Tuesday, January 22, 2008

Software Assessment 2.0

Up to this point we have logged all the file and registry changes and sorted through them to determine that the changes made by installing the software are a low risk to our secure machine. The next step is to research the product. As I think about it, this actually should be the first step.

Vendor documentation: read through the documentation to get an understanding of what the software does and how it does it. I usually look for technical details, such as the ports and protocols the software uses. Note: read through the user agreement as well. I have seen many cases where it says that installing the software gives the vendor the right to collect information about your system, or that the software will phone home every so often.

An example is from the Google Earth license:

The Software may communicate with Google servers from time to time to check for available updates to the Software, such as bug fixes, patches, enhanced functions, missing plug-ins and new versions (collectively, "Updates"). By installing the Software, you agree to automatically request and receive Updates.

Your security policy might prohibit automatic updates, in which case you would not allow this software.

You also need to know the type of data the software processes and ensure that data is protected. For example, if you are working with health care data and the software has an internal database, then you need to ensure the software protects that data according to HIPAA requirements, by encrypting it and only allowing authorized access. Vendor documentation usually states the safeguards; if not, contact someone at the company and ask.

Next, a vulnerability check: check the software for known vulnerabilities and issues using online vulnerability databases. You can quickly search for information on the security of the product on the following sites:

- National Vulnerability Database: U.S. government repository of standards based vulnerability management data
- SecurityFocus: vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs
- milw0rm: site that promotes open source security by posting exploits found in popular programs

Searching these sites will give you an understanding of the vulnerabilities and problems with the software, and usually mitigation techniques as well.

For example, if we search the National Vulnerability Database for Google Earth we get the following (I really don't mean to pick on Google, it's just an easy example):

This basically says that a malicious mapping file can cause a buffer overflow in the application. Now that we know buffer overflows are possible through mapping files, to mitigate the risk we would enact a policy stating that users may only connect to a specific mapping server (the Google Earth server) or only to trusted servers. Keep in mind that a file-format overflow can also be triggered by a file that arrives some other way (an e-mail attachment or a download), so restricting servers reduces the exposure but does not remove it; installing the vendor's fixed version is the real fix. Vulnerability websites can be very useful for determining the amount of risk brought to the network and to the secure computer. If you can't find anything on those sites, try Google.
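The vulnerability check above is done by hand in the post. Here is an added example (mine, not from the original post) of the same triage as a script: it takes a vulnerability-database result, pulls out each entry's score and description, and decides whether anything is severe enough to block the install. The input is a constructed sample shaped like an NVD API 2.0 JSON response (the assumption is that only the cve.id, cve.descriptions and cve.metrics fields are needed); the CVE IDs and descriptions are fictional and do not describe any real product. In a real run you would feed it the JSON returned by an NVD keyword or CPE search for the product.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample shaped like an NVD API 2.0 response (assumption: only the
# cve.id, cve.descriptions and cve.metrics fields are relied on). The CVE IDs
# and descriptions are fictional and do not describe any real product.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "descriptions": [{"lang": "en", "value": "Buffer overflow when parsing a crafted map file."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {
            "id": "CVE-0000-0002",
            "descriptions": [{"lang": "en", "value": "Update check leaks the machine name over plain HTTP."}],
            # CVSS v2 entries keep baseSeverity beside cvssData, not inside it
            "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}, "baseSeverity": "MEDIUM"}]}}},
        {"cve": {
            "id": "CVE-0000-0003",
            "descriptions": [{"lang": "en", "value": "Crash when opening a malformed placemark."}],
            "metrics": {}}},  # not yet scored
    ]
})


def best_score(metrics: Dict[str, Any]) -> Tuple[Optional[float], str]:
    """Return (baseScore, severity) from the newest CVSS version present, or (None, 'UNSCORED')."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for entry in metrics.get(key, []):
            data = entry.get("cvssData", {})
            if data.get("baseScore") is not None:
                severity = data.get("baseSeverity") or entry.get("baseSeverity") or "UNKNOWN"
                return float(data["baseScore"]), severity
    return None, "UNSCORED"


def triage(json_text: str, max_score: float = 7.0) -> List[Dict[str, Any]]:
    """Summarise every CVE in an NVD response and flag those that block installation.

    A CVE blocks installation when its base score reaches max_score, or when it
    has no score at all: an unscored entry is unknown risk until a human reads it.
    """
    findings = []
    for item in json.loads(json_text).get("vulnerabilities", []):
        cve = item["cve"]
        score, severity = best_score(cve.get("metrics", {}))
        summary = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        findings.append({
            "id": cve["id"],
            "score": score,
            "severity": severity,
            "summary": summary,
            "blocks_install": score is None or score >= max_score,
        })
    return findings


def install_allowed(findings: List[Dict[str, Any]]) -> bool:
    """True only when no finding blocks installation."""
    return not any(f["blocks_install"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_NVD_RESPONSE)
    for f in results:
        flag = "BLOCK" if f["blocks_install"] else "ok   "
        print(f"{flag} {f['id']} {f['severity']:<9} {f['score']}  {f['summary']}")
    print("install allowed:", install_allowed(results))
```

The threshold is a policy choice; 7.0 (the bottom of CVSS "High") is just a starting point. The one deliberate design decision is that an entry with no score blocks the install rather than being ignored, since "not yet rated" is not the same as "low risk".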

Another useful site is the National Checklist Program, which is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. The checklist program can give detailed guidance for securely installing certain software. Based on experience, it is always good to have a configuration checklist for installing software, to ensure that whenever or wherever the software is installed it ends up in the same configuration. Most of the time it will be up to the security professional to create this list; however, sometimes there is already a checklist developed that can be used.
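A checklist is only useful if you actually verify the installed configuration against it. As an added example (mine, not from the post or from any checklist program), here is a small script that reads an INI-style configuration file and reports every setting that differs from the checklist. The sections, options and required values are assumptions for a hypothetical mapping application, chosen to match the points raised above (no automatic update check, no listening port, only the trusted map server, encrypted local store); the observed configuration is constructed to look like a default install.

```python
import configparser
from typing import Dict, List, Tuple

# Checklist of (section, option) -> required value. The sections, options and
# values are assumptions for a hypothetical mapping application; adapt them to
# the real product's configuration file.
CHECKLIST: Dict[Tuple[str, str], str] = {
    ("updates", "auto_check"): "false",                       # policy: no automatic update checks
    ("network", "listen_port"): "0",                          # 0 = application opens no listener
    ("network", "allowed_servers"): "maps.internal.example",  # only the trusted map server
    ("storage", "encrypt_database"): "true",                  # local data store must be encrypted
}

# Constructed INI-style configuration as it might look after a default install.
OBSERVED_CONFIG = """\
[updates]
auto_check = true

[network]
listen_port = 0
allowed_servers = maps.internal.example, earth.example.com

[storage]
encrypt_database = true
"""


def check_config(config_text: str,
                 checklist: Dict[Tuple[str, str], str] = CHECKLIST) -> List[Tuple[str, str, str, str]]:
    """Compare a configuration file against the checklist.

    Returns one (section, option, expected, actual) tuple per deviation; a
    missing section or option is reported with actual == "<missing>".
    Comparison is case-insensitive so that "True" and "true" both pass.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    deviations = []
    for (section, option), expected in checklist.items():
        actual = parser.get(section, option, fallback=None)
        if actual is None:
            deviations.append((section, option, expected, "<missing>"))
        elif actual.strip().lower() != expected.strip().lower():
            deviations.append((section, option, expected, actual.strip()))
    return deviations


def compliant(config_text: str, checklist: Dict[Tuple[str, str], str] = CHECKLIST) -> bool:
    """True when the configuration matches every checklist item."""
    return not check_config(config_text, checklist)


if __name__ == "__main__":
    for section, option, expected, actual in check_config(OBSERVED_CONFIG):
        print(f"[{section}] {option}: expected {expected!r}, found {actual!r}")
    print("compliant:", compliant(OBSERVED_CONFIG))
```

Run it before the machine goes back into service and again on a schedule; a setting that drifts after an update (the auto_check example above is exactly the kind of thing an updater likes to turn back on) is caught the same way as one that was wrong at install time.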

Do your research: if you want to introduce new software into your secure configuration, then you need to ensure all the homework has been done. As I said above, I would actually perform this step first; you might be able to rule out installing the software just based on the vulnerabilities found. If everything turns out well, then I highly suggest having a configuration checklist for the software. Happy researching.
