Most organizations would claim that they have an enterprise-class software distribution and governance system – with clearly laid-out criteria and a process for approving the use of software in their environment.
Yet, under the hood, it’s a different world!
When you take a hard look, you will find many unverified applications and utilities (collectively called ‘apps’) running – and up to 40 percent of them are, or are suspected to be, malicious.
These Apps are Outright Dangerous
These apps can pose an incredible amount of risk to organizations. Security measures become useless when a clear and present danger is overlooked by the organization.
They can be as dangerous as an insider gone rogue.
These rogue apps typically:
- Contact command and control servers
- Provide remote access to command and control servers
- Download malicious code
- Create backdoors for other malicious code
- Create vulnerabilities by changing configurations
- Act as key-loggers
- Make changes to access control privileges
Common utilities we all tend to use without much thought
Enterprise-class software is procured through vendor screening and standard evaluation processes and is less likely to be rogue. Often, however, the following apps are not classified as enterprise-class software and escape essential scrutiny:
- Backup utilities
- Shell utilities
- Calendaring utilities
- Local system scanners
- Performance optimization applications
- Download managers
- Process viewing and management apps
- Network scanners
- Window managers
- News and content managers
- Wi-Fi utilities
- Zip and compression utilities
The Fort is not as secure as you thought!
How do the RATs get in?
One would think that with all apps being procured and distributed through a well-governed process there is no way for these RATs to get in.
The reality is in stark contrast to this popular belief. Many apps never pass through the enterprise software distribution mechanism at all.
Often these applications and utilities enter the environment using these channels:
- Downloads from external sites
- USB storage
- An FTP server
The moat has been breached!
Wait, I have a DLP as well as Enterprise Content Protection!
Distribution of these apps happens through an implicit trust system, which gets repeatedly misused and sometimes outright exploited. None of these apps bypass the standard governance processes and systems by themselves; they are allowed into the enterprise through a trust mechanism.
Another case of misplaced trust!
Often an app is used without any attention to its security because it has been in the organization for a long time, with no reported rogue actions. This is the most common trust factor at work in organizations, and it leaves a lot of apps exempt from screening and checks.
Because “they have always been here”.
The “Politics” of Letting the RATs in
The harsh reality is that security professionals wage a continuous battle of ‘protection vs productivity’ while the threat actors wait on the sidelines.
We NEED this “Application” for “Work”!
When businesses raise the issue of productivity, immediate task completion and the always urgent deadline, the IT security group loses the argument for proceeding through standard security governance processes.
Business will always trump “IT red tape”!
Another political battle security groups fight is the endlessly postponed removal of a “temporary, urgent-use” app. User familiarity and ongoing use, “ask others to remove this too”, or “I need the same features” are obstacles most IT departments cannot overcome.
TINA (there is no alternative) triumphs!
What’s to be done with RATs then?
Beyond having an enterprise policy for safe and secure distribution of apps through a software distribution solution, there are several steps an organization must take to stay free of RATs.
A scheduled scan of applications running across the enterprise, including endpoints and mobile devices, should be organized within a governance program. It should identify the unverified applications and utilities, and the endpoints and departments running them.
Create an explicit whitelist of applications and utilities that are allowed across the enterprise, and publish this whitelist regularly to all departmental heads.
Sometimes a political battle can be won if you take the high road and simply publish an executive report of all the violations – which departments and users are running apps that have not been approved through the distribution process.
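The three steps above (scan, whitelist, per-department report) can be wired together in a small script. The following is an added example, not code from the original post: it compares a constructed endpoint inventory against a constructed whitelist and groups the unapproved apps by department for the executive report. App names, publishers, endpoint and department names are all made up; the record layout (endpoint, department, app, publisher) is an assumption about what a scan tool would export.

```python
"""Added example (not part of the original post): match a software inventory
against a published whitelist and summarize violations by department.
All data below is constructed; field layout is assumed."""
from collections import defaultdict

# Constructed whitelist: approved app name -> set of approved publishers.
# Requiring the publisher too catches a familiar name shipped by someone else.
WHITELIST = {
    "ZipTool": {"Example Vendor A"},
    "MailClient": {"Example Vendor B"},
    "BackupAgent": {"Example Vendor C"},
}

# Constructed inventory as a scheduled scan might export it:
# (endpoint, department, app name, publisher).
INVENTORY = [
    ("ws-fin-01", "Finance", "ZipTool", "Example Vendor A"),
    ("ws-fin-01", "Finance", "FastDownloader", "Unknown"),
    ("ws-fin-02", "Finance", "ZipTool", "unsigned"),   # known name, wrong publisher
    ("ws-hr-07", "HR", "MailClient", "Example Vendor B"),
    ("ws-hr-07", "HR", "WiFiBooster", "Unknown"),
    ("ws-eng-03", "Engineering", "BackupAgent", "Example Vendor C"),
]

def is_approved(app, publisher, whitelist=WHITELIST):
    """True only when both the app name and its publisher are whitelisted."""
    return publisher in whitelist.get(app, set())

def find_violations(inventory, whitelist=WHITELIST):
    """Return the inventory records that are not on the whitelist."""
    return [r for r in inventory if not is_approved(r[2], r[3], whitelist)]

def summarize_by_department(violations):
    """Group violations as department -> {"app (publisher)": [endpoints]}."""
    report = defaultdict(lambda: defaultdict(list))
    for endpoint, dept, app, publisher in violations:
        report[dept][f"{app} ({publisher})"].append(endpoint)
    return {dept: dict(apps) for dept, apps in report.items()}

if __name__ == "__main__":
    # Print the executive report: one block per department with violations.
    for dept, apps in summarize_by_department(find_violations(INVENTORY)).items():
        print(dept)
        for app, endpoints in apps.items():
            print(f"  {app}: {', '.join(endpoints)}")
```

Departments with no violations (Engineering here) are simply absent from the report, which keeps the published list short and pointed.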
Beyond procedures and processes, awareness makes a huge difference. Many business users do not fully understand security threats. Conduct awareness sessions to help them understand the damage they can cause when they use such apps.
As with real rats, prevention, traps and hygiene are your best bet against RATs!