The gap between software patched by IT departments and the applications cyber-criminals actually target is leaving organisations at a greater risk of attack. And despite system administrators' efforts to keep Microsoft-supplied packages up to date, non-Redmond software is almost exclusively responsible for the growth in …
RE: Stefan Frei, research analyst director.
Can you confirm the author has met said analyst, and it isn't just a lazy attempt at pseudonym.
If that's the same
Stefan Frei who officiates on that quiz show, I think I'd like a second opinion -- he's great at what he does but he did once say that rockets run on aerodynamic lift...
"Stefan Frei (born 20 April 1986 in Altstätten) is a Swiss footballer who currently plays for Toronto FC in Major League Soccer."
Probably not the same one, and it's barely possible that Stefan's parents are fans of the 1981 Cambridge Footlights Revue, or later work such as "Happy Families" written by Ben Elton, in which Stephen Fry played the extraordinary family doctor.
Did you write "How to win friends and influence people"?
What Corporations Should Do
The course of action should be
A) fully and quickly patching all installed applications.
B) openly punishing vendors of insecure stuff (such as Adobe) by uninstalling their wares and telling them of that.
Currently, Adobe is doing extremely well despite the fact that they are a major risk to spearphishing. Apparently nobody cares to act on their neglicience.
One thing you don't want to do as a corporation is roll out untested patches to applications. You could, potentially, end up causing a problem that requires hundreds (if not thousands) of PCs to be fixed.
If (as we do where I work) you support a lot of applications on a lot of PCs, you could also break one or more of the other apps, if they happen to rely on a system setting or file that the patch changes.
So, you have to balance the risk (and potential cost) of one or more security breaches against the risk of patching all your machines and cost of testing and installing that patch.
Of course, any halfway decent corporate networking/it dept will have all their mission critical systems hidden behind a decent firewall, which mitigates the threat of not installing patches somewhat (but not totally).
A firewall really does not mitigates these threats. If a user's PC is attempting to pass traffic out from the network through the firewall they will nearly always allow the traffic through. I suggest you google Spearphising and rethink your assertion.
Rethink the threats
If you think that your firewall is protecting you against unpatched acrobat or other end points you are mis-understanding the threat.
If you answer yes to the following you are at risk :-
1) Users have email access that allows them to receive email from outside of your organisation
2) Same users have internet access.
Spearfisher sends a well crafted email with a payload in an adobe file. End user opens it and Roberts your fathers brother, host is compromised, from the inside. Now you've got a whole word of pain in your trusted un-patched inner sanctum.
The hackers don't give a rats arse about hacking the mission critical stuff directly when they can compromise a badly patched endpoint that has authorised access to the mission critical system. job done.
Patching is expensive, of that there is no doubt. Misunderstanding what to patch and the relevance of firewalls in certain situations is priceless though.
Paragraph 1: A+
Paragraph 2: A+
Paragraph 3: A
Paragraph 4: D-
Firewalls offer some protection, but despite all the good points in paragraphs 1 to 3, the only way to protect the network is to prioritize the testing and deployment of patches while keeping the firewall, AV, and anti-malware stuff up to date. Having a good and properly patched proxy server/cluster in the mix would probably help too, but being as I've never worked the help desk anywhere that has one, I can't speak to its efficacy from experience.
Re: What Corporations Should Do
Their course of action should be:
A) Assess impact of bug.
B) Book test platform.
C) Install patch on test platform.
D) Test patch
E) Devise rollout plan for patch which should include:
1) Success criteria
2) Fail criteria
3) Rollback plan
4) Latest time at which rollback can be initiated.
F) Raise Change Request for affected platform.
G) Implement Change Request.
H) Assess success/failure of CR
Re: Re: What Corporations Should Do
Four months later.....
Re: Re: Re: What Corporations Should Do
...the next batch of patches has been released and all your resources are dedicated to checking the previous lot.
Re: @Stuart: Grades
This is actually what we do, and, TBH, I would always recommend up to date security systems, be they AV, Anti Malware or Firewalls.
I also realise that a firewall isn't a total solution, and I have not pretended it is (hence I used the word "mitigate" rather than "remove"), but most companies would want to weigh the cost of testing and patching against the cost of the possible consequences of not patching.
But I was trying to make the point that as a corporate IT person, you don't want to roll out untested patches.
