Gartner Blog Network

Attackers are Moving up the Stack. So Should We.

by Neil MacDonald  |  April 15, 2009  |  1 Comment

I had an interesting discussion with a client this week. They were trying to understand how several recent outbreaks of malware had gotten past their existing defenses.

In reviewing their architecture, it became clear that while they had an established process for patching Windows and Office, they hadn’t yet extended the process up the stack to their common desktop elements like the Adobe Acrobat reader, Adobe Flash, various media players, antivirus, Firefox, Chrome, Safari, and any other software element that was present in a majority of their desktops.

As we get better at patching the OS level and as the OS vendors get better at writing more secure software (Apple still has some work to do…), the bad guys are turning their attention “up the stack” to applications and users. Applications which are present on lots of endpoints are an attractive target.

Adobe’s recent zero-day vulnerability in Acrobat (where a malformed PDF could be used to execute arbitrary code) drove this point home. Do you know what version of Adobe is installed on each and every machine in your organization? Have they all been patched? How about Firefox? Chrome? We have got to get a handle on common desktop software versions and the patches that come with them.

The attackers are moving up the stack. So should we – by extending our existing vulnerability and patch management processes to include all common desktop software elements.

Category: application-security  beyond-anti-virus  

Tags: application-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Attackers are Moving up the Stack. So Should We.

  1. Neil,

    Another good blog post – thanks. Yes, totally agree again. As we “harden” the hardware and lower stack, the vulnerability and attack surfaces move higher. Therefore we must begin to address how we address the trust/safety/integrity and security of the the entire stack.

    From the time power hits the processor, thru login, at and during application load processes, and continuing thru network services – we need to have some notion of transient trust promotion.

    Microsoft has been messaging this (as most of us know) as “end-to-end” trust — so it is really what I said above repeated for both ends of a “trusted and secure” transaction between two endpoints and/or business process interchanges.

    We like to think of this as creating and passing the “trust baton” up and across the layers – attesting to some independent or federated trust references along the way.

    There are many challenges with this of course, not the least of which is vendor cooperation in the creation of to “trust baton”, and the passing of the baton up and through the various layers.

    All of this argues in favor and supports some of your prior posts IMHO. Let’s think about adding a “trust credential” when we are gating information and data transactions.

    Sort of a “FICO score” for platforms. With some proactive expression of positive trust and platform health (possibly leveraging whitelists) one could gate IDENTITY and PLATFORM trust credentials via NAC/NAP/UAC frameworks in some normalized way.

    With these type of methods, we might have a prayer of closing some of the full stack exposure issues that you point out.

    And we need to do that across a heterogeneous and increasingly vulnerable ICT infrastructure that the world depends on for just about everything these days.


Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.