Free software and applications are easily available to anyone with access to the internet. Some make life convenient and empower productivity. But, according to Brenwin Traill, an IT security expert at Securicom, companies are beginning to see that they aren’t so free after all.
“As the old adage goes, you get what you pay for, and in some cases free apps and software actually cost companies money and more,” he says.
Traill says with the consumerisation of IT, consumers have all manner of applications and software at their fingertips, just waiting for the taking from the internet or an app store.
“The sky is the limit; everything from automation tools, voice and video conferencing, remote access, data backup, you name it,” he says. “Employees are downloading their favourite third-party applications to make their jobs easier. File sync and sharing apps in particular are extremely popular and allow employees to store vast amounts of company information in the cloud.
“Other commonly used applications include instant messaging tools. Of course, these come with the risk of exposure of critical and confidential business information, or malware infections. This is why companies should be concerned,” says Traill.
Companies are also opting to free software to avoid purchasing it for their environment, or because it offers the types of tools and features they want.
“A paid-for official software product that can do 100% of what you need can cost hundreds of thousands of rands, but there might be a free product than can do 70% or 80% of what you need at zero cost, and nothing beats free. Software as a Service (SaaS) is emerging to be an alternative to outright purchase. The SaaS model allows companies to only pay for the software while they are using it, essentially renting it for a short time.
“The real trouble starts when employees install applications without company approval. In these instances, the software is usually installed on an employee’s workstation, laptop or corporate mobile device. However, we have seen cases where software has been installed on servers inside production environments without management approval.
“A lot of time employees know of or hear of an app that can make their work life easier. They download the software and unknowingly put the company at risk.”
He explains that free software is typically not up to standard when it comes to security and stability mechanisms built into the application. Some apps are written by a single person or a small team, and security is not their main focus.
Companies also do not receive support if something goes wrong. Many only realize that the backup solution they installed doesn’t actually do what it is supposed to until it comes time to restore information after a failure. Files can be lost or altered, and retrieving and resolving the issues can become expensive business.
“We had a recent case where a company was using a free tool for remote administration of production servers. This tool allowed admin passwords to be saved for convenience and a malware infection on an administrator’s laptop gave attackers a line directly into the businesses core servers and allowed them to wreak havoc on the network.”
Traill lists free software to avoid:
* Remote access tools. While great for helping you to fix mom’s printer from an internet café, these remote access tools don’t have a place in a corporate server environment. Remote access needs to be restricted and monitored so that access can be revoked if needed.
* Peer to peer software. These work on the principal of collective downloading. You don’t download a file from a single place and instead you grab smaller pieces from multiple places that have parts of it. While great in principal, you don’t know the contents of the file until the download is complete and it could contain malicious code. Usually these applications also want you to “share” a folder on your PC, if not correctly configured you might give access to your entire system.
* Proxy applications. These are designed to disguise certain traffic as something else and are typically used to circumvent other security devices on the network. These are risky as this traffic cannot be inspected and can contain malicious traffic without anyone knowing about it.
Not all free software should be considered bad, he adds. However, he stresses that there needs to be an approval process whereby an employee can request software to complete a task. This software needs to be tested and made sure it meets the company’s IT security requirements and be tested for vulnerabilities if possible.
The ultimate safeguard is for company computers and devices should be locked down so that staff is not able to install software that is not approved. If this is not the approach a business wants to take, education becomes paramount. Employees must understand the risks and not install software without approval.
“If you have network devices or firewalls that are application aware, you can define what applications are allowed to move across the network and setup policies to block high risk or unapproved applications,” says Traill. “On a workstation itself, you can define a policy where a normal user cannot install new software.
“From a corporate mobile device perspective almost all MDM solutions allow administrators to define allowed and blocked applications. It is all about control. As long as software is tested and meets the organisation’s internal security requirements, it should be safe to use.”