Needle In a Hay Stack or Sword in a Straw Pile?

Level 11

I’ve spent countless hours trying to find the perfect tool for the job. In fact, I’ve spent more hours searching at times than I have doing the work. You’ve probably done that before. I hear a lot of people are the same way. I look at it as if I’m searching for that needle in a haystack. When I find it, I’m over the moon. But what about when it comes to our end users? Do we trust them enough to locate that needle in the haystack when it comes to software that will enable them to perform their work? I'd venture to guess that in larger organizations the resounding answer is no! But why?

Elemedia Player

Let's use the media consumption application Elmedia Player as a working example. Now it's true that our end users probably won't need Elmedia Player to get their job done, but the method behind what happened here is what I'm interested in discussing.

On October 19, 2017, ESET Research reported that Elmedia Player had been briefly infected with the Proton malware strain. In fact, the developers of Elmedia Player, Eltima, later reported on their blog that they had been directly distributing the compromised software from their own servers. In this case, the malware was delivered via the supply chain: the user did nothing wrong beyond trusting the vendor's official download.

Let's now put this in the perspective of our end users. Imagine that an end user shows up at work to find that their workstation doesn't have some set of software that they use at home. They feel comfortable using this software and decide to find it on the interwebs and download it themselves. They grab said software package and install it. Off to work! Another great day.

However, in this instance, they have obtained a package that's infected with malware. It's now on your network. Your day has just gone downhill fast. You'll likely spend the rest of the day restoring a machine or two, trying to figure out how far the malware has spread, and second-guessing every control you've put in place. In fact, you may not even realize that there's malware on the network initially, and it could be days or weeks before the impact is realized.

Taking it to the Enterprise

Let's move this discussion to something more fitting for the enterprise. We've already discussed online file storage services in this series, but let's revisit that a bit.

Imagine that we couple the delivery of malware packaged into an installer file with the strong encryption performed by these online services, and you can pretty much throw your visibility out the window. So here's the scenario. A user wants to share some files with a colleague. They grab a free Dropbox account and share some work stuff, some music, and some apps that they like, perhaps Elmedia Player with an infected installer. You can see where this is going.

My point to all of this is that we have to provide the tools and prohibit the user from finding their own, or things start to go off the rails. There's no way for us to provide security for our organization if our users are running amok on their own. They may not mean any harm, but it happens. In fact, this article written by Symantec discusses the very same idea. So instead of finding a needle in a haystack, we end up falling on a sword in a pile of straw.

How do you feel about these services being used by end users without IT governance? How do you handle these situations?

22 Comments

Stealth networking by employees and well-meaners and ignorant folks may cause the end of networking as we know it in the future.  I hope not.

MVP

I guess if employees have no access to install software on their computers, then that would stop the issue. Also having up to date antivirus software on their machine should also help.

The problem is when something new comes along, and the scanners aren't detecting it.

Level 14

We have an Enterprise anti-virus solution regularly updating every PC / laptop connected to the network.  We also don't allow users to install any software.  I'd like to block software downloads and access to USB ports too but that is a bit of a political nightmare here.  I've seen entire corporate networks go down because of someone installing an application that they wanted without contacting IT first.  Last time I was on site for 71 hours straight sorting out the mess.  The overtime was good though.

Level 21

A mature enterprise should both have rules regarding using only company approved software and a repository from which said software can be obtained.  Following that they should have a way to be aware or even prevent the installation of unapproved software.  Without these things you are asking for trouble.

One vulnerability is I.T. staff who have install rights, and who may install something inappropriate, out of good intentions or bad ones.

Of our 17,000 employees, only SysAdmins, Network Analysts, and End User Support Techs are in the Local Admin Group on PC's.

Needle in a haystack doesn't present a problem if you have a match

Ooo . . .  Burn down the data center and the staff to fix the problem . . .

Yikes!

Level 9

In many modern enterprises most of those employees are themselves IT professionals, which raises many questions in my mind.

