Managing Risks of "Potentially Unwanted" Programs in the Enterprise
Potentially Unwanted Programs Put Enterprise Data at Risk. How do You Tell Good Apps from Bad Apps?
In the beginning we just had adware. These were genuine software applications usually free to the user, but supported – or monetized – by advertising. Over time, the advertising has become more intrusive; and some adware has evolved into Potentially Unwanted Programs (PUPs) or Applications (PUAs). Advertising is still the most popular, but no longer the only, method of monetizing the software – but in the worst cases the application is designed to disguise the advertising rather than the advertising to support the application.
We will use the term ‘PUPs’ throughout this discussion. It is also worth noting at the outset that some PUPs have further evolved into disguised malware downloaders.
As PUPs have become more aggressive and devious, endpoint security firms have become more efficient at recognizing and removing the worst offenders. But the security industry has always suffered from one major problem: many PUPs do not break the law. Deep within the end user license agreements, the user is told that information will be collected and adverts delivered – and that use of the application confirms agreement with the conditions. Where the user has allowed an application (by accepting the EULA) to harvest personal details and deliver advertising, it is difficult to say it is breaking the law. In such cases, it would be the security firm removing the PUP that is the party that acts illegally.
PUPs have gained a huge boost with the increasing popularity of smartphones and tablets, and user tendencies to download apps freely from app stores. Many of the free apps legitimately use advertising to fund their development. But the last decade has seen the rise of a second monetization method – the sale of users’ personal details and browsing histories to big marketing firms as fodder for targeted advertising. These are the two biggest problems that PUPs bring to end users: aggressive and intrusive advertising coupled with personal information harvesting.
Until the last few years PUPs were primarily considered to be a consumer problem. However, the twin themes of Bring Your Own Device (BYOD) and mobility have brought mobile devices – and their PUPs – into the corporate environment. The question now is whether PUPs should be considered a corporate problem as well as a consumer problem; and if so, what should be done about them?
The Vendor View
Jack Danahy, CTO at Barkly, explains the problem: it’s the word ‘potentially’. “These potentially unwanted programs are, by definition, potentially wanted programs. As such, their function as spyware or adware is not automatically unacceptable, and their existence does not automatically construe a breach.”
The difficulty for vendors is that it is not up to them to decide whether any particular application is wanted or unwanted by the customer. Nevertheless, this is what they are expected to do. “One person’s PUP is another’s nifty Chrome extension,” adds Danahy.
“A big issue for security vendors is the threat of legal action coming from the PUP side, and the time consumption that it takes to verify how PUPs are distributed and installed,” comments Luis Corrons, technical director at PandaLabs. ”It is a very complex ecosystem with many different players involved.” For this reason, there is little consistency among vendors over how to handle the problem.
And yet PUPs are a growing problem for enterprises. “They are a big problem,” confirms Corrons. “One of the main problems is the use or waste of resources: network bandwidth, local CPU, Disk, RAM etcetera. It is hard to quantify, but if we took a look at the figures many admins would be really shocked.”
“While many are not ‘malware’,” adds Dan Schiappa, an SVP with Sophos, “they can still do disruptive things. PUPs can hijack browsers and replace plugins, search engines, etc. This can drive traffic telemetry and other information to their systems.”
Panda Security’s Q1 2016 report places PUP infections second only to trojans. “PUPs are positioned in second place with a quarter of the infections, well ahead of the Adware/Spyware (4.01%), worms (3.03%) and viruses (1.95%),” says the report.
But it’s not just a resource issue. “Many of these applications download and install other software,” continued Corrons. ”Who can guarantee that they won’t be delivering some kind of malware at some point in the future?”
The growing issue for corporates is that new BYOD policies and mobile working has the potential to deliver PUPs from the consumer into the business environment. “IT has no idea whether they are good or bad,” explains Simon Crosby, CTO and co-founder of Bromium. “Users assume they are good, but they may not be. Malware often masquerades as new utilities or media players, and AV software has no idea whether they are malicious, particularly if the app is signed. So PUPs are a huge problem for security conscious enterprises.”
And malicious PUPs can be very malicious. “PUPs are frequently used by attackers to exfiltrate data or perform administrator type functions to accomplish malicious goals,” warns Jon Miller, Chief Research Officer at Cylance.
The endpoint security firm with perhaps the strongest reputation for taking a firm stance against PUPs is Malwarebytes. “Based on the information that is being gathered by the PUPs and the way that the PUPs infringe upon the usual interaction between a user and the Internet at large, we feel that removing these PUPs from the user experience provides a benefit to our customers and users.”
On October 19, 2016, Malwarebytes announced its intention to acquire AdwCleaner. “AdwCleaner is a popular product, installed over 200 million times, and used by consumers, technicians, and enterprises all over the globe to remove adware, browser hijackers, other potentially unwanted programs, and more,” wrote Marcin Kleczynski. “As I write this, it averages more than 200,000 downloads per day.”
“PUPs ultimately increase an organization’s attack surface, which in turn increases risk for an organization,” says Scott Gainey, SVP & Chief Marketing Officer at SentinelOne. The solution, he suggests, is that organizations need to use a combination of PUP whitelists and blacklists, allowing those whitelisted and denying all others. This, in one way or another, is how all vendors try to solve the problem, with varying degrees of success. The difficulty is in deciding between trusted apps (whitelist) and PUPs (blacklist).
The Corporate View
Security practitioners, who need solutions for their own unique environment, often take slightly different views to the vendors who try to sell a single product to everyone. SecurityWeek spoke to six past and present security officers to get their views. Opinions ranged from ‘a good sized annoyance’, to a problem that ‘can introduce great risk into an environment if left unchecked.’
