8 ways to reduce unauthorized software


Unauthorized software not only increases the attack surface for adversaries, but it also hampers IT managers’ ability to fully secure their assets. Here are eight ways to get unauthorized software under control.

Attackers looking to gain access to government systems and networks are constantly scanning targets for vulnerable software and initiating campaigns to trick users into downloading and executing malicious files.

Unauthorized software increases the attack surface for adversaries, because any software that is not authorized is likely unmanaged, without proper patching, updates and configurations. Moreover, IT managers with incomplete knowledge of their agency’s software cannot fully secure their assets. Unfortunately, preventing and identifying unauthorized software in large government networks is often a formidable challenge. 

To help put the appropriate focus and resources on this challenge, the Department of Homeland Security included Software Asset Management (SWAM) in phase one of its Continuous Diagnostics and Mitigation (CDM) program. SWAM is one of four main capabilities of the CDM program, and its objective is to give IT administrators visibility into the software and operating systems installed on a network so that they can manage authorized software and remove unauthorized software.

The goal is easy to describe but much more difficult to make a reality in a large agency where other sub-organizations may be responsible for diverse assets across the enterprise and where various business units have very different requirements for software. However, not every system needs the same level of control. IT managers should start by assessing the sensitivity of their business systems and unit functions, which will make it possible to craft a policy that is appropriate to the risk.

A key component of CDM SWAM – application whitelisting – allows only what has been explicitly authorized to execute while blocking all other software by default. It is an extremely valuable security control, but it carries significant maintenance and usability implications if not implemented effectively.

Following are eight key guidelines and recommendations that can make tackling the issue of unauthorized software much more manageable:

1. Nip it at the source.

While a robust application whitelisting capability should be the goal, a first step is to prevent unauthorized software from even entering the government environment in the first place. Agencies should have clearly defined groups or individuals who are responsible for obtaining, testing, approving, deploying and maintaining software so that end users cannot obtain software directly from external sources.

Primary sources for unauthorized software are email, web and removable media. Security teams with strong perimeter security controls can block files with extensions of known executables (.exe, .msi, .bin) along with mime types such as binary/octet-stream, application/octet-stream and application/x-msdownload via existing email and web gateway technologies (including inside compressed files). Host-based controls can similarly block known extensions and file types or block removable media entirely if not authorized in the environment.

This practice may eliminate some of the obvious targets and force attackers to give up or develop more expensive techniques. But determined individuals will use alternative methods (e.g., encryption) to get past file inspection capabilities.
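As an added illustration of the gateway-side filtering described above (not code from the article or any particular gateway product), the Python routine below applies the extension and MIME-type policy to an attachment, looks inside ZIP archives, and reports encrypted members it cannot inspect instead of passing them through. The "MZ" header check goes one step beyond the article's extension rules, and all sample inputs are constructed.

```python
import io
import zipfile

# Policy values from the guideline above (deliberately short lists).
BLOCKED_EXTENSIONS = {".exe", ".msi", ".bin"}
BLOCKED_MIME_TYPES = {"binary/octet-stream", "application/octet-stream",
                      "application/x-msdownload"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags marks an encrypted member

def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def inspect_attachment(filename, mime_type, data):
    """Return the policy reasons to block this file; an empty list means allow."""
    reasons = []
    if _ext(filename) in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {_ext(filename)}")
    if mime_type.lower() in BLOCKED_MIME_TYPES:
        reasons.append(f"blocked MIME type {mime_type}")
    # Content check added here (not in the article): a Windows executable starts
    # with "MZ" no matter what extension or MIME type the sender gave it.
    if data[:2] == b"MZ":
        reasons.append("content is a Windows PE executable")
    # Look inside compressed files as the article recommends. An encrypted member
    # cannot be inspected, which is the bypass the article warns about, so it is
    # reported rather than silently allowed.
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & ENCRYPTED_FLAG:
                        reasons.append(f"encrypted archive member {info.filename}")
                    elif _ext(info.filename) in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive member {info.filename} has blocked extension")
        except zipfile.BadZipFile:
            reasons.append("archive could not be parsed")
    return reasons

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A gateway would quarantine anything with a non-empty result; the text of each reason is what the security team sees in the log.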

2. Don’t forget active content and browser extensions.

Application whitelisting at the client level can be very effective to prevent stand-alone malicious programs from executing on the host. However, many whitelisting tools cannot effectively prevent the execution of active content or capabilities of browser extensions or add-ons.

For example, a whitelisted browser still provides a rich environment for potential attacks and the execution of malicious mobile content via ActiveX controls, Java and browser extensions. Active content is also often executed when simply browsing the Internet and can be installed without the knowledge of the end user. Active content and extensions can be limited by enforcing local browser/client settings or by blocking the associated network requests for such content at perimeter security gateways.

3. Minimize administrative privileges.

End users on government workstations should never be operating with administrative privileges by default and should not even have an option to elevate themselves to administrators unless required and properly audited. Without administrative privileges, users can be prevented from running software installation packages or executing other binary content requiring registry modifications or other privileged actions.

Access to administrative privileges allows adversaries to install malicious software, change system configurations to hide their activities and more easily exfiltrate data. Potential damage of a system compromise is directly proportional to the level of user privilege obtained on the system, and adversaries with administrative privileges have everything they need.

4. Use audit/monitor mode.

Depending on the size of an agency, it could take months or even years to get to a complete, current and manageable whitelist of approved software. However, most application whitelisting tools offer “audit” or “monitor” modes that provide logging and visibility of what software is being executed throughout the organization. The audit/monitor mode can be used to determine which applications should and should not be permitted. It also facilitates tuning of the associated policies before application execution is actually blocked. This capability lets IT managers see the potential impact of application whitelisting and should be used to set expectations throughout an agency to minimize negative impacts.

5. Draw a line in the sand.

As noted above, achieving effective application whitelisting across a large agency is neither trivial nor quick. Compiling a list of all the applications permitted within the enterprise from day one of the production capability is often not feasible. Instead, consider drawing a line in the sand with the current footprint of executable software. Essentially serving as a “temporary whitelist,” this baseline can be used to ensure no additional software is permitted into the enterprise while the current software is being assessed.
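Items 4 and 5 together describe one workflow: log what runs while in audit mode, snapshot the current executable footprint as a temporary whitelist, and review everything that falls outside it. The Python below is an added example (not from the article or any CDM tool) that does exactly that with constructed baseline hashes and constructed audit events; the CSV event format and the hash-of-placeholder-bytes values are assumptions made for the example.

```python
import csv
import hashlib
import io
from collections import defaultdict

def sha256_hex(content):
    return hashlib.sha256(content).hexdigest()

# Constructed data: the hashes are of placeholder bytes, not of real files.
WORD = sha256_hex(b"placeholder-winword")
CHROME = sha256_hex(b"placeholder-chrome")
TOOL = sha256_hex(b"placeholder-downloaded-tool")
REPLACED = sha256_hex(b"placeholder-winword-replaced-in-place")

# The "line in the sand": hash -> path of every executable found when the baseline was taken.
BASELINE = {WORD: r"C:\Program Files\Office\WINWORD.EXE",
            CHROME: r"C:\Program Files\Google\Chrome\chrome.exe"}

# Constructed audit-mode events (nothing blocked) as CSV: time,host,user,path,sha256
AUDIT_LOG = "time,host,user,path,sha256\n" + "\n".join([
    "2023-04-01T09:01:00,WS-0101,alice,C:\\Program Files\\Office\\WINWORD.EXE," + WORD,
    "2023-04-01T09:05:00,WS-0101,alice,C:\\Users\\alice\\Downloads\\tool.exe," + TOOL,
    "2023-04-01T09:07:00,WS-0102,bob,C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe," + TOOL,
    "2023-04-01T09:10:00,WS-0103,carol,C:\\Program Files\\Google\\Chrome\\chrome.exe," + CHROME,
    "2023-04-01T09:12:00,WS-0103,carol,C:\\Program Files\\Office\\WINWORD.EXE," + REPLACED,
])

def review_audit_log(baseline, log_text):
    """Return (hits, unknown): hits maps baseline hash -> run count; unknown maps
    each non-baseline hash -> {"paths", "hosts", "runs"}. Matching is on hash, not
    path, so a binary replaced in place (same path, new hash) is flagged too."""
    hits = defaultdict(int)
    unknown = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        digest = row["sha256"].lower()
        if digest in baseline:
            hits[digest] += 1
            continue
        entry = unknown.setdefault(digest, {"paths": set(), "hosts": set(), "runs": 0})
        entry["paths"].add(row["path"])
        entry["hosts"].add(row["host"])
        entry["runs"] += 1
    return dict(hits), unknown

def prioritize(unknown):
    """Order non-baseline binaries by spread (hosts) then volume (runs) for review."""
    return sorted(unknown.items(), key=lambda kv: (-len(kv[1]["hosts"]), -kv[1]["runs"]))
```

The review list is what the whitelisting team works through: each entry is either approved (added to the baseline) or left blocked when enforcement is switched on.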

6. Confirm senior leadership support.

Application whitelisting means that any software currently in use but not approved will be prevented from executing, and any business processes dependent on such software will also be disrupted. Therefore, full support from senior leadership is critical to make sure efforts to address unauthorized software continue while also forcing non-compliant business unit applications and processes to take appropriate remedial actions.

7. Engage stakeholders early.

Because of the potential for stopping certain business processes from functioning, it is critical to identify all stakeholders and engage them early and often. Any actions that result in the blocking of some application or other communication previously permitted will almost certainly result in complaints or escalations if stakeholders were not engaged and given advance notice. A robust communications plan will help ensure stakeholders understand and support the efforts and are not surprised by any results.

8. Prepare for emergency requests.

Good planning and communications go a long way, but there will always be exceptions where someone did not or could not plan appropriately, requiring execution of an unapproved application for a critical and time-sensitive business need. A detailed plan is needed for such situations but this can vary depending on the level of senior leadership support and risk tolerance for an organization.

Although the team responsible for maintaining an application whitelist should generally be engaged – even for emergency requests during non-business hours – resource constraints may limit this option. As an alternative, emergency firecall accounts and processes could be established to allow help desk or other personnel to provide temporary support of emergency requests if the risk to the agency is acceptable.

Following these recommendations should help agencies gain control of unauthorized software and realize the substantial benefits of an environment where malicious or unauthorized binaries are no longer able to wreak havoc. Particularly in large government environments, it is imperative to keep in mind that the details to address this issue within each organization are unique. One size does not fit all, and appropriate approaches and timelines can vary significantly based on organizational structures, maturity, existing processes and risk tolerance.