From my own experience the main things that hold back upgrading software in an enterprise environment are testing and management. The testing takes too long and often not enough is known about what software is out there or how it reacts. For example my old company, the largest bank in the country, were still running Java 1.4 on several machines and 1.5 was the norm. To upgrade all the desktops to 1.6 and the latest revision takes so much regression testing and the windows are so large that by the time you have everything ready for upgrade you're 3 revisions behind.
Then there's the inadequate testing from vendors themselves. Adobe Reader X for example, an application that had previously just been a package and drop app with little or no testing suddenly broke over 1500 desktops when we deployed it and had to roll back to 9.4 (or whatever). And those are just 2 examples. Vendors need to test better and release code which is in a fit state and doesn't need patched every 2 days and they could help companies by providing more details of a change log and what testing will be required.
It's an opportunistic world...
...in which nobody, including vendors, *have* to do anything. Neither does a sysadmin.
If you don't like a particular vendor's approach to testing, you're free to choose another.
If an organisation doesn't like updating software as patches become available, it *has* to deal with broken desktops.
It's really that simple.
If an organisation wants to do the right thing, it will. If a sysadmin is frustrated because his hands are tied by an organisation not interested in doign the right thing, then he has the opportunity to:
a). Shine by devising a patch strategy, taking that as far up the chain as he can to get a result
b). Go and work somewhere else
c). Change career path to something less frustrating
d). Accept things as they are.
I'll break it down to you real simple like
Oracle (databases, java, etc.) and Adobe (you name it)
Some of the biggest headaches security groups in organisations face.
Why would anyone have the Adobe PDF Reader bloatware on their machine?
As artwork is often done in Adobe software. When emailed to my users they need to be 100% positive that it's perfect. Not a shade different, not a jaggered edge, not a millimeter different that the original.
As good as other 3rd party software is, and as much as I truly hate Adobe and their flakey, swiss cheese impersonating software - we are a service provider to the business, not the people that can outlaw software just because we think it's a bit shit.
For the same reason 90% of business and government run Windows: it's the accepted means of interchange amongst the largest number of businesses.
So, why to whine about these problems? Choosing MS Windows ensue so many problems and inconveniences. On my GNU/Linux systems I have no problem with "the accepted means of interchange." My pdf readers evince,xpdf,kpdf/okular and emacs doc-view perform much better than the Adobe's own reader. Evince, okular and doc-view can handle more formats than the latter, like dvi, djvu, ps. And, more importantly, no problem of untracked patching exists. Repositories are maintained by the professionals, notifications and upgrades get available almost right away.
Re: poor businesses
Okular is safe as houses in corporate environments. As soon as anyone uses out for meaningful quantities of printing they find out what a piece of shit it is. Evince is slightly better.
To me, the only thing windows really got right was printing.
printing is not viewing
And what is wrong with the non-Windows printing? Isn't it the CUPS' (lp, lpr compatible), drivers and ghostscript's jobs?
Spoken like someone who hasn't ever actually done anything than print from a locally attached printer on his desk.
Printing is really, really complex - I ran a project to replace all the printers at a FTSE100 UK financial company with centrilised MFDs. It was a complete nightmare and that was with officially supported software and hardware - CUPS just didn't cut it, it was way too flaky, probably a driver issue, but nontheless the machines we were using made the cost of serving from Windows pail into insignificance, so wasn't an issue.
You're speaking like "having no clue" about the subject.
Firstly, the question was not CUPS as a server, but as client-side app. Moreover, It was whether one should blame a pdf reader for printing. Any *nix pdf reader uses CUPS for pdf2ps conversion, postscript language is then either understood by a postscript printer or translated to the language the printer understands through ghostscript and cups-raster. Thanks to the good part of Adobe, both postscript and pdf are open and well documented. Good drivers and foomatic area available and most printers are very good nowadays.
Secondly, you're as a Windie admin are making an elephant out of a mosquito. I had to manage some printing administration (along with other) at our University and cups behaves very well as both the client and the server. Problems and issues may arise, CUPS is a much better yet simpler system to work with.
Re: Re: poor businesses
> To me, the only thing windows really got right was printing.
If I had a £1 for every time I had to repeatedly empty the print spool (or is it even called a spool on NT.... a cue?) in windows.....
