Many midmarket patch management programs fail to address an area of security that is often ignored: endpoint application security. When I've performed security assessments, for example, it's not unusual for a client to say, "Of course we patch our systems, we use Microsoft WSUS." Similarly, when people talk about vulnerability scanning, they often only consider network-based applications, such as Web servers, FTP servers, and the network components of the operating system. Ultimately, both of these approaches are incomplete.
I mention these examples to show how a critical element of system security can easily be overlooked -- the applications run on the organization's client computers, which are most often installed by users. In this tip, we'll discuss why it's important to focus on endpoint application security and how to take steps to do just that.
On any given day, there may be hundreds of endpoint application security vulnerabilities that need to be patched. Take a look at vulnerability clearinghouse sites like BugTraq to see all of the applications with vulnerabilities that could be in your environment and ask how often those applications have been patched in your environment. In November 2010 alone, Microsoft fixed two vulnerabilities in Microsoft Office that allowed for remote code execution upon receipt of a malicious Office document.
As another example, let's consider a recent vulnerability in Adobe Flash Player. In late October 2010, threat researchers identified malware "in the wild" exploiting this vulnerability. One documented example of this malware spread through a PDF attachment in an email designed to look like a news release from USAJobs.com. When the PDF was opened with Adobe Reader the malware would be executed on that computer. Adobe released a security advisory about this vulnerability, which affected Flash Player, Reader and Acrobat. This was what is commonly referred to as a "zero-day" vulnerability in that it was not publically known and a protective security patch was not available beforehand. (Adobe released a security advisory to correct this problem on November 4th, 2010.)
The point of these examples is to illustrate that vulnerabilities in end-user applications are common and can result in system compromise. Even though some applications, such as Adobe Flash, will indicate a new version is available, a user may neglect to perform that update or the update may fail. When our patch and vulnerability management strategies fail to adequately assess and protect those applications, we are leaving our network vulnerable to attack.
Steps for improving endpoint application security
With that in mind, here are some initial questions to ask yourself in order to start the process of improving the endpoint application security posture of machines in your organization:
- Are my applications now patched? Most Adobe products will auto-update, but have they?
First, it's important to know your network landscape. As a security practitioner and/or system administrator, you need to a href="https://searchmidmarketsecurity.techtarget.com/tip/Network-security-begins-with-device-discovery-and-assessment">know what you must protect because it is your battleground. This knowledge must include the applications installed on desktops (and servers) across your organization. There are several ways to accomplish this. You can use inventory/management software, such as that offered by Microsoft, IBM BigFix, Lumension Security Inc. and numerous others. Additionally, you can use network-based vulnerability assessment tools in an authenticated scan mode, which allows the scanning tool to interact with the client operating systems and collect far more data than in a standard unauthenticated scan. Vulnerability scanners from vendors including Microsoft (MBSA), Tenable Network Security Inc. (Nessus), Qualys Inc. and Rapid7 LLC all support this type of data collection.
- Have any users been compromised and did antivirus detect and stop the resulting malware, or have infections spread?
Second, how can you know if a user was compromised? If we assume the only vector used was email (and it probably wasn't), you could use email gateway logs to look for suspicious PDFs. That is likely to require a lot of effort and still won't be particularly conclusive. Chances are you won't be able to determine if your organization was exploited by an attack. Instead, reassess the operational state of your antivirus deployment: Is it deployed to 100% of user workstations? Are 100% of the antivirus clients regularly updating? Which malware has been detected recently? You could look for antivirus warning signs, such as any computers that "clean" the same malware repeatedly (which means they are not actually cleaned.) Most antivirus products indicate the action taken by the antivirus product when malware has been found; is it ever showing "left alone" or "no action taken?" If you see any of these warning signs, an endpoint has been compromised by something. Additionally, you can look at Web proxy and firewall logs to identify any users making suspicious Internet connections. Many proxies will categorize traffic; examine these logs for visits to known malware and botnet sites.
- How could I have prevented this exploit from working and how can I stop others in the future?
Third, what compensating endpoint application security controls could protect against an exploit of an end-user application vulnerability? Do your users have local administrative access? Generally speaking, users shouldn't be given administrator-level access unless it is absolutely necessary, although this is a common practice. Removing administrative access is often politically difficult, as it may force business process changes or cause end-user dissatisfaction, but it prevents malware infections and helps to ensure a more controlled IT environment. Have you enabled Data Execution Prevention or used Microsoft's EMET to protect the operating system and common applications, including Adobe, from common attack techniques? Although I do not know if an exploit against the Adobe vulnerability of late October would have been stopped by EMET, other Adobe exploits have been.
Lastly, it's highly advisable to restrict what applications users can install on their workstations to avoid Trojans, licensing issues and a variety of other time-consuming security headaches.
As the defense posture of operating systems improves, attackers have increased their focus on the applications end users commonly use. To keep your SMB secure, ensure your security controls compensate for the applications end users operate, even if those applications are not network-based (such as Acrobat and Office).
About the author:
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.