Applications, virtualization, and devices:

Taking back control

Employees installing and using legitimate but unauthorized applications, such as Instant

Messaging, VoIP, games, virtualization software, and unapproved browsers are a real

and growing threat to business security and productivity. Removable storage media

and wireless protocols make the challenge of securing data even more complex. This

paper explains why it is important to control unauthorized applications and devices,

discusses the different approaches, and highlights how integrating this functionality

into malware protection is the simplest and most cost-effective solution.

Applications, virtualization, and devices: Taking back control

Applications, virtualization and devices:

Taking back control

The changing perspective

An evolving workforce, reared on Web 2.0 technologies, is bringing a different perspective to

how computers are used within an organization.

With a mindset that is highly tuned to sharing information and applications, and emailing and

messaging friends, the new "employee 2.0" is redefining how individuals interact with the internet and the IT environment as a whole. While the new internet technologies they are exploiting can bring business value in helping employees communicate, share files and work collaboratively online, they also pose a range of new threats.

Internet-enabled applications such as Instant

Messaging (IM), peer-to-peer (P2P) file-sharing applications and Voice over Internet Protocol (VoIP) services have been causing concern for some time.

A Sophos online poll asking IT administrators what kind of software applications they would like to prevent their users from being able to access and use shows that even by late 2006 they recognized the need to be able to exert more control and to prevent users from installing and using unwanted applications.

Today the problem is even more pressing.

While businesses have put in place systems and processes to defend against malware, these

defenses do not typically provide adequate protection against the new set of threats posed by today’s user behavior. Employees, many of whom have considerable IT knowledge and expertise, continue to introduce applications onto their desktops – very often simply to make the tools they work with more suited to their own idiosyncrasies – unaware of the associated potential risk.

Internet browsers

Many people are rejecting company-approved web browsers in favor of other browsers. Although these are a very real threat as hackers regularly exploit unpatched vulnerabilities in browsers to infect users’ computers, nearly a third of respondents to a Sophos poll said they did not consider browser control important.

28%

Virtualization

Of particular concern currently is the growth in the use of unauthorized virtualization software on company desktops and laptops.

Virtualization separates the logical (software) from the physical (hardware) allowing multiple systems to be run on one piece of hardware. It can represent real value at time of increasingly constrained IT budgets and organizations deploying managed virtual desktops are running no significant increased risk. Unmanaged virtual

computers, on the other hand, create a black hole in an organization’s security system, with

applications running in an environment about which IT administrators are completely unaware.

The ease with which virtual computer image files can now be downloaded means there is a much higher risk of end users running unauthorized applications – from games to browsers to beta software – in a virtual environment, making corporate systems and data much more vulnerable than in the past.

Removable storage devices

An organization’s vulnerabilities are exacerbated by the unchecked ability to launch unauthorized applications from removable storage devices like USB keys, CDs and DVDs, and wireless networking protocols, such as WiFi, Bluetooth and Infrared – particularly if these applications are then run in a virtual environment.

Compounding the problem is the use of these devices and protocols to transfer business data around and out of an organization. In a recent survey, the inadvertent exposure of company confidential information was cited as the number one threat, above viruses, Trojans and worms.3

The business risk

The unauthorized or uncontrolled installation and use of applications, devices and network protocols can negatively impact organizations in several ways.

Security risks

The risk of infection through unauthorized applications is clear. IM-based malware attacks,

for example are growing exponentially, and P2P applications are similarly on the increase and are notorious vectors for malicious code such as remote command execution, remote file system exploration or file-borne viruses. Infected files can also come in through wireless connections.

Once infected, computers can be used to send out spam or launch denial of service attacks, or to spy on and capture confidential business data.

As discussed above, data can also be easily taken outside an organization on CDs and USB keys and

many recent high-profile incidents confirm how easy it is for these then to be accidentally lost.

Legal and compliance breaches

The installation of unauthorized applications and devices can pose significant legal risk as well

as security risks. The need to protect data is particularly important.

Government regulations such as the USA’sSarbanes-Oxley Act and HIPAA (Health Insurance

Portability and Accountability Act), Canada’s PIPEDA Personal Information Protection and Electronic Documents Act), and the UK’s Data Protection Act place requirements on IT administrators to maintain and protect data integrity within their networks. There is further pressure from recognized industry bodies, such as the Center for Internet Security (CIS Benchmarks) and the Payment Card Industry (PCI DSS).

In addition to the repercussions of failing to protect data properly, there are other legal pitfalls. For example, the content of IM chat often includes attachments, jokes, gossip, rumours and disparaging remarks, confidential information about the company, employees and clients, and sexual references.

Extra IT support burden

As discussed, unauthorized applications and devices can introduce infection to the network, but even without this, they can create an additional IT support headache. Applications that are not properly tested and deployed can cause stability performance issues across the network.

Network and system overhead

The corporate network bandwidth and computer processor power consumed by unauthorized applications can have a direct negative impact on network resources and availability.

For example, distributed computing projects harness the "spare" processing power of millions of

computers to help create models or simulations of scenarios such as climate change. VoIP also uses such spare capacity.

Employee productivity issues

Although applications like VoIP and IM can have business value, in most cases they are a distraction and are not required by end users for business purposes. In a virtual environment, applications that are normally banned by an organization, such as games, can be freely run, or users can simply use the environment to organize their own private affairs, all of which has a hugely adverse effect on productivity.