If you had £1 for every time you've had to restart something that you don't know what it's called? I'm guessing you'd have £1.
there was an alternative system, like an OS that had all the software packages within a some form of ...oh let's call it "a repository" which would allow you to update your desktops and servers in a planned manner having first gone through some sort of change control process first. Maybe where you could find alternatives like xPDF/Evince or OpenJDK, maybe where the underlying OS would be supported for 10 years with security backports, didn't demand hardware refreshes every 3 years, didn't seem to have problems with cruft requiring reinstallation and had proper privilege separation.
> implying that anything on Linux is invulnerable
I need a "barely suppressed laughter" icon.
linux desktops, what a brilliant idea
if only you could rely on the developers not to break working applications from one release to the next. If only the devs would keep the positions of config files in the same location and if only they would have consistent dependencies from one release to the next.
Desktop management hell
Linux servers on the other hand are brilliant things to work with.
i agree if you wanted to use fedora for your desktop but you just wouldn't in an enterprise environment .I have been happily using CentOS 5 (5.0 to 5.7, gotta update to stay safe) for *years* on the desktop (the conf files haven't changed location in all that time and it has all "just worked"), now migrating to CentOS 6 (6.2) and based on what is happening in fedora I am really looking forward to RHEL/CentOS 7 when it comes out the door.
We use CentOS because we can support it, for those without internal support RedHat will provide that.
Compared to being stuck on XP with no hope of upgrading either because of a lack of Win7 drivers for old hardware or the boxen being "too slow" - forklift upgrade...in this economic climate - I'll take linux on the desktop today.
Other than games i don't see why anyone would want to stay with windows.
If you have business apps that need XP then use your current licences to run an XP virtual machine and then at least your host OS will be update-able after XP goes EOL. After all Vt-x has been around since 2005.
Re: not necessarily
Slightly wrong. Some of the files have changed, but some of the change have been made by making the original file (probably in /etc) a link to the new configuration file. The other bastardization that's done is to add a new record type, which is a pointer to the new config file(s), and move all of the real configuration data into the new files.
@dogged - Almost invulnerable when managed by competent sysadmins
and way more manageable than Windows. Beside that, if I'm not mistaking, all those Adobe and flash player vulnerabilities affect only Windows. Now you go ahead and laugh if it pleases you.
Re: if only
I applaud you on your ability to miss the point so utterly and completely - well done.
The point is, any application is a threat vector. ANY application, regardless of OS.
So I shall continue to laugh at people who think "oh I'm on linux/OSX/whatever and therefore I am a) safe and b) MORALLY SUPERIOR to anyone on 'doze".
Because the real threat vector is those idiots. Stupidity is the largest possible threat to security.
@dogged: ride bene chi ride l'ultimo
Compared to MS Windows, Linux is really invulnerable. The issue we are commenting on is not present in the GNU/Linux and *BSD, unless users follow their "MS Windows habits"...
Re: @eulampios: e cazzata cosi
It is not and cannot be invulnerable. You're comparing a fortress which has been attacked and taken many time to one which has never been properly tested. NOT because it's clearly "better" in any way, merely because more obvious (and profitable) targets exist.
Re: @dogged: ride bene chi ride l'ultimo
It's nice that you keep supporting linux, but yet again you are wrong about Linux and Windows in the same comment. You then go on to suggest that you actually might see these issues in Linux, but it would be the fault of the user. Kind of like it is in Windows.
You also betray the mindset which will directly lead to systems you use being hacked - "It's not Windows, which is shit, It's Linux which is invulnerable!" will lead you to a level of complacency which may well result in your systems' downfall.
Re: if only
"if only there was an alternative system..."
One that is fast, stable, secure, has centralised development, is copyfree, comes with good documentation, has mature minded community support, and has variants which run well on both servers, desktops and laptops for the novice and pro alike?.. That would /have/ to be BSD then, eh? ;P
I really don't understand all the fuss and hype about Linux. (I am, of course, assuming that you were actually referring to Linux).
(Where's the Beastie icon?)
So, you extrapolate from the MS Windows experience. This extrapolation might not be true, don't you understand it. Once again, the security issue we are commenting on right now for Windows and Linux/BSD are very different worlds. One has central repos/ports. The other one lacks it. Period. Now continue with your extrapolations right from here.
It's nice that you keep telling me that I am wrong. My cowardly friend, can you please tell the article's author how wrong he is, since my conclusion was (partly) based on the mess Windows admins have to cope with.
