You’re sitting at your desk, punching out a few keys on the keyboard, and then it happens.  The moment everyone knows is possible, but always thinks happens to someone else.  Your phone rings and the person on the other end informs you that the company has been part of a data breach.  Your company’s databases and access credentials have been found on an underground website where this type of information is sold and traded.  After hanging up the phone you say to yourself, “How?”, “What about our firewall?”, and “Our monitoring and intrusion prevention should have caught this.”  These are just some of the questions which begin to flow from you and others.  All of these questions are important, but at this minute the only one to consider is “How?”.  You need to begin Incident Response procedures and find the cause.


Patch Applications and the Systems they run on

The cause was covert and unexpected, yet it is one used by many attackers.  A 3rd party application was the open door, the way the attacker found access.  When patching systems many people focus on the system itself but overlook the applications actually installed on those systems.  Attackers are still targeting the systems, so without a doubt system patching is important, but the initial entrance and pivot point is rarely the system itself.  Many times the attacker uses a form of Social-Engineering to gain the user’s trust, leading the user to give the attacker access from within the company and bypassing all the external protections put in place.  This type of attack is often made easier by tools such as TrustedSec’s very own Social-Engineer Toolkit (SET) (https://www.trustedsec.com/downloads/social-engineer-toolkit/ ).   When focusing on patching we all need to take a look at the applications themselves.  I would like to say that either the system or the applications is the most important; however, I believe they are equally important.  The installed applications need to be documented with versions, by system.  This inventory needs to be maintained frequently and the updates pushed out after following the “5 Common Sense Tips.”


Application attacks are a real security threat

Attacks on applications are common, and a real security threat.  When 3rd party applications are ignored as a threat or simply left unmaintained, you have no way of knowing whether the recently exploited application is in your environment.  That single application, installed on just one system, just for one project, and then forgotten about, has now opened the door and allowed an attacker to exploit your company.  This exploited machine was the pivot point for attacks on every other system, in turn exploiting other applications, and finally gaining access to the databases.  Now your company is being traded in the underground like stocks traded on the world’s largest stock markets.  This breach has caused your company financial losses in such areas as intellectual property, reputation, and IT resources, to say the least; all because 3rd party applications were overlooked in the overall security posture of the organization.


Document and Patch 3rd party applications

When developing your patching process you need to have a procedure in place for documenting 3rd party applications as well as patching them.  The patch cycle for 3rd party applications is not as well defined as Microsoft’s, so staying vigilant with these vendors is a must.  A great starting point with 3rd party applications can be found at the Table of 3rd Party Patches.  Also consider whether or not your patch management solution includes support for the Common Vulnerabilities and Exposures (CVE) (http://cve.mitre.org/ ) database.  Also consider joining the mailing lists at the United States Computer Emergency Readiness Team (US-CERT) (http://www.us-cert.gov/) or a CERT in your region.  Maybe try using the resources found at the National Vulnerability Database (NVD) (http://nvd.nist.gov/ ) website.
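As an added illustration of the inventory-and-cross-reference step described above (example code written for this post, not a TrustedSec tool), the script below keeps a per-system record of installed application versions and checks it against an advisory list the way a CVE/NVD feed would be used; every host name, product, version and advisory id here is constructed.

```python
# Constructed inventory: system -> {application: version}.  Hosts, products
# and versions are all invented for this example.
INVENTORY = {
    "WS-FINANCE-01": {"ExampleReader": "10.1.3", "ExampleZip": "4.2.0"},
    "WS-DEV-07": {"ExampleReader": "10.1.12", "LegacyTool": "1.0.2"},
    "SRV-DB-02": {"ExampleZip": "3.9.1"},
}

# Constructed advisory feed: one entry per (application, first fixed version).
# In practice these records would come from NVD/CVE or vendor notices.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "app": "ExampleReader", "fixed_in": "10.1.10"},
    {"id": "ADV-EXAMPLE-2", "app": "LegacyTool", "fixed_in": "1.1.0"},
    {"id": "ADV-EXAMPLE-3", "app": "ExampleZip", "fixed_in": "4.0.0"},
]


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so that "10.1.12" > "10.1.3".

    Comparing the raw strings would get this wrong ("10.1.12" < "10.1.3").
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version that fixed the issue."""
    return parse_version(installed) < parse_version(fixed_in)


def find_exposed_systems(inventory, advisories):
    """Return (system, app, version, advisory id) for every unpatched install.

    Systems are visited in sorted order so the report is stable run to run.
    """
    findings = []
    for system, apps in sorted(inventory.items()):
        for adv in advisories:
            version = apps.get(adv["app"])
            if version is not None and is_vulnerable(version, adv["fixed_in"]):
                findings.append((system, adv["app"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    for system, app, version, adv_id in find_exposed_systems(INVENTORY, ADVISORIES):
        print(f"{system}: {app} {version} is affected by {adv_id}")
```

The forgotten single install (LegacyTool on WS-DEV-07) shows up only because the inventory is kept per system rather than as a flat list of products.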


There are many resources, but ultimately it falls back on making sure the procedure is developed and followed.  Everyone will be hacked at some point, which is a given fact.  The variable in the equation is to what extent you are damaged and whether or not you were able to catch the attacker before they got everything; otherwise you may be the next person getting that call, having no idea you even had an attacker running through your 3rd party applications.