Tech Horror Stories: How Unchecked Software Installs Could Cost You Big Business

Speaker 1:

I'm Max Clark. I'm gonna share a horror story with you. It happened to a friend of mine. So I'm gonna be very careful not to get into too many details here, and you'll understand why. So I was talking with this friend, and I don't even know how we got on this subject, but we just kinda, like, traded notes of crazy stuff that's happened to us in business.

Speaker 1:

And for whatever reason, while this conversation is going on, they opened an email up, and that email was a letter from an attorney representing a software company, and the letter basically said, we've caught you. We know that you've pirated our software. We know you've got this much of our software, and you owe us this much money, and it was significant. You owe us this much money or we're gonna do horrible things to you. Write us a check right now.

Speaker 1:

So send us the money you owe us. I mean, it was just like this look of defeat. And the first thing was like, I don't even know what the software is, what we're doing with it, if it exists. Like, I don't know. What is this stuff?

Speaker 1:

Right? And they're not IT people. They have IT as a byproduct of having a business, which is the same for everyone. It was like, I don't even... what is this stuff? And are we using it?

Speaker 1:

What to do here? And just this absolute look of defeat. Now I'm gonna change gears here at this point. We'll start talking about what actually has occurred and what occurs in a lot of companies, what happens. And so the first thing is, there are organizations that software companies subscribe to. The biggest one is probably the BSA, the Business Software Alliance.

Speaker 1:

And these organizations exist to audit companies for software compliance. Now, as more and more software has moved into some sort of subscription license model, where you have to have an activation key that then checks in and validates a subscription in real time, these things have changed. But in the good old days of just having, like, a license key enablement, or being able to license your Microsoft Windows NT 4.0 server and just type in, yes, I have 999,000 licenses. We all talk about this as being one of the reasons why Microsoft might have been successful over Novell, because with Novell, you had to have a floppy disk that you put into a server thing that was connected to the MAC address of the network card, and it was very hard to fake your licenses with Novell network servers. Okay. So anyways, so this is a byproduct of a couple of things.

Speaker 1:

The industry kinda calls this, you hear, like, shadow IT; it's a term that's used a lot. Shadow IT is just really when you have IT related decisions being made outside of an IT department or IT control. Right? So, we're gonna run X software. We're gonna install Slack.

Speaker 1:

We're gonna use Figma. We're gonna download and install Adobe. We've got a corporate credit card. We're just gonna install this stuff. Then all of a sudden, at some point, you turn around, you realize, like, holy smokes.

Speaker 1:

We've got stuff out there that we didn't know existed, that we have to support, or that maybe has vulnerabilities that we weren't paying attention to. And now what do we do about it? Of course, in this earlier example, the other scenario, the nightmare scenario, is this whoops: people were just downloading and installing software in a way that they shouldn't have been doing. Now it's kinda cost us a ton of money.

Speaker 1:

So what do you do about this? A lot of these things are not really hard to deal with. Probably the first and foremost thing is, are you allowing your employees to install software on your computers? And should you be? Now from a general risk standpoint, I'd argue that you probably should be.

Speaker 1:

You can eliminate a lot of security threat vectors and risk vectors by just not allowing people to install software. If an application can't run as admin in a lazy way, it cannot do things as admin in a lazy way. Right? Now there's more nuance to it than that, but that's a simple example. So hopefully you get it.

Speaker 1:

Now there's a lot of different ways of managing this, and this becomes one of those things where you need to make decisions of how you wanna manage this. You can manage this through user account policies when you create and set up desktops. Right? Instead of giving people a sign in to the desktop with administrative access, you create a user account for them, and they don't have administrative rights. And then do you yourself, or your IT person, have to walk around and log into every single computer and provide updates or install software?

Speaker 1:

It's kinda like the old medieval dark ages way of doing it. You probably don't wanna do it this way. More modern versions of this would be to use what used to be called an MDM, sort of mobile device management. Now it's called universal endpoint management. By the way, all these acronyms have, like, 4 versions of acronyms.

Speaker 1:

So if I'm using a wrong acronym, that's because it changed since I learned it. Anyways, tell me I'm wrong. So what MDM does for you is you enable and you enroll the device. Usually, when the device turns on for the first time, the device goes through an enrollment process, and then you have remote centralized administrative control over that device, including what software gets installed, what things the device can and cannot do, disabling USB ports. Also, a really good idea to disable your USB ports on devices.

Speaker 1:

That way people can't exfiltrate data off of your systems via USB, or they can't plug in random USB devices they found in the parking lot. Those still happen all the time, even though it's basic training for cybersecurity awareness. So don't just randomly plug USB drives in. Chain of custody for USB devices is really important, to the point where, like, I don't even trust USB devices I buy in stores anymore. I mean, it makes me nervous to plug them in because I've been through this so many times.

Speaker 1:

It's kinda becoming this really weird thing where I'm just paralyzed about USB drives. Anyways, so your MDM and your UEM can be used to configure the device, to create accounts, to set device policies, and your MDM and UEM can also keep track of, in some cases, asset management of what's been installed on devices. So if for some reason you've given people the ability to install software, you can see what was installed. So that is one approach of managing.

Speaker 1:

By the way, UEM and MDM, I'll just start saying UEM, is a great thing for you. It enables you to massively scale the amount of endpoints that some of your IT team can manage. And so your endpoint to FTE ratio goes through the roof. So when I started in IT, we were looking at ratios of, like, 50 or 60 to 1. So 50 to 60 users to 1 admin.

