The issue of viruses, ransomware, spyware and other forms of malware intended to cause harm, has become much more of a hot topic in recent years. However, this has not translated into a comparable increase in vigilance and due diligence when it comes to choosing software vendors and websites. Although many attacks come from vulnerabilities in software, it is far easier for malicious software to find its way into your corporate environment by allowing staff to install their own software.
Malware is becoming more sophisticated and the quantity of malicious software is increasing at a very fast pace. Technical solutions are evolving to protect against malware, but the concern voiced here is the culture of software installation and usage. When left unchecked this can easily result in harm, loss of data, loss of reputation and business. Anti-malware solutions are absolutely essential but relying on such solutions while allowing any software to be installed by anyone for any reason is a dangerous approach. An extra level of defence is needed.
- Lock down desktop permissions so that only key members of staff have the authority to install software. New software may be required but needing to involve an authorised person or team to have software installed, requires a justification to be presented so slows down the process. Whereas, if just one person is involved, software can easily be installed on a whim with very little in the way of thought about the implications.
- Have a published white list of software that is used within the business, and defined policies in place regarding how software is installed, and how new software is selected. Promote awareness of software installation policies within the business. Again, this aims to slow down the installation process or, more precisely, increases the time between an end-user deciding they need a piece of software to the software being ready to use on their desktop.
- Remove all unauthorised software. Implementation of software installation controls are often performed at a late stage in business development, and seldom implemented during any start-up period. Therefore, it is highly likely that when a requirement to enforce control of software is made within a corporate environment, it is because control has been lost.
- Identify all executables on desktops and which application they belong to and remove all other executables. This approach can be time-consuming and a more viable approach is to define a standard build for desktops which includes the operating system and all the key software applications used by most staff. Applying the standard build will remove all traces of the previous installation and any legacy unauthorised software. Combined with implementing new rules and enforcing software installation permissions, old software is cleaned up and new software is controlled.
- Don’t install software from unknown or untrusted sources. The fact is, it is extremely easy to search for software online, find any that is needed, and install the software very quickly. Websites giving away malicious software often look very professional and there are many sites that mimic known websites to capitalise on the credibility of legitimate websites.
Slowing down the process and giving time for appropriate software to be chosen and installed is essential and cannot be over-emphasised.
Information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree and specialising in cyber security, risk analysis, compliance reporting and access management.