Thank you, both for your responses. It helps provide me with some guidance about how to best secure our devices while balancing the scope of our vendor repository.
Original Message:
Sent: 07-07-2023 12:04 PM
From: Larry Timmins
Subject: Assessing Free Online Tools, Browser extensions, and Software Add-ons
Hi Stephen,
Hilary answered on the policies.
Sorry if this doesn't address your question directly. Overall, be sure your Acceptable Use policy states what is allowed and what is strictly prohibited on your business network. However, you also need controls and an enhanced security posture (IMHO) in addition to policies, awareness training and procedures to manage those components, if available. Not covered are risks inherit in SaaS and Cloud services (GitHub, Slack, etc) that need separate approach often tied into Development (CI/CD workflow, SCA, etc).
For best practices on what is allowed to run (and if its safe to run), IMHO it is possible to install multiple agents (log forwarding, file integrity monitoring, endpoint protection) to all endpoints rather than just your servers. One reason is as you move to Cloud or SaaS or M365, the endpoints will need to be protected as your on-premises infrastructure dwindles.
In addition to agent-heavy (but light enough for any W10/W11 laptop) monitoring, adding group policy management of browsers (presents unapproved extensions/configuration changes),and normal anti-virus/anti-malware agent and firewall controls is all part of endpoint 'execution' awareness.. By default, our IT Help Desk will deal with calls, listen for possible justification, and if plausible, direct them to their supervisor, et al, to begin exception approval process. For online / free tools, we have made most of the decisions on what we allow, what we are willing to pay for (we have many one-off tools or apps with 2 or 4 or 10 users rather than licensing side so we don't waste money to license all users in AD.
On the policy side, our Acceptable Use policy prohibits anything that is not for business unit on our devices, network, etc. and preserves business right to exercise continuous monitoring and shaping what is allowed and not allowed.
So, I guess (IMHO) our assessment is to deny all online tools, extensions, software add-ons by default.
With the 160 plus allowed apps, we don't see many we have to add. We have contractors, etc. work in limited environments, often without any means to access Internet once they are connected over the secured session. We have found any individual that couldn't deliver value and work with the app suites we use. Our weekly reviews (of immediate alerts) we confirm if app should have ran, was already known (hopefully always), and review entire session to see if the Internet endpoint (incoming/outgoing) was performing correctly (i.e., used the high security / encryption we require/request and don't send us 'downgrade encryption' requests that raise SOC alerts, etc.)
Last, we manage all allowed extensions, "free" tools" and software add-ons to always apply security updates; test and deploy latest version; remove old versions (Putty, Notepad++, etc.) and since we have inventory of who/what device is using said tools, we can auto deploy.
It wouldn't be possible, IMHO, if we didn't integrate assess all software running and/or installed and/or accessed within our continuous monitoring (log retention/analysis/correlation) provided with Managed Detect Response services, regular reviews with cybersecurity experts, and reviews with MDR value management (asset visibility, etc.).
We regularly monitor endpoint user devices for new scheduled tasks, installations, applications not already in inventory, plugins, current version checks, etc.
If you do have a MDR service, be sure it includes reviews of exposures, comparisons of top exploited apps vs your installed applications, tools, extensions, software add-ons, so you don't wait for monthly (Microsoft) or quarterly (Oracle) updates if your environment has any component that is stale or out of date.
Fortunately, we can test browser update status, OS status and anti-virus/anti-malware status (e.g., security posturing before granting VPN access) for every remove VPN connection -- and access is denied until those components are update to date before moving on to MFA process and getting authenticated.
CAVEAT: IMHO - I am concerned about deployment of Microsoft Code (VS Code) since group policy controls (what can be installed from marketplace) most likely isn't available. Fortunately our developers do not need Code for their Oracle Backend Development so we have to only track the Oracle tooling.
Original Message:
Sent: 06-23-2023 03:50 PM
From: Stephen Crouch
Subject: Assessing Free Online Tools, Browser extensions, and Software Add-ons
Can anyone share their policy and/or procedures on assessing free online tools, browser extensions, and software add-ons? These usually have click through agreements or do not require contracts. In most cases, security information is not available. And many times there is no contact to communicate with so sending a questionnaire is not possible. Is this type of vendor/third-party within your scope? and why?
-Stephen