Enterprise Application Whitelisting


Visualizing Software Risk - part 2

Posted by Matt Petrosky on Tue, Jun 29, 2010

In my last post, I graphed the introduction of software onto a new system. In this post, I'll graph the risk that such software poses to an environment.

When they introduce an unapproved application, end users seldom realize the risk that change could pose to the network. For example, a single user installing an alternate web browser on their computer might have a risk profile that looks like the graph below. By itself, a single application on a single computer does not pose a huge threat to the network (unless of course that application is malicious in nature, but we will assume for now it is not).

[Figure: risk graph for a single unapproved application on a single computer]

(You can download a larger version here:  http://bit.ly/aXBFnE )

Over time, there may be patches or updates that need to be applied to the application, and because the end user is likely the only one who knows about this application, it is up to them to apply those patches or updates. In an attempt to address the lack of central patching and upgrading, many products now come with self-updating functionality that checks for new versions either at runtime or on a set schedule. Unfortunately, most end users are aware of neither the importance nor the urgency with which some of these patches need to be applied. Therefore, updates get postponed, versions get skipped, and the number of vulnerable applications within the network grows.

Now the graph moves up the risk scale a bit, because there is little control over this unknown web browser and there is uncertainty about its patch level. The particular application that has been installed, the responsiveness of its publisher, and the timeliness of its patches can also bump up the risk level. For example, Secunia reports that Firefox, a very common alternate browser, had to release patches for 115 vulnerabilities in 2008 (source: http://bit.ly/cFAA4z ). By comparison, Internet Explorer, whose patching IT has a fairly good grasp of, suffered from 31 in 2008.

[Figure: risk graph for the same application once patch level becomes uncertain]

(You can download a larger version here:  http://bit.ly/biXqpK )

This issue is only compounded by the fact that users will install not only an alternate web browser, but also games, toolbars, media players, peer-to-peer tools, and a plethora of other programs, either intentionally or unintentionally.

This final graph shows the compound level of risk that multiple machines introduce when they all have unwanted programs added to them.  It is very easy to see why unauthorized software is almost more of a concern these days than malicious software. 

[Figure: compound risk graph for multiple machines, each with unwanted programs installed]

(You can download a larger version here:  http://bit.ly/ddF79Q )

All of these programs expose an organization to increased support costs, as unwanted programs conflict with business-related applications; increased re-imaging costs, as the easiest and most effective way to eliminate this software from an end user's computer is to start from scratch; and an increased risk that a computer will be compromised through an attack on a vulnerable application.

Combined with strong written policies, it is understandable why many organizations are turning toward methods that apply tighter control over what software end users are able to introduce onto their systems. Without a reasonable mechanism for inventorying and patching unauthorized software, the best approach for IT is to prevent the introduction of these applications in the first place.
