Current IT Risks and Their Consequences for SAM

The WannaCry attacks are already producing a dramatic ripple effect. For instance, there have been calls for a mandatory requirement to report security vulnerabilities, as well as for greater responsibility on the vendor side. Our expert Maximilian Hoppe discusses the latest buzzwords among IT risks and how they impact Software Asset Management (SAM).

An article by Maximilian Hoppe, SAM Consultant at COMPAREX


“We need a reporting obligation for security gaps, and it must also include state security authorities,” stated Telekom CEO Timotheus Höttges in reaction to the global WannaCry attacks. He called for a renunciation of mutual cyber-attacks and cyber-pioneering, comparable to the international renunciations of certain weapons. The DT Group also represents this position politically, for example with a keynote by board member Claudia Nemat at the last meeting of the G20 Digital Ministers in Düsseldorf, or with the reorientation of the Telekom Security business unit. Tracing the whole development of this discussion would go beyond the scope of this article.

Current IT risks: Everyone should be familiar with these buzzwords

Security vulnerabilities pose an immense risk to the public and private sectors alike. Attacks on hospitals demonstrate this fact as much as the smallest hack on individual PCs in multinational corporations.

The number of potential risks is staggering in this regard. Anyone involved with current IT risks will come across a stack of buzzwords:

Zero day exploits

“Zero-day exploit” is one of the terms that has acquired a certain prominence, especially in recent years. It describes a risk that has existed from the software’s very first day without being patched. For instance, this issue became clear on Microsoft’s Patch Day in August 2017 due to a missing update for Server Message Block (SMB). Originally, the issue had become widely known in the wake of the Heartbleed Bug in 2014.

SQL injection

It’s not just Microsoft that has problems with patches. The fact that vendors are not always facing challenges due to the same vulnerabilities merely compounds the issue. SAP recently patched 3 vulnerabilities in its CRM system, which were assessed as particularly critical. An attack on these vulnerabilities is truly fatal, given that the database is usually only active in the background and is viewed accordingly, although it contains highly sensitive data. Manipulated queries are used to identify vulnerabilities and locate inadequately filtered parameters on websites.

Distributed denial-of-service

A distributed denial-of-service attack aims to achieve precisely what its name suggests: to crash a website’s services. This is generally caused by accessing the site from a huge number of computers and performing such an inordinate number of operations that the targeted servers are unable to process them all. The example of security expert and blogger Brian Krebs shows how dramatic the consequences can be. Despite support, his website was brought to its knees under the weight of queries in an estimated range of 600 to 700 gigabits per second. The risk is growing exponentially due to the increasing prevalence of the Internet of Things, as even an Internet-ready fridge can act as a bot.

Local exploits

The human risk is a hot topic in any security seminar. Whether it is executable macros or bad links, individual users can quickly place an entire company network at risk.

What do IT risks mean for Software Asset Management?

Software Asset Management, SAM for short, affects many areas of an enterprise, so it is imperative to keep a close eye on developments. The latest statements by BSI President Schönbohm that greater responsibility should be placed on the manufacturers raise a large number of issues. For instance, how will the update processes change in future, and in what way can companies adapt to the new scenario?

Microsoft’s Current Branch for Business Model shows the vendors’ preferred path in particular. After all, patch day events are both a blessing and a curse for them. On the one hand, the systems they offer need to be as secure as possible, but on the other hand they are reluctant to force major users in particular to accept permanent update processes. Last but not least, patch development itself ties up internal resources. But proprietary vendors remain responsible for patching known vulnerabilities to avoid becoming liable toward their customers.

How will vendors satisfy their duty to patch vulnerabilities?

Mainly by outsourcing. It is already standard practice to remunerate the identification of bugs and vulnerabilities. Microsoft, for instance, recently established a suitable scheme for its most recent operating system Windows 10. The vendors attempt to provide support in other ways as well. Microsoft has released a self-assessment tool for adherence to the European General Data Protection Regulation (GDPR), which is intended to ensure GDPR compliance in the cloud especially.

Prevention thanks to Software Portfolio Management

Companies need to take the initiative as well by at least ensuring that all security patches released by the software vendors are installed ASAP. But that can only happen if the companies are aware of their status quo: what software is even installed? Which critical patches are missing?

The next step is to decide when tighter restrictions are placed on potentially risky products in regard to their support. By conducting reevaluations more frequently than for standard products? Is it possible to put unsupported software on a blacklist without any further ado, and if so, how will this affect the productive side?

The Portfolio Management Platform by COMPAREX offers you precisely the information you need:

  • Identify software for which vendor support has expired.
  • Track down and delete “illegally” installed software such as apps and games.
  • Make sure your patch level is shown automatically and compare it with the newly available releases.
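
The three checks listed above can be run as a comparison between an installed-software inventory and a catalogue of approved products. The following Python is an added example, not code from COMPAREX or its platform; the product names, versions, dates and the `assess` and `parse_version` helpers are constructed for illustration, and versions are assumed to be purely numeric and dot-separated.

```python
from datetime import date

# Constructed sample inventory (hosts, products and versions are illustrative).
INVENTORY = [
    {"host": "pc-01", "product": "ExampleOffice", "version": "16.0.4"},
    {"host": "pc-01", "product": "ExampleGame", "version": "1.2"},
    {"host": "srv-01", "product": "LegacyERP", "version": "6.0.2"},
    {"host": "srv-02", "product": "ExampleDB", "version": "11.2.0"},
]

# Hypothetical catalogue of approved products: latest release and end of vendor support.
CATALOGUE = {
    "ExampleOffice": {"latest": "16.0.10", "end_of_support": date(2020, 10, 13)},
    "LegacyERP": {"latest": "6.0.2", "end_of_support": date(2016, 12, 31)},
    "ExampleDB": {"latest": "11.2.0", "end_of_support": date(2021, 6, 30)},
}


def parse_version(text):
    """Turn '16.0.10' into (16, 0, 10) so versions compare numerically.

    A plain string comparison would rank '16.0.4' above '16.0.10'.
    """
    return tuple(int(part) for part in text.split("."))


def assess(inventory, catalogue, today):
    """Return (host, product, finding) tuples for every installation at risk."""
    findings = []
    for item in inventory:
        entry = catalogue.get(item["product"])
        if entry is None:
            # Not in the approved catalogue: candidate for removal.
            findings.append((item["host"], item["product"], "unauthorized"))
            continue
        if entry["end_of_support"] < today:
            # Vendor no longer ships security patches for this product.
            findings.append((item["host"], item["product"], "unsupported"))
        if parse_version(item["version"]) < parse_version(entry["latest"]):
            # A newer release exists than the one installed.
            findings.append((item["host"], item["product"], "patch-missing"))
    return findings


if __name__ == "__main__":
    for host, product, finding in assess(INVENTORY, CATALOGUE, date(2017, 10, 25)):
        print(f"{host:8} {product:15} {finding}")
```
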

Our experts will help you to draw the right conclusions from the available information.


Leipzig, 25.10.2017
