Going “rogue” is often characterized as being a renegade: “no longer obedient, belonging or accepted, and hence not controllable or answerable.”
When is software rogue? In today’s fast-paced world of data, software that’s gone rogue can run the gamut from unapproved software introduced from BYOD (Bring Your Own Device) policies to an approved operating system on a server that has passed its end-of-life (EOL) or end-of-support (EOS) dates.
Why does it matter? Being rogue, the software runs unbeknownst throughout your systems, creating possible security vulnerabilities for the entire organization. The vulnerability can lead to cyberattacks, unauthorized access, security breaches and more.
More and more employees are bringing their own personal devices to work, but many companies still don’t have formal BYOD programs or policies in place. In a recent BDNA survey study, 26.6% of those surveyed admitted their organization had no BYOD policy. Personal mobile phones are the most common, but personal laptops and tablets have become almost as common.
While enterprises that allow BYOD devices have experienced reduced IT costs and increased employee productivity, there are downsides. The most fundamental issue is that the company doesn’t own the device, and therefore has little to no control over the software deployed on the device. This opens a real potential for security risks because IT has suddenly opened the door of having to deal with a plethora of devices, configurations, applications, software versions and more.
Added to that complexity are additional exposures, such as cookies and viruses on the device that may even infiltrate the device unbeknownst to the owner, without any security checks in place. In essence, the software runs rogue within an organization through its introduction into the environment through a BYOD effort. In the same BDNA survey, respondents stated that data leaks were the biggest BYOD concern for their organization.
A personal device asset management strategy can help with challenges such as deciding which devices to support, whether to allow employees to choose and bring their own devices into work, and how to handle security vulnerabilities potentially introduced through personal devices. It also allows companies to compartmentalize personal and corporate data through the use of data containers, making the wipe of corporate data easily executed. Within discovery and asset management tools, the IT department has visibility on when, how long and how many times an application on a personal device has been used. Inventory is a core part of any strong security solution, not only because it provides visibility, but also because it can help identify software that’s gone rogue or unauthorized devices with ease.
Asset management enables a company to unify data silos and improve efficiencies across the enterprise. It reduces compliance risk and drive corporate standards. It enables a company to drive strong IT business alignment, providing better IT service management, greater transparency into IT spend and more. Companies benefit from an asset management solution because it enables them to learn, reconcile and analyze the personal device data as well.
Asset management tools are a vital component of any enterprise IT BYOD management strategy because they provide a global view of IT architecture, whether fixed or personal, and a detailed, up-to-date analysis of hardware and software assets. Automated approaches enable the more frequent checks required.
For many organizations, IT asset management is beginning to overlap with data security processes because the looming consequences of not managing end-of-life (EOL) software are too great to ignore. In the event the software becomes obsolete, it becomes a magnet for hackers looking for vulnerabilities. In the same survey looking at BYOD trends, BDNA discovered that 51.6% of organizations do not have a process for handling EOL software. In fact, software vulnerabilities in commercial products are the biggest source of data breaches in the enterprise. Not managing end-of-life of enterprise applications has major implications on enterprise security, compliance, cost of support and the availability to maintain critical processes.
The challenge is that technology vendors don’t always diligently publish the EOL dates for all of the software they sell, leaving IT teams to their own devices. IT teams are tasked to manage their own software assets and plan their application portfolio efficiently to retire applications in a timely manner.
In one organization with more than 550,000 software installations, 56 percent of their software was found to be EOL, posing a very high security risk. More than 6,350 instances of the software installed had come to EOL more than 14 years before and included applications from Microsoft, SAP, IBM, Symantec and more.
This is where asset management tools that automatically provide visibility into the entire asset lifecycle, including EOL dates for application software, become extremely useful. Such tools go beyond providing visibility into IT networks because they are able to analyze the database and alert IT managers about what assets are end-of-life, nearing end-of-life, approved and unapproved and/or out of configuration. This increased awareness allows organizations to not only be proactive about their security needs, but also enables them to leverage their data more effectively.
While EOL software poses a difficult challenge to an organization, end-of-support (EOS) software can create an even more difficult scenario because it is often more difficult to track. EOS means the vendor has chosen to no longer support a specific software version with the release of subsequent versions. Typically, vendors often cease support of previous versions of their products when they introduce a new version. Vendors often make determining EOS dates more difficult to find than corresponding EOL dates. Sometimes the announcements are subtle with the announcement of a new release. The EOS software now becomes a haven for hackers to exploit the software, knowing the vendor no longer supports it and offers no protection to the user.
Asset management tools are the saving grace in helping organizations determine their security vulnerability from EOS software. Using asset management tools armed with EOS information, the organization’s software assets can be regularly checked for EOS, and when detected, action can be taken. EOS software can run rogue in an environment for any length of time if there isn’t a systematic approach for determining whether it exists.
While visibility and having a reliable asset management practice in place are key to finding the software running in your environment, assessing the real vulnerability of your software itself becomes an additional crucial step. The ability for IT managers to be able to identify risks and vulnerabilities of the software running within their environment is key in aligning their Governance, Risk and Compliance (GRC) standards across products to make timely decisions about what to install, patch or disable.
Unverified software in your environment can be highly vulnerable to security threats. The National Institute for Standards & Technology (NIST) supports the measurements of the smallest of technologies to the largest and most complex of human-made creations. NIST manages the National Vulnerability Database (NVD), a repository of standards based vulnerability data that enables automation of vulnerability management, security measurement, and compliance.
Common Platform Enumeration (CPE) is a standardized way to name software applications, operating systems, and hardware platforms. CPE combines a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements. CPE is used to correlate a product to a Common Vulnerabilities and Exposures (CVE) level. The CVE level is specifically called the Common Vulnerability Scoring System (CVSS), which scores the vulnerability (or CVE) on a scale of one to ten, in the way of risk. A software product with a high CVE level (9 or 10) is considered highly vulnerable to security threats, while a lower score (1 or 2) indicates a lower vulnerability risk.
Organizations can analyze software and hardware assets for security vulnerabilities or exposures using the CVE dictionary, referring to assets by the unique CPE identifier. A solid asset inventory management tool that includes the CPE correlation to a product and the corresponding CVE level are useful for an organization to understand its total security risk.
In the organization mentioned previously with more than 550,000 software installations, the team discovered that more than 100,000 of their software installs had a CVE level of “9” or “10,” the highest possible security vulnerability scores derived as part of the CVSS. The results demonstrated that the organization was highly vulnerable for a cybersecurity attack or security breach.
Identifying Your Risk
Identifying your risk is the first step in eliminating security concerns. The key component to identifying the potential security risk involved with software that’s gone rogue begins with having visibility of your asset inventory. Visibility of your asset inventory enables an organization to identify its security risk and vulnerabilities:
- An automated discovery approach gives you an up-to-date view of asset data easily and drastically reduces the effort of managing assets.
- Asset inventory management tools that provide visibility into EOL dates are extremely useful because vendors are not diligent in proactively providing that information.
- Asset inventory management tools that include EOS information help resolve EOS software security challenges.
- Assessing the security vulnerability of installed software is crucial in aligning Governance, Risk and Compliance (GRC) standards.
Stay ahead of the game, and leverage your asset inventory management system to find the software that has gone rogue in your environment.
Cathy Won, Senior Director of Product Marketing, BDNA
Image Credit: ESB Professional / Shutterstock