The importance of knowing the software and components used on your network: a guest blog by Chris Carter, Information Security Analyst for the Port of Vancouver

Chris Carter, Information Security Analyst, Port of Vancouver, USA

I consider myself an enthusiast of cars from the '50s, '60s, and '70s, especially station wagons and trucks of that era. I'll tell you the make, model, and year of that wagon or truck as it's driving down the road. Show that exact vehicle to an expert, however, and they will be able to cite details like factory options, colors, and so on.

In my garage I have a “one-year project” that’s now going on year ten. Why year ten? I picked out a beautiful 1963 Buick Special Deluxe wagon, not understanding the vehicle’s components: an engine and transmission used in a limited two-year run, no aftermarket support for other parts. It's a vehicle for which specialty catalogs do not exist. Indeed, not a project for an enthusiast but an expert, one with a bottomless budget and fabrication skills.

Let’s shift to how this relates to cybersecurity. Do you know your software inventory or the components behind the software that run your critical business processes? Do they pose a threat? Did that developer secure these components or use best practices when developing the software, baking in security during the development process? Or will you be left later trying to establish a way to secure this software or component?

Staying up to date on Microsoft Windows updates is critical to maintaining a secure environment. How are you handling the updates that may not be covered automatically by Windows or your operating system? Many web browsers and other software programs installed on your computer have their own update processes that may or may not alert you when updates are available. Firmware on devices such as printers and wireless/Bluetooth keyboards or mice may also have updates. Your smartphone, too, has apps that require frequent updates.

The National Security Agency recently released a Cybersecurity Technical Report titled “Recommendations for Configuring Adobe Acrobat Reader DC in a Windows Environment.”[1] Adobe Acrobat Reader DC is a widely used application, likely found on most of the computers throughout your business environment, used for reading PDF documents. What stood out to me most about this report is that it is twenty-one pages long and provides twenty-five-plus changes you should make to secure a “simple” program. Again, despite this document’s length, it covers only one of the many applications you may find throughout your environment.

Let’s dig even deeper and look at the individual components of any software. The last few months have taught us that the cyber threat to this part of software is very real. “Log4J” dominated the cybersecurity news cycle at the end of 2021, as IT and Information Security professionals scrambled to find what software was using “Log4J” and where it was on the network. Unless you are a Java programmer, this likely was the first you’ve heard of Log4J. Log4J is a Java “library” that was used extensively across many Java applications to log events. Programmers use libraries as a shortcut: rather than writing the code for a specific task themselves, they plug in a library built for it. “Log4J” was designed to log events.

While IT teams scrambled upon news of the “Log4J” threat, what stood out to me more was the scrambling vendors were doing. Some didn’t have a handle on the inventory of components (like the “Log4J” library) their software was using. Still today, with some software vendors, we see workarounds, but not complete fixes, to this issue. As we learned, some software vendors that we rely on to conduct daily business operations or maintain critical infrastructure processes do not understand their own component inventory, so we must have a strategy in place to protect our environments.

Today’s threat landscape no longer allows you to wait for a monthly patch; if you do, you’ll already be behind. Vulnerabilities emerge quickly, and “proof-of-concept” hacks are finding their way to the internet, sometimes the same day the vulnerability is announced. Establishing an extensive software inventory program coupled with a vulnerability management program to identify these issues is critical in securing your environment. When procuring new software, require a software “bill of materials” as part of the contract, and be able to quickly recognize whether you have a vulnerable piece of software or component within your environment. We can no longer be mere “enthusiasts” but must become “experts” and understand the details behind what is running on the computers within the environment. You can’t protect what you don’t know you have.
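As an added example (not part of the original post and not any vendor's code), here is one way a software bill of materials can answer the "where is this library?" question: a Python check that walks a CycloneDX-style SBOM, including components nested inside other components, and reports entries on a watchlist. The product names, the SBOM contents and the fixed version are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical vendor product; the
# logging library is nested inside another component as a bundled dependency.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"name": "example-terminal-app", "version": "4.2.0"}},
 "components": [
  {"name": "example-report-engine", "version": "1.8.3",
   "purl": "pkg:maven/com.example/example-report-engine@1.8.3",
   "components": [
    {"name": "log4j-core", "version": "2.9.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.9.1"}]},
  {"name": "commons-io", "version": "2.11.0",
   "purl": "pkg:maven/commons-io/commons-io@2.11.0"}]}
"""

# Constructed watchlist: package URL without version -> first fixed version.
# "2.99.0" is a placeholder; take the real value from the relevant advisory.
WATCHLIST = {"pkg:maven/org.apache.logging.log4j/log4j-core": "2.99.0"}

def version_key(version):
    """Turn '2.9.1' into (2, 9, 1); non-numeric parts count as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def walk(components, path=()):
    """Yield (component, path) for every component, including nested ones."""
    for comp in components or []:
        here = path + (comp.get("name", "?"),)
        yield comp, here
        yield from walk(comp.get("components"), here)

def find_affected(sbom, watchlist):
    """Return watchlisted components whose version is below the fixed version."""
    product = sbom.get("metadata", {}).get("component", {}).get("name", "unknown")
    hits = []
    for comp, path in walk(sbom.get("components")):
        base = comp.get("purl", "").split("@")[0]  # drop '@version' and qualifiers
        fixed = watchlist.get(base)
        version = comp.get("version", "0")
        if fixed and version_key(version) < version_key(fixed):
            hits.append({"product": product, "path": " > ".join(path),
                         "version": version, "fixed_in": fixed})
    return hits

if __name__ == "__main__":
    for hit in find_affected(json.loads(SBOM_JSON), WATCHLIST):
        print(hit)
```

The reported path shows which bundled component carries the library, which is the detail to take back to the vendor when asking for a fix.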

Finally, if anyone wants to buy the 1963 Buick Special Deluxe wagon project, I’ll gladly entertain offers.

[1] National Security Agency, “Recommendations for Configuring Adobe Acrobat Reader DC in a Windows Environment,” January 20, 2022. https://media.defense.gov/2022/Jan/20/2002924940/-1/-1/0/CTR_CONFIGURING_ADOBE_ACROBAT_READER_20220120.PDF