Application Vulnerabilities: Protecting Your Network from a Growing Threat
May 11, 2012
Every year, thousands of new Common Vulnerabilities and Exposures (CVEs) are discovered and reported, any one of which could expose your systems to remote access, denial of service, and other attacks. Keeping your systems secure in the face of this threat can be a daunting task. Understanding current trends in the industry will help to ensure that your company stays on top of it.
The Shift to Applications
Security administrators often associate technical security with operating systems; however, this ignores an important part of the problem. Since 2005, operating system security flaws have represented a steadily decreasing percentage of reported CVEs. Although there continue to be CVEs discovered in operating systems, most businesses today have fairly effective processes for operating system patch management. In response, hackers have discovered an appealing new target: end-user applications.
The continued increase in reported CVEs is due almost entirely to end-user applications, such as Internet Explorer, Flash Player, Excel, Java, and Firefox, which are often overlooked by company security procedures. In 2010, application vulnerabilities are projected to comprise over 75% of all reported CVEs. Additionally, third-party applications (i.e., software not developed by the operating system vendor) account for the great majority of application CVEs.
Security flaws in installed applications present as much risk to computer systems as security flaws in the underlying operating system. End-users running vulnerable software can easily open themselves to an exploit by opening a malicious document or even browsing to an unsafe webpage.
Managing application patches, especially for third-party applications, can be much more difficult than managing operating system patches. Most operating systems include free, effective tools for updating patch levels, and this often includes other software developed by the same vendor. For example, Microsoft provides Windows Server Update Services (WSUS) to update both Windows and its Office, Internet Explorer, and .NET software. However, these solutions do not cover third-party applications, such as Adobe Reader or Sun Java.
As a result, most organizations find that third-party applications are the culprits for the bulk of their vulnerabilities. Hackers are well aware of this fact.
How to Protect Yourself
A comprehensive security posture designed to protect against these technical vulnerabilities should include the following elements:
- Unified patch management: Although it is possible to install third-party patches manually, this process quickly becomes overwhelming and unreliable. Fortunately, there are unified patch management utilities available that can centralize and automate the patch deployment process. These solutions cover operating system and application patches from most major vendors, and can manage both servers and user workstations.
- Removal of unnecessary software: Whenever possible, the most effective solution is to simply remove any software that is not required on your computer systems.
- Security awareness training: Proactively alert your users to the dangers of malicious files and websites that may exploit any unpatched vulnerabilities. Web access filtering will also reduce your exposure.
- Vulnerability monitoring: Periodic vulnerability scans – both internal and external – can identify any patching exceptions and resulting vulnerabilities in your environment. This allows you to remediate any problems that may be found and to evaluate the overall effectiveness of your patch management process.
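As an added illustration of the vulnerability-monitoring and software-removal steps above (example code written for this page, not a tool from the article), the script below audits a constructed software inventory against a minimum-version baseline and a list of required applications, and separates findings into software to remove, Microsoft software WSUS should have patched, and third-party software the unified patch tool must cover. Host names, vendors, and version numbers are all made up.

```python
# Added example (not from the article): a patching-exception audit over a
# constructed software inventory, the kind of check a periodic vulnerability
# scan would feed. Version strings are assumed to be dotted numerics.
from collections import namedtuple

OS_VENDOR = "Microsoft"  # assumption: WSUS covers this vendor's software
App = namedtuple("App", "host vendor name version")

def parse_version(text):
    """'1.5.2' -> (1, 5, 2); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def version_lt(installed, minimum):
    """Dotted-version compare: 3.0 < 3.0.1, while 2.0 equals 2.0.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(inventory, baseline, required):
    """Return (host, app, finding) for software to remove or to patch."""
    findings = []
    for app in inventory:
        if app.name not in required:
            findings.append((app.host, app.name, "not required: remove"))
            continue
        minimum = baseline.get(app.name)
        if minimum and version_lt(app.version, minimum):
            # OS-vendor software is WSUS's job; everything else needs the
            # unified patch tool (or removal).
            channel = "WSUS" if app.vendor == OS_VENDOR else "third-party tool"
            findings.append((app.host, app.name,
                             f"below baseline {minimum} (patch via {channel})"))
    return findings

# Constructed sample data: names follow the article, versions are made up.
INVENTORY = [
    App("ws01", "Microsoft", "Office", "2.0.0"),
    App("ws01", "Adobe", "Reader", "1.4.0"),
    App("ws01", "Oracle", "Java", "3.0"),
    App("ws02", "Microsoft", "Office", "1.9.0"),
    App("ws02", "Adobe", "Reader", "1.5.2"),
    App("ws02", "Oracle", "Java", "3.0.1"),
    App("ws02", "Example Corp", "LegacyViewer", "2.0"),
]
BASELINE = {"Office": "2.0.0", "Reader": "1.5.2", "Java": "3.0.1"}
REQUIRED = {"Office", "Reader", "Java"}

def run_audit():
    return audit(INVENTORY, BASELINE, REQUIRED)
```

Running `run_audit()` on the sample data yields four findings: two third-party applications and one Microsoft application below baseline, plus one unrequired application flagged for removal.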
The hackers aren’t resting and neither can your organization. Establishing controls to protect your organization from the growing threat associated with third-party applications will help to ensure that your systems remain secure.
To discuss what vulnerabilities you may be missing and how to catch them in the future, contact Ryan Rodrigue at firstname.lastname@example.org or 617-981-9837.
Visit the IT Assurance & Security page of our website to learn more about our services.