Todd Borandi, a Lead Information Security Architect, links concerns to the wider issue of application security in general. “Every well-known exploit in recent years has been the result of an exploited application and insecure software,” he says. The problem with PUPs is they are outside the immediate purview of the security team, and possibly rooted on a device not owned by the company.
“If the device is owned by the organization, the organization can control applications in a variety of ways using whitelisting, distribution images, virtualization, sandboxing, and so on. The challenge,” he suggests, “is similar to when a user on a BYOD brings the device in and plugs it into a desktop computer ‘only to charge’ the device. Here policies and security awareness training often play a role as applications get easier to make, distribution to users becomes easier, and people care less about the size of an application. An example is the flashlight app that should be maybe 200k, but there are apps for your flashlight function on your phone that are over 1MB in size. When people download these apps they do not consider what else the app may be doing; and what it could do when you plug it into a desktop system.”
To a degree, the approach taken to the PUP issue can be governed by the organization’s market sector and its employee risk stance. For example, student and researcher dominated environments accept that they need to give their users a higher than usual degree of freedom – students tend to push back against ‘freedom’ restrictions more aggressively than most paid employees. In fact, CISOs do not generally like to say ‘no’ to their users at all; they prefer to say ‘yes, but like this’.
Steve Lentz, security officer with Samsung Research America does not have a specific anti-PUP defense. His view is largely that adequate and overall security in depth will neutralize any PUP-specific threat. He believes that next-gen firewalls combined with network APT/DLP and endpoint solutions will suffice.
“For BYOD you need a good security system to prevent problems – not just MDM/EMM. There is a misconception that MDM or EMM provide security; they provide basic security but are mainly used to manage devices. You need a good 0-day malware solution for mobile devices, such as Checkpoint’s MTP. Add Samsung’s KNOX to secure the phone all round. Again, defense in depth.”
Heavily regulated companies may have little choice over how they tackle PUPs. Aviva is a financial services company involved in insurance, savings and investments. Iain Hunneybell is CISO at Aviva Digital. “Like most corporates and certainly corporates in a regulated environment,” he told SecurityWeek, “we strictly control what is and can be installed on machines – and of course users have no ability to install anything themselves. Hence we don’t suffer from PUPs as these usually come hidden in some other package. As only ‘vetted’ applications can be installed, we weed out anything like this. Also, our selection of software would tend to exclude anything that might package a hidden PUP.”
He accepts that this tightly regulated approach is not always popular “where some users are more familiar with ‘freer’ creative environments” but it is simply something that has to be enforced. “If you can ‘catch’ a PUP, you’re not too far from catching something much nastier. That’s why we’re so careful on these points.”
The nuclear solution to PUPs is to deny users the ability to install anything, and refuse to allow BYOD. An alternative approach would be to employ such overall security in depth throughout the environment that there is confidence that PUPs will be detected and dealt with in the normal course of events. Where BYOD is in place and users need to feel not unduly constrained, the solution is to control the BYOD devices’ access to the network. But all of these approaches suffer from one drawback: in preventing the existence of potentially unwanted programs, it is easy to accidentally prevent the existence of wanted programs that could increase user efficiency.
Long-term Solutions to the PUP Problem
“For large corporations with established IT departments and dedicated personnel, the problem is not so big,” comments security consultant Sorin Mustaca. “Usually, they have policies that apply to mobile devices which enforce certain security features, but not all. Nevertheless, the danger is there, because PUPs come very well masked under legitimate programs needed by businesses as well as by consumers.”
The implication here, of course, is that smaller companies and consumers with limited resources will continue to find PUPs a problem.
“Fortunately, most anti-malware products detect PUPs these days and offer the user the option to block them. In any case, with and without anti-malware products, the users should install only software from trustworthy sources or directly from the producer’s website. In Enterprises, assuming that the policy allows the users to install software, they should install only certified software (whitelisted by the company) or directly from the producer’s website.”
‘Whitelisting’ is the key to solving the PUP problem. If only known good apps can be installed, then there is no PUP problem. The difficulty for both the enterprise and the security vendor is in maintaining that whitelist. But one company believes it has the solution: AppEsteem.
AppEsteem was founded by Dennis Batchelder, who is also President of the Anti-Malware Testing Standards Organization (AMTSO). Batchelder prefers to describe these applications not by the epithet of PUPs, or PUAs, but by their operational methodology – software monetization applications. This avoids the issue or ‘wanted’ or ‘unwanted’, and accepts that there are genuinely wanted apps that behave in an acceptable manner.
What most people call a PUP Batchelder describes as a free application that makes money for its developers by various methods within or associated with the app. He does not say that this is a bad thing – he gives the example of free anti-virus products that include adverts urging the user to buy the full professional version. Essentially, this is the same behavior as a PUP; but this app is not usually unwanted, and is easily removable. What we term as a PUP can be either a good PUP or a bad PUP: the bad ones use monetization methods that verge on fraud.
So the problem is there are good monetization apps (those that make their methods clear and allow the user to make an informed choice) and bad monetization apps (those that disguise or hide or covertly increase their methods unknown to the user).
The issue for the enterprise, however, remains the same: how do you tell the good apps from the bad apps? How do you get that whitelist of good apps that allows you to block everything else? This is the purpose of AppEsteem. It has developed an app certification scheme that can be monitored and therefore enforced. The ultimate aim is that all good apps will certify themselves with AppEsteem. That becomes the whitelist that can be used by enterprises with minimal effort and by security vendors with maximum accuracy.
If this succeeds, it will go a long way to solving the PUP problem without damaging the legitimate software monetization ecosphere.