Speaker 1:

And with good solutions, 150 to 200 to 1, I think, is pretty normal at this point. So your mileage may vary. So that's MDM; you can do that with MDM. Vulnerability management. So vulnerability management, VMDR is an acronym you'll see.

Speaker 1:

Usually, an agent that gets loaded onto the computer. A lot of times, you're using a human to deploy your vulnerability management software. And vulnerability management's awesome because it'll give you an inventory of what's running where and what versions it's running. And do you have theoretical risk with that software? Or do you have actually demonstrated risk with that software?

Speaker 1:

So, you know, there's a difference between, hey, this software is vulnerable if you have local root access to a machine and then you can do these commands, versus, hey, Log4j, you're hosed. Do something about it right now. And, oh, by the way, every single version of Log4j is vulnerable. So vulnerability management is great because it'll show you when software is being installed, and it'll show you changes in your asset management, in your inventory.

Speaker 1:

So that's a different way of seeing that. Now vulnerability management won't necessarily give you the ability to uninstall it or to change it, but it'll show it when it pops up. So that's pretty good. EDR. EDR will show you when things change on the device. So you can set EDR policies.

Speaker 1:

A lot of these lines are getting really spongy too because functionality changes. Like, do you wanna disable USB ports? Is that something that EDR should do for you? Is that something that MDM does for you? Is that something that you're doing with group policies or admin policies?

Speaker 1:

So these techniques kinda overlap. So EDR. Let's see, what else? If you're using a secure web gateway, especially if you're using, so, SASE. So if you have a SASE platform, and that SASE platform includes, which it should, a secure web gateway or CASB or DLP functionality, usually, kind of, again, lanes are getting blurry here. A lot of times those platforms, again, will show you what software is running and phoning home across your fleet of devices.

Speaker 1:

So if you have software that pops up that is not supposed to be there, you can block it in the SASE platform. You can figure out where it's running, who's running it, who installed it, what was going on with it. And again, with policies, with SASE software and DLP systems, you can get into whether or not you want to block the ability to download executables in the first place off of a platform, which is interesting. Right? So, no, you cannot download the installer package because it's blocked by this policy. So which one of these approaches you use really is situationally dependent on how big you are, where you are, how mature your IT practice is, what you should do, what steps, what you're trying to achieve, and if you have other compliance issues that you need to keep track of or deal with.

Speaker 1:

Now what I will tell you is a lot of this stuff becomes kinda table stakes ish things. Right? I personally believe that SASE should be everywhere. Purchasing hardware firewalls and employing them in offices is 2008. There are so many advantages to having a cloud federated firewall.

Speaker 1:

I'm just using the buzzword here. But to have something that you are not, I mean, responsible for updating, and that can be updated in real time, and that can actually apply very large datasets and machine learning algorithms against to find patterns and to protect you. Right? So having a firewall that does some sort of IDS, IPS, or deep packet inspection or UTM on the firewall, you're limited to the processing power and updates that firewall has. When you go with something that's delivered via the cloud, if you have something that's cloud based, you're not maintaining that.

Speaker 1:

Your service provider is maintaining that, and that stuff is being updated very quickly. Okay. So back to table stakes. If you're not running an MDM or UEM platform, just get one. Microsoft Intune.

Speaker 1:

If you're running Office 365, it's gonna be great. If you're running Chrome OS, upgrade to Chrome Enterprise and get their platform. If you're running Macs, there's lots of options out there. Jamf is probably the most common that I see. Mosyle is popular.

Speaker 1:

I mean, you can get into these unified systems like AirWatch or MaaS360. I mean, it doesn't really matter. Notice that I'm not, like, really, like, oh, you have to run this platform, otherwise you're gonna be doomed. The point is just get the functionality, and get it running, and get it deployed, and then set policy with it that makes sense for you.

Speaker 1:

So now what I told my friend was basically this. Tell your IT team, in this case they had a service provider that they were contracting with, an MSP, to deploy an MDM and to prevent this from happening to you again in the future. Not a lot of change has to take place. I think there's fear that comes across of, like, what's gonna happen as a result, and are we gonna piss our employees off, and are they not gonna be able to work? And the answer is, when you're a small company, let's say you're a really small SMB, you're, by definition, an SMB, you're 20 people, and somebody installs a $1,000 software package on 15 of your computers, and then you pay penalties on top of that, and then you've got enforcement fees and everything else.

Speaker 1:

Right? Do you really want to give people the ability to cost you $50,000 out of, like, thin air? I mean, like, literally, you just open your email up one day and you find out that you've got a demand for $50k. And that number multiplies with scale. So 20 people.

Speaker 1:

Now imagine that being 200 people. And for some reason, people have deployed some software package that you don't even need. It was just like, oh, we installed this everywhere just because. Right? And we put it on 150 computers at $1,000 a pop.

Speaker 1:

Right? This goes from being a non issue to an existential crisis really quickly. So from the business hat side of things, don't allow USB access. It's not worth it. Nothing good will come of it.

Speaker 1:

You've got a platform to share files with. I guarantee it. Right? Google Drive, OneDrive and SharePoint, Dropbox, Box, whatever you're using, it can share files just fine. You don't need USB drives.

Speaker 1:

And the overwhelming majority of your employees do not need to install their own software or manage their own software and have admin access to their machines, and you should not give it to them, because the multitude of bad things that can happen to you versus the slim lines of good things are so... anyways, it just doesn't matter. I'm Max Clark. I hope this helps. If you have any questions, clarifications, or just want to tell me I'm wrong, comment below and we'll respond.
