Unauthorized software can be a big problem for some companies. Attackers are constantly looking for vulnerable targets to hack by tricking users into downloading malicious files. Unauthorized software increases the risk of outsiders gaining access to sensitive data. Any software that is not authorized is likely managed without proper patching, updates, configurations, and security protocols. Without the knowledge of agency software, IT managers cannot fully protect their data and information.
The Department of Homeland Security included Software Asset Management (SWAM) is in phase one of its Continuous Diagnostic and Mitigation (CDM) program to put more focus on the problem of unauthorized software. The objective of SWAM is to give IT administrators visibility into the software installed and used on their network. By gaining visibility they can remove and manage any potentially harmful software.
Application whitelisting is a key component of CDM SWAM and allows only what has been approved to execute, while blocking all other software by default. It must be implemented effectively or it can carry significant maintenance and usability implications.
Seven key guidelines to prevent unauthorized software:
1. Catch it at the beginning.
The first step is to prevent unauthorized software from even entering your network. Agencies should have specific groups who are responsible for obtaining, testing, approving, deploying, and maintaining software so that end users cannot obtain it from external sources. Unauthorized software is often found in email, on the web, and in removable media. Security teams can block files with extensions of known harmful files (.exe, .msi, .bin) along with mime types via existing email and web gateway technologies. Practices like application whitelisting can block known extensions and file types entirely if not authorized. This may stop some attackers but determined individuals will use alternative methods to get past these roadblocks.
2. Don’t forget active content and browser extensions.
A whitelisted application can still be attacked via ActiveX controls, java, and browser extensions. Active content can also be installed without knowledge of the user by just browsing the internet. Unauthorized software installation can be prevented by enforcing local browser/client settings or blocking known harmful network requests at perimeter security gateways.
3. Keep administrative privileges at a minimum.
Access to administrative privileges could lead to running installation packages and installing malicious, unknown software. Administrative access allows users to change system configurations to hide their activity and hide the use of dangerous files. Keeping administrative privileges to a minimum allows easier maintenance and knowledge of who is downloading files and where they are coming from.
4.Use the Audit/Monitor Mode.
For large agencies it could take months or years to get a complete list of authorized software. However, most whitelisting applications offer an “audit” or “monitor” mode to provide visibility of what software is being used throughout the organization. The audit/monitor function can help determine which applications should and should not be permitted.
5. Create a baseline.
Achieving effective whitelisting across a large agency can take a lot of time. Create a “temporary whitelist” with the current authorized software. This baseline can be used to ensure no additional software is permitted into the network while current software is being assessed.
6. Keep Stakeholders in the loop.
It is important for stakeholders to be aware of unauthorized applications because of the potential blocking of certain business processes. Problems can arise as applications that were previously permitted are now being blocked. Having a clear communication plan can prevent anger and frustration among stakeholders and make it clear which applications are approved, and which are not.
7. Prepare for emergency requests.
Whitelisting can take a long time and some applications that have yet to be approved may be required for a critical and time-sensitive case. Emergency “firecall” accounts and processes can be established to ensure the temporary authorization of these processes. Being prepared for a situation like this can save time and could be crucial for an emergency case.
Following these recommendations can help an agency monitor their network and prevent harmful software from entering. Each agency is different and not one practice fit all. It is important to create a plan tailored to your company so unauthorized processes cannot wreak havoc on your software.
CCNY Tech has been in business since 1988 and has built many long term relationships with companies, universities and other organizations by providing great value and outstanding customer service. Call CCNY Tech at 1-800-566-4786 or fill out the Contact Us form to learn how we can improve your IT requirements.