I'd like to tell it in the 199th time that the level of possible vulnerabilities for MS WIndows and an average Linux distro are very different. Say, my intelligent mouse-clicking expert, I've never heard that the RedHat, FreeBSD foundation, Debian or Canonical security people would suggest to not click on the "bad" links, to not visit "dangerous" sites and so on. Linux or BSD admins do not complain about the lack of security fixes notifications. On the contrary, there's a competition between the distros on who sends them first -- for every package they maintain (\approx 30,000 in Debian)
Re: @the coward
"I'd like to tell it in the 199th time that the level of possible vulnerabilities for MS WIndows and an average Linux distro are very different. Say, my intelligent mouse-clicking expert, I've never heard that the RedHat, FreeBSD foundation, Debian or Canonical security people would suggest to not click on the "bad" links, to not visit "dangerous" sites and so on. "
No but you have no doubt heard recently about internet connected systems being hacked - cert authorities, cryptome, linux repositories etc - I guess they were all running Windows were they?
It's the meatsack that's the security issue in all cases. You know, a linux system with its security levels, modularity etc is only as safe as the admin made it. Bad admin, bad security. Windows (as in just the OS) security is pretty damn good these days.
Re: Re: @the coward
In any case, "just switch everything to linux" is a retarded idea.
Suppose you, with 10 years of experience in various linux flavours, are suddenly told everything is going Windows/Active Directory. Will you secure it well?
No. Because you don't know what you're doing.
The same is true for somebody who can design and implement a secure Active Directory forest - at least as secure as anything you can create. He can't just switch over to linux and magically make everything "better". And linux-based networks he puts together will be crap, just as any windows-based networks you put together will be crap.
Is it possible to create a secure Windows network and desktop? Absolutely. Try working some of the places I've worked, the military establishments, the defence ministries, the high finance houses. Windows has been evolved to sell into those houses.
All security is a trade-off against convenience. Those people don't care about convenience. and their networks are solid. Cold that be done with linux? Quite probably, yes. Should it be? Only if you want to spend far more than the cost-price of a Windows environment on retraining.
Could it be done _better_? Almost certainly not.
I did hear about infamous Windows running Diginotar, not sure what is used by the rest.
I also heard about the multitudinous victims of stuxnet, conficker etc.
When you install a GNU/Linux box, like Ubuntu, with the vanilla desktop setting, the only security measure you have to follow is get a powerful password, keep it in secure location, better in the head (I hear a lot of Windie admins and users enraged by this very "infeasible" task) and regularly follow the security updates notifications. It looks MUCH easier to me than "install a good AV, do not click on unknown web links, visit infected websites, open unidentified strange emails, insert "dirty" media, do not install from unknown sites etc"
Re: @AC: 14:56GMT
While I wouldn't laugh at Linux, you are actually right when you say that those who are arrogant enough to believe their systems are invulnerable purely because they are based on a particular OS.
Reminds me of a discussion that pops up from time to time on a forum I manage. We sometimes get users saying that because they have "properly" secured their systems and are careful about sites they visit and the emails they open, they don't need an AV installed.
While I agree that an AV slows down a system, my usual answer to them is to ask how they know their machines aren't infected.
Personally, I believe the only OS or software that is invulnerable is that which is installed on a machine that has good physical security around it, and is not connected in any way to the internet. Of course, such a beast is a rare thing now days..
Less Microsoft problems?
Yes but problems for other companies who write software for Microsoft's operating systems....
non-Redmond software responsible vulnerabilities?
"non-Redmond software is almost exclusively responsible for the growth in vulnerabilities .. if PCs are running older installations of Adobe Acrobat then systems can easily become compromised by targeted attack"
When an application makes a call to the API that results in a security breech, is this a vulnerability in the APP or the OS? For instance opening a PDF that makes a call to the API.
Re: OS or App?
If the API call results in an elevation of privileges, it is the OS's fault, fair and square, but the implications of the article are that 90% of attacks are not of this nature.
If it merely uses the current user's privileges to perform a malicious action, it is the App's fault. You can do quite a lot of damage without elevated privileges. All phishing attacks, for example, fall into this category and "emptying my bank account" is quite a lot of damage. Depending on network security, you might also be able to transmit company secrets to an IP address in Shanghai. (See the Nortel story.)
There is pattern though: all of these crippled apps somehow gravitate towards the good 'ol Redmond-made OS. Say nothing about the fact that a more secure Repo or appstore based mechanism to update and install software is still a wished-for luxury for the said OS.