackers, and to control unauthorized applications and removable storage devices. It provides cross-platform security and control for desktops, laptops, file servers and mobile devices including Windows, Mac and Linux. An automated management console enables centralized deployment, updating, and reporting. To find out more about Sophos products and how to evaluate them, please visit Boston, USA Oxford, UK Copyright Sophos. All registered trademarks and copyrights are understood and recognized by Sophos. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means without the prior written permission of the publishers.