What to do when software goes rogue


June 23, 2017

Rogue software can lead to a number of vulnerabilities and even cyber attacks.

Going “rogue” is often characterized as being a renegade: “no longer obedient, belonging or accepted, and hence not controllable or answerable.”

When is software rogue? In today’s fast-paced world of data, software that’s gone rogue can run the gamut from unapproved software introduced from BYOD (Bring Your Own Device) policies to an approved operating system on a server that has passed its end-of-life (EOL) or end-of-support (EOS) dates.

Why does it matter? Because rogue software runs throughout your systems without IT's knowledge, it creates security vulnerabilities that the organization cannot track or patch. Those vulnerabilities can lead to cyberattacks, unauthorized access, security breaches and more.

BYOD Challenges

More and more employees are bringing their own personal devices to work, but many companies still don’t have formal BYOD programs or policies in place. In a recent BDNA survey study, 26.6% of those surveyed admitted their organization had no BYOD policy. Personal mobile phones are the most common, but personal laptops and tablets have become almost as common.

While enterprises that allow BYOD devices have experienced reduced IT costs and increased employee productivity, there are downsides. The most fundamental issue is that the company doesn’t own the device, and therefore has little to no control over the software deployed on it. This creates real security risk, because IT must suddenly deal with a plethora of devices, configurations, applications, software versions and more.

Added to that complexity are further exposures, such as tracking cookies and malware that may have infiltrated the device without the owner's knowledge and without any security checks in place. In essence, software enters the organization through the BYOD channel and runs rogue within it. In the same BDNA survey, respondents stated that data leaks were the biggest BYOD concern for their organization.

A personal device asset management strategy can help with challenges such as deciding which devices to support, whether to allow employees to choose and bring their own devices into work, and how to handle security vulnerabilities potentially introduced through personal devices. It also allows companies to compartmentalize personal and corporate data through the use of data containers, making the wipe of corporate data easily executed. Within discovery and asset management tools, the IT department has visibility on when, how long and how many times an application on a personal device has been used. Inventory is a core part of any strong security solution, not only because it provides visibility, but also because it can help identify software that’s gone rogue or unauthorized devices with ease.

Asset management enables a company to unify data silos and improve efficiencies across the enterprise. It reduces compliance risk and drives corporate standards. It enables a company to drive strong IT business alignment, providing better IT service management, greater transparency into IT spend and more. Companies benefit from an asset management solution because it enables them to learn, reconcile and analyze the personal device data as well.

Asset management tools are a vital component of any enterprise IT BYOD management strategy because they provide a global view of IT architecture, whether fixed or personal, and a detailed, up-to-date analysis of hardware and software assets. Automated approaches enable the more frequent checks required.

EOL Challenges

For many organizations, IT asset management is beginning to overlap with data security processes because the looming consequences of not managing end-of-life (EOL) software are too great to ignore. Once software becomes obsolete and no longer receives patches, it becomes a magnet for hackers looking for vulnerabilities. In the same survey looking at BYOD trends, BDNA discovered that 51.6% of organizations do not have a process for handling EOL software. In fact, software vulnerabilities in commercial products are the biggest source of data breaches in the enterprise. Not managing end-of-life of enterprise applications has major implications for enterprise security, compliance, cost of support and the ability to maintain critical processes.

The challenge is that technology vendors don’t always diligently publish the EOL dates for all of the software they sell, leaving IT teams to their own devices. IT teams are tasked to manage their own software assets and plan their application portfolio efficiently to retire applications in a timely manner.

In one organization with more than 550,000 software installations, 56 percent of their software was found to be EOL, posing a very high security risk. More than 6,350 instances of the software installed had come to EOL more than 14 years before and included applications from Microsoft, SAP, IBM, Symantec and more.

This is where asset management tools that automatically provide visibility into the entire asset lifecycle, including EOL dates for application software, become extremely useful. Such tools go beyond providing visibility into IT networks: they analyze the inventory database and alert IT managers about which assets are end-of-life, nearing end-of-life, approved or unapproved, and/or out of configuration. This increased awareness not only allows organizations to be proactive about their security needs, but also enables them to leverage their data more effectively.
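As an added illustration (not code from the article or from any BDNA product), here is a small Python classifier over a constructed inventory that flags each install as end-of-life, nearing end-of-life (an assumed 180-day window), unapproved against a baseline, or lacking a published EOL date, and summarizes the estate the way the report above does:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
from collections import Counter

NEARING_EOL_WINDOW = timedelta(days=180)  # assumed "nearing end-of-life" threshold
AS_OF = date(2017, 6, 23)                  # reporting date used for the example


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str
    eol: Optional[date]  # None when the vendor has not published an EOL date


# Constructed approved-software baseline: (product, version) pairs IT has sanctioned.
APPROVED = {("OfficeSuite", "2016"), ("DatabaseServer", "12"), ("WebBrowser", "58")}

# Constructed inventory, as a discovery tool would report it (hypothetical products).
INVENTORY = [
    Install("srv01", "DatabaseServer", "12", date(2019, 1, 1)),
    Install("srv02", "DatabaseServer", "9", date(2010, 7, 1)),
    Install("wks01", "OfficeSuite", "2016", date(2025, 10, 14)),
    Install("wks02", "OfficeSuite", "2003", date(2003, 4, 8)),
    Install("byod01", "PhotoTool", "3.1", None),
    Install("wks03", "WebBrowser", "58", date(2017, 8, 1)),
]


def classify(inst, approved, today):
    """Return the set of findings for one installation (possibly empty)."""
    findings = set()
    if (inst.product, inst.version) not in approved:
        findings.add("unapproved")
    if inst.eol is None:
        findings.add("eol-unknown")       # vendor never published a date: needs manual review
    elif inst.eol <= today:
        findings.add("eol")               # no more security patches from the vendor
    elif inst.eol - today <= NEARING_EOL_WINDOW:
        findings.add("nearing-eol")       # plan the upgrade or retirement now
    return findings


def years_past_eol(inst, today):
    """Whole years since support ended; 0 if still supported or unknown."""
    if inst.eol is None or inst.eol > today:
        return 0
    return (today - inst.eol).days // 365


def summarize(inventory, approved, today):
    """Aggregate findings into the kind of report an IT manager would be alerted with."""
    counts = Counter()
    for inst in inventory:
        counts.update(classify(inst, approved, today))
    total = len(inventory)
    return {
        "total": total,
        "counts": dict(counts),
        "pct_eol": round(100 * counts["eol"] / total, 1) if total else 0.0,
        "stale_over_10y": [f"{i.host}:{i.product} {i.version}"
                           for i in inventory if years_past_eol(i, today) >= 10],
    }


if __name__ == "__main__":
    print(summarize(INVENTORY, APPROVED, AS_OF))
```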
