Lately, there has been a lot of commotion around Java vulnerabilities. Late last month, security researchers discovered zero-day java vulnerabilities being actively exploited in the wild. Shortly after, a group of researchers reported that they had informed the vendor (Oracle) on the existence of such vulnerabilities in Java back in April. As a result, Oracle was essentially forced to release an out of cycle emergency patch, something the database giant rarely does. I would like to discuss some key lessons learned from this most recent Java incident.
Protect data and not end points
The exploits of the recently discovered Java vulnerabilities puts the compromised insider threat in the spotlight again. While this threat was initially demonstrated in the narrow context of APT attacks (Stuxnet, Flame, Doqu and Gauss) as a targeted effort launched by state sponsored actors, it raised the awareness to this type of threat on a wider scope. Our experience shows that many of the commercial malware operations share the same type of infrastructure complexity that Stuxnet was based on. We recently tracked down a single malware instance that was tied to 40 different command and control servers. The list was initially small but was updated on a daily basis. These attacks taught us about the potential damage that can be the result of an infected machine operated within our “secure perimeter”, but many organizations have been responding to the threat the wrong way. Trying to close the perimeter even tighter or regain control of end-user devices (while BYOD is clearly winning the stage) is the wrong way to respond.
The lesson that I have seen too few organizations learn from such attacks, is that protection should be around data rather than around devices. Closely monitoring and controlling data at the source is one part of the solution. Looking for abusive access patterns to data or patterns that reflect the behavior of an outsider within our perimeter is the answer.
Patching right away might be dangerous
As I discussed in my previous column, patching the vulnerability right away with a vendor supplied “hot-fix”, may not be the best security policy. Java users’ learned that lesson again, when the security update provided by Oracle had covered some known issues, but opened some new opportunities for the attackers.
We can only imagine the reaction of system administrators, going through all the trouble of installing the patch across many devices, just to find out, that now the updated devices are even more exposed to attacks, as the new vulnerability is not recognized by antivirus solutions yet. And the really sad part is that they will probably need to go through the same agonizing and possibly futile update process, again, with a new patch to address the new vulnerabilities.
Beware of low genetic diversity
In nature, having a genetic diversity is a key for the survival of the specie. When such does not exist, the specie is exposed to extinction due to a single disease. A prominent example is Ireland’s 19th century “Great famine” caused by the potato blight. The famine had some grave consequences on Ireland population, as during the famine approximately 1 million people died and a million more emigrated from Ireland, causing the island’s population to fall by more than 20%.
In software, there are several areas suffering for a “shallow gene pool”. Attackers are actively targeting these areas, as a successful attack on them can lead to massive exploitation. Microsoft’s Internet explorer used to be such when it ruled the Web browser world, but now as new players have emerged (Google’s Chome and Firefox) and the browser market is mostly shared between a handful of browsers, the damage to Internet users from a single browser exploit has largely subsided.
As a result, hackers have shown a greater interest in some more ubiquitous browsing related components, such as Adobe’s Flash and Oracle’s Java. The Java case is even more serious than Flash, as it serves as a critical component in many business related software products and thus cannot be disabled without damaging the business continuity.