patch shadow appsIf you use Microsoft products, you know that every month you’re going to get a nice list of patches for your systems. What many don’t realize is that Microsoft is not the only vendor pushing out fixes for their products. Our monthly third-party updates will give you an idea of what admins need to look out for.

However, it’s not Microsoft’s patches or those from other well-known vendors you need to be worried about. It is the software you don’t know you have, so called Shadow Apps, which is the real worry. These are bits of software that your end users install themselves, creating a massive security exposure. Failure to patch these apps means failure to secure your network.

All IT admins understand the need to patch, and the first step is to discover what apps are on your network. Asset and inventory management, or network and application discovery, can tell you what you have. Then, an automated patching tool, similar to GFI LanGuard, that embraces multiple platforms and applications is a must.

Many Shadow Apps are good old-fashioned hard drive-based programs which your patching tool, if you have one, should be able to accommodate. This approach will not just secure Shadow Apps, but vulnerable utility-style software such as Java, Adobe Flash and Reader, and iTunes as well (we are just scratching the surface here).

Block and tackle

You don’t have to patch what you don’t have installed is the theory behind monitoring and blocking applications. There is no rule that says end users can run any software they want (and this is where an IT policy is indispensable).  Not only are unauthorized apps a potential productivity drain, but they can create a security risk.

One easy way to block some of these apps is to never allow end users to have admin privileges on their PC. While not a complete solution, it is a first step in the right direction. Asset or inventory management, meanwhile, can discover these rogue apps and you can take steps to remove them if it is warranted.

The problem with web apps

Web apps can be the most vexing of the Shadow Apps, as they are so easy to activate and hard to discover.  Many don’t need as much patching, but others do. However, web apps constitute another big risk which is data leakage apart from the usual attack vector.

Applications operate at what is called Layer 7 of the OSI stack, which is the highest of all the network layers. Most network security tools such as firewalls operate at lower layers of the network, oblivious to the dangers posed by web apps. Fortunately, some tools such as GFI WebMonitor can address these Layer 7 issues.

Key examples of Shadow IT apps are Google Apps, DropBox, Box and other shared storage file and sync apps, all of which are particularly prone to data leakage.

Compromised apps are another danger. For instance, remote code execution attacks mean a hacker can run their malicious software on your machines. These attacks could be denial of service and elevation of privilege, and all manner of malware.

One of the most common attacks is SQL injection. HP did a study where it scanned web apps, and found that 69% had been hit by SQL injection. Meanwhile 42% had been hit by cross-site scripting attacks.

Even CERN has Shadow Apps problems

Patching is a clear web apps issue identified by CERN, the European Organization for Nuclear Research. Part of the problem is that core apps are tended to by their vendors. Microsoft, as mentioned, has Patch Tuesday and automated ways to patch clients. Other third party software vendors such as Oracle are also aggressive in releasing patches to customers. Unfortunately most web apps don’t come with automated ways to keep them up to date and patched, and even when patches are available, end users all too often ignore them.

The problem is only getting worse, and goes well beyond Shadow Apps and web apps. Device overload is another culprit. In a CERN Bulletin piece, Stefan Lueders, who works within the Computer Security Team, laments the difficulty in keeping his myriad devices secure.

“Given the number of devices, how could anyone expect me to spend all of “Patch Tuesday” – the day each month when Microsoft publishes its newest updates – running around and keeping all our operating systems, firmware and applications up to date? I am already fed up with keeping my iPhone and its apps up-to-date – every second day, so it seems, I am forced to apply new updates to some apps… How would this scale up to a cacophony of devices at home? In short: it doesn’t, and it also doesn’t work well in a large computer centre like CERN’s,”Lueders wrote.

The answer is an all new approach to patching. “We need a change of paradigm. Enter: ‘Agility’. In the near future, I expect security updates to sneak into my devices clandestinely (if I opt in) in order to keep them up to date and provide protection against exploitation.”

Patching must become “agile” says Lueders. In a perfect future for him, all updates would be automatically pushed and applied to all devices. Apple have already started updating their apps in this way if a user decided to enable this feature and it surely does make life easier but when you’re talking about businesses a certain amount of care needs to be taken. As we have seen in the past months, Microsoft’s Patch Tuesdays brought with them quite a few problems. To this day many IT admins like to first test a patch on one system and then deploy it to the rest of the network.

Lueders’ future is one wanted by many, but until all patches come out without any adverse effects this future might be a long way coming. Until then IT admins have tools such as GFI LanGuard that can take many of their patching woes away.

To learn more about GFI LanGuard and how it can help you tackle the problem of Shadow Apps, visit our website. Or else, grab yourself a FREE 30-day trial by clicking here.


Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.