The challenge of the legitimate

The difficulties presented by some legitimate software applications raise particular challenges over and above "straightforward" protection against malware.

The fundamental step for organizations to increase security and productivity is to create and enforce an acceptable use policy setting out rules on what applications and devices are and are not approved, containing prescriptive advice on best practice, and clearly defining prohibited behavior. Beyond this, from the IT administrator’s perspective there are two distinct challenges:

Allowing controlled use of authorized applications, devices and network protocols.

Preventing use of unauthorized applications, devices and network protocols.

In practice this presents a significant challenge, not least because many users have to be allowed to be local administrators, being given privileges necessary to download applications that they need to do their job, for example downloading updated Adobe Acrobat software. However, this means that they can also download a variety of other software that they might want to install and use. This makes life particularly difficult for the IT administrator: malicious software would be blocked by anti-virus software but applications like IM are not malicious in any way.

Skype End User License Agreement

3.3...Skype Software may utilize the processor and bandwidth of the computer (or other applicable device) You are utilizing, for the limited purpose of facilitating the communication between You and third parties.

Control strategies

In response to the wide-ranging threats posed by the unauthorized use of applications and devices, IT administrators have tried a number of different strategies. While each strategy has some merit, there are also disadvantages.

Locking down computers

One of the most straightforward ways to stop the installation of unauthorized applications is simply to enforce a blanket lockdown on all computers, or to ban the unauthorized use of removable storage media, and to assign only limited administrator rights. However, this is precisely where application control has broken down in the past.

Some departments – notably IT and technical support – have a clear and obvious need for administrator rights. It might seem an obvious answer to allow these technical groups to install applications and to prevent everyone else from doing so. Unfortunately in practice this is not as simple as it sounds.

Many organizations find it expensive to lockdown computers for some or all of their non-technical end users. The inflexibility of the strategy means that countless policies need to be created. For example, many simple Windows functions, such as adding a printer driver, changing time zones and adjusting power management settings, are not allowed with a standard user account and therefore do require constant changing of the assigned rights. The increased staffing requirements and response times related to centrally administering every change to a computer

create a significant cost for the business.

Installing specialist control products

There are products on the market that are designed specifically for controlling which applications can and cannot be run on a computer.

These products typically involve validating usage against large databases of allowed and blocked applications.

For IT administrators they are yet another product that needs to be evaluated, purchased, installed and managed. Management of these solutions is not an insignificant task and is often difficult due to the size and complexity of allow and block lists. In addition, while application control products can be effective in blocking execution of applications, it is more difficult to stop the initial installation.

Finally, specialist application control products do not provide comprehensive protection against malware and businesses still have to invest in other security products to protect against viruses,

spyware, and other threats.

Implementing corporate firewall rules and HIPS

Firewalls and HIPS (Host-based Intrusion Prevention Systems) are generally focused on blocking potentially malicious network traffic and attempts to execute a code, rather than controlling

which applications users can and cannot install and/or run. They can play a role in limiting the use of unauthorized applications by controlling access to network or internet resources, for instance by looking for and blocking VoIP traffic, but are far from an adequate solution to this problem.

Applications, virtualization, and devices: Taking back control

Getting more from an anti-malware solution

Most anti-virus and anti-spyware solutions do not offer application or device control capability. However, a business will get more from its investment in protection against malware and save system and management resources if the same scanning and management infrastructure is used by the product to intercept and manage the use of legitimate software applications and devices.

Deploy only one client

Anti-malware is a necessary investment that IT administrators have no choice but to purchase, install and manage. Deploying a single client that incorporates anti-virus, anti-spyware, antiadware and control of unauthorized applications and devices will save time, money, and system resources, and improve security.

Simplify control and policy setting

Anti-malware solutions allow different policies to be set for different user groups. Being able to set policies to remove unauthorized applications and devices alongside anti-malware policies, can enhance efficiency and allow for specific needs of particular users. For example, VoIP or the use of USB keys could be blocked for office-based computers, but authorized for remote computers.

Eliminate administrative overhead

Using the same management and updating mechanisms for application and device control as for anti-malware software has obvious infrastructure and overhead benefits. However, the overall success of this combination of features, in terms of efficiency, depends on the actual way in which applications are detected. Some solutions require administrators to create their own application signatures using filenames that appear in the application, and to maintain allow or block lists. This approach is timeconsuming and IT resource-intensive. It puts the burden of updating onto the administrator and is also unreliable as users can simply change the

filename to avoid the application being detected.

A better approach is for the vendor to create and update application detection signatures in exactly the same way that malware detection is automatically updated, simplifying administration,

updating and maintenance of detection.

Reduce the support burden

By using signature-based detection that not only stops applications from being run but also blocks their download and installation, organizations reduce the time that their technical support staff have to spend sorting out computers that

have been destabilized by the installation of unauthorized applications.

Conclusion

The challenges posed by the installation and use of unauthorized applications and devices on

company computers are significant. While there are a number of solutions available that help IT

administrators to manage the problem, many require additional investment and, for many

organizations, they can be expensive, unwieldy and difficult to maintain. A better solution is one which completely integrates the blocking of unauthorized applications and devices into the existing antimalware detection and management infrastructure.

This gives IT administrators – for whom IT antimalware protection is a must have – a simple solution that removes the cost and management overhead from the equation.