Application Management with the Death of Adobe Flash
Risk & Security

Adobe Flash Is Dead. But Other Insecure Apps Are Out There Waiting to Cause Mayhem.

Here's what you need to know to monitor, patch and keep those apps up to date throughout their lifecycle, including their natural end of life.

In the end, death came fast. On January 1, 2021, the makers of Adobe Flash, which had once been the ubiquitous go-to media player on desktops, notebooks, and other endpoints, ended their support of the buggy software after its more than two-decade run. 

During much of its reign, Flash was plagued with serious security flaws. But that didn’t stop many companies from using the easy-to-deploy application. 

That’s because web developers had found Flash simple for creating attractive user interfaces and for incorporating multimedia videos on their corporate sites. So much so that they brushed off Adobe’s warnings and kept the app running — across as many as 1 billion endpoints at the height of its usage.

To people like Bill Pelletier, the reluctance of enterprise teams to balance the convenience of apps like Flash with good security decisions can be costly. As a security architect at a national insurance company in the 2010s, he warned his firm against using Flash to collect user data and provide price quotes on users’ browsers. No one listened. “Suddenly, migrating away from Flash ended up becoming a $1 million effort over the course of several years,” Pelletier says.

Suddenly [for us], migrating away from Flash ended up becoming a $1 million effort over the course of several years.
Bill Pelletier, security architect

Today, Pelletier says companies need to hear that lesson because there are hundreds, if not thousands, of applications and bits of applications running across the world’s enterprises that pose similar security risks. He adds that the risk/reward of choosing applications needs to be carefully balanced, and that they need to be monitored, patched and kept up to date throughout their lifecycle, including their natural end of life.

When applications go unpatched and unmaintained, they can often be exploited remotely as long as an enterprise uses them. Companies that merge with or acquire other companies without fully understanding the tech stack they are inheriting often suffer the most from the lack of ability to assess and patch.

As much of today’s workforce works remotely, the risks are even higher. “We no longer work within the protections of a corporate network firewall,” says Pelletier. “We’re now sitting in home offices, on couches, and plugged into our home office cable modems or using public Wi-Fi while traveling.”

While effective endpoint security won’t be achieved in a “flash,” experts say security teams should adhere to these five basic security strategies.

Train workers to be security savvy

The first line of defense is the people behind the endpoints, the laptops, PCs, tablets and other devices that organizations have deployed them with to conduct their work remotely. Security teams along with HR must effectively train workers to be wary of clicking on enticing phishing emails or from installing rogue or risky applications. “Security awareness training is indispensable,” says Ken Swick, senior security consultant at Manchester, England-based security services provider NCC Group. “Awareness training helps to make sure that users do not introduce that bad stuff. It also can make users aware of the dangers of storing sensitive information on their endpoints.”

A robust security awareness and training program should start with a dedicated training manager who can explain complex subject matter and drive employee engagement, not overload workers with security fatigue. That often means avoiding the type of security lecturing many companies engage in and turning instead to gamified security training and interactive videos that include workers in the security process and keep them engaged.

[Read also: How to turn remote workers into security advocates]

This training needs to be repeated and needs to focus on changing long-term behaviors. One 2020 study conducted by Forrester Consulting for email and data security company Mimecast found that security education alone doesn’t help. Despite receiving security awareness training, a third of the survey respondents, on average, admitted to bypassing security policies, showing that cyber behavior itself needs to change.

Improve IT visibility

Being able to stop a breach is better than having to detect a breach. This makes good endpoint management essential. According to a 2020 Tanium survey of 750 IT decision-makers, 94% of CIOs have discovered endpoints within their environment that they were unaware of, thus clouding their ability to reduce potential security risks associated with those endpoints.

Business-technology teams need to know which devices workers are using, where those devices reside, which applications they are running, and which types of data they process and contain. “Having good information about the endpoints in use is essential,” says Fernando Montenegro, a security analyst at the market research firm S&P Global Market Intelligence.

Bill Pelletier adds that device management needs to be on every organization’s action list, if it isn’t already. “You need to have the ability to manage all of these devices regardless of where they are located so that you can do all of the hygiene you need to do to help stay secure,” he says. 

Practice IT hygiene

The best way to keep attackers out of endpoints is to close as many entryways as possible. IT teams can do this through configuration management, policy enforcement and effective patching. “Good hygiene means keeping things patched,” says Pelletier. “That means reducing your reliance on out-of-date components like Java.” He asks, “Why do you need Java 1.41 on your device?”

In addition to installing the latest patches to keep attackers and malware at bay, it’s also vital to continuously enforce proper device configuration policy, such as identifying rogue apps. “Having the ability to ensure that only authorized software is installed and properly configured on the endpoint is an important control for consistency, legality, and support,” says Swick.

Ensure accurate telemetry

IT teams must understand each device’s business context. This includes the device owner’s role and the types of actions the user conducts, which would be largely based on telemetry — the automated data and communications about the systems running on an endpoint. That in turn helps ensure that the proper defenses and security policies are in place. For a CFO’s endpoint, the security would include those same monitoring of network traffic flow, cloud, and endpoint processes, as well as additional monitoring. This could include the monitoring of application behavior of financial systems that the CFO would access.

[Download: Mind the Endpoint Visibility Gap]

“We’re seeing how valuable endpoint telemetry is for figuring out what’s going on in the world. It’s well beyond determining whether or not the VPN is being used on the device,” says Montenegro. “It’s more about understanding the state of the device and how it’s being used. That includes telemetry from the email systems, from the identity and access management systems, or contextual business information so that better security decisions can be made.”

Improve endpoint incident response

Eventually, every organization suffers an endpoint breach, whether it’s due to vulnerable software or from a staff member clicking a link in a phishing email. Bad security, including endpoint security, is costly. According to the 2020 Cost of a Data Breach Report, with research provided by the Ponemon Institute and published by IBM Security, globally the average cost of a data breach was $3.86 million. The average time to spot or contain a breach: 280 days.

While many aspects of endpoint security have remained the same over the years, the complexity and the scale of the problem have continued to increase. “The skills enterprises need now are the ability to respond at scale because enterprises are now dealing with the challenge of tens of thousands or hundreds of thousands of devices,” says Montenegro.

Incident response is also crucial for regulatory compliance, a concern that ultimately torpedoed Flash at the insurance company where Bill Pelletier worked. “They [the web development team] wanted to run payment information through Flash, and we essentially told them it wasn’t going to happen,” he says.

Yet Flash initially did happen because it worked, and it was so easy to use. And that’s the same battle security professionals have to fight and manage every day across all the endpoints in their business if they want to keep them secure. 

 

George V. Hulme
George V. Hulme is an information security and business technology writer. He is a former senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSO Online, Computerworld and Network Computing.