Who decides what the exceptions are (if any)?

Is there sufficient rigour to ensure exceptions are appropriate and not just given to those with the most influence?

Is there appropriate separation of duties?

Can the approvers give themselves (or their buddies) access?

When approved alternatives don't exist, will those willing to break the rules simply do so?

Will they have the capability to simply work around whatever limitations you create?

If the needle and the haystack are figurative, I'm sure the match is too.

MVP

Good antivirus is a must! Here most of IT (if not all) are local admins on their device. It would be a royal pain if I wasn't a local admin on my devices.

MVP

Hahaahahahaha - that's awesome!

MVP

Nice article

Like always, it comes down to "standardization, standardization, standardization". Today's IT landscape is too complex for the regular user, maybe even an admin, to see the whole picture. Having standardization in place limits your flexibility, but you can manage your IT infrastructure much better. Maybe the user is not working with his/her preferred tool; however, they won't cause more headache.

Level 12

This is one reason why big enterprises go for application auditing, and take away admin rights from users to prevent most (but not all) installs.

Cloud sharing has another name - data leakage.  Cloud vendors don't make auditing of shares easy or even possible. Corporate cloud might have some tools, but only blocking all access to cloud URLs will prevent users from connecting to their own personal cloud.

I also wonder how many sites never scan their open shares on the LAN with tools like Microsoft's ShareEnum  or even have a policy for data ownership?  A dozen or so years ago, LAN veterans of the Worm Wars learned how malware moved from share to share, and Microsoft gradually closed some of the holes, and set new defaults on some types of shares. But even if sharing is legit and allowed, who scans them for pirated software or possibly infected zip files?

Level 20

Infected supply chain is a HUGE concern in anything... especially anything military which might put our troops in jeopardy.  Where we buy our electronic components and who wrote our software, whether commercial or open source, makes a difference.

MVP

We have multiple elements in place to help with this - none are 100%.

  • Our firewall blocks the download of executables for most users - most users, some still have this access because of business justifications
  • We have antivirus and malware scanning on the firewall of the files that are allowed - we can only scan what we can see; if the traffic can be decrypted we do so and inspect, however decryption breaks a lot of sites that just have to be allowed through
  • We have endpoint antivirus and malware scanning - nothing on the endpoint is 100% and there's always the zero-day varieties
  • Most users are not local admins - again, for business reasons some are

Level 13

Malware is going to find a way in.  Nothing is 100%. 

You said, "I’ve spent countless hours trying to find the perfect tool for the job. In fact, I’ve spent more hours searching at times than I have doing the work"

That is, perhaps, the biggest resistance to putting the effort into automation from the people who would most directly benefit from it.

Users should generally always have downloads blocked, but that also requires that you have a valid/useful software repo for people to get *authorized* applications, etc. To only do the one without the other is to invite terrible security.

Level 14

Yes, there must be a way for users to get software that isn't currently supplied by IT.  We ask them to log a ticket so that IT can check out the software first, then package it and install via SCCM if the effort justifies the time, or just install manually.  Anyone caught installing software without IT consent is liable to disciplinary action up to and including dismissal.  We also block downloads of install packages and executables and run enterprise anti-virus on end-points and servers.  You can only do your best.  Stuff will still get through.

Level 12

thanks for the article

MVP

The key word in this whole article (for me anyway) is governance. That word in itself is a point of contention, as some see it as control, while others see it as something that needs to be worked around. In a good, healthy organization all of the affected people would work together to work out the best solutions. Users generally think they need more than they really do; management tends to think that they need less than the users actually need. That creates a friction that leads to loss of productivity and lower morale. By working together the best solutions can be obtained.

About the Author
Brandon Carroll, CCIE #23837, is the CEO of California-based Global Config Technology Solutions, Inc., a tech blogger, and a Cisco Press author. With over 15 years in IT, a few certifications, and a love for technical education, you'll find him at Cisco Live, on the Packet Pushers Podcast, Twitter, and Google+.