It isn’t news that software piracy is a big problem for software vendors. Illegal use of applications has been going on since the first PC rolled off the line. What might be news, however, is the negative impact piracy might have on the Internet and on your company network.
Many computer users won’t pay retail prices for applications like Windows XP or Microsoft Office. So, large markets for cheap or free pirated software become possible. Selling Office and other high-priced applications for a fraction of the market price, illegal software vendors are reaping huge rewards. The following graph depicts the results of a 2004 online poll that asks, “Why would you use pirated software” (CastleCops, 15 Oct 2004).
Only about 28% of the 7,341 respondents said they wouldn’t use pirated software. This leaves over 5,000 individuals, or 72%, who appear to have no problem downloading and running unlicensed programs. Granted, this isn’t a “scientific poll”, but I don’t believe it deviates very far from reality.
In addition to depriving software companies of billions in revenue, the illegal software trade has another, potentially more sinister impact. A large number of pirated titles include something extra with the desired functionality—malware. According to Coenraad De Beer, founder of Cyber Top Cops, the number three culprit in the spread of malware is software piracy sites (“The Top Ten Culprits Causing Malware Infections”, 3 Jan 2007). In addition to offering unlicensed, infected applications and utilities for download, many of these sites attempt to install unwanted software on any connected workstation. And newly released software is not immune. DriveSentry researchers found malicious key-logging software and spyware on about half of the cracked Vista downloads available on the Internet (Robert McMillan, “Half of pirated Vista is malware”, IDG News Service, 25 Jan 2007).
It isn’t just pirated software that presents a risk. Number two on De Beer’s top ten list is illegal music and movie download sites.
Why you should care
Putting aside all the arguments about the evils of software licensing practices, the fact remains that using pirated software presents three business risks. First, the large number of users around the globe who install pirated software increases the potential for botnet recruits. As the number of bot-infected systems increases, so does the potential for more spam, denial of service attacks, and targeted attacks against specific industries, organizations, or governments.
The second issue is the infiltration into businesses of malware installed by employees or carried in by vendors on laptops. Essentially bypassing perimeter anti-malware controls, infected pirated software can be inserted into an enterprise network by often well-meaning employees.
Finally, even if an organization has a well-run patch management process, chances are that illegally installed programs will not be on the programs-to-patch list. Unlicensed and unpatched programs increase business risk as vulnerabilities are discovered and exploits released into the wild.
Mitigating the risk
Protecting an organization’s network from external threats caused by the distribution of infected software requires the same controls that should already be in place. Firewalls, malware scanning solutions, and intrusion detection and prevention solutions are the first line of defense.
The infiltration of malware through employee or vendor action requires taking the perspective that system-specific security perimeters must be established internally to protect an organization’s critical information assets. Network segmentation and workstation health enforcement through the use of VLANs, secondary VLANs, and network access control are a good start. These controls should be supplemented by removing users' local administrator access, thereby preventing the installation of any applications by anyone except authorized IT personnel.
For those organizations in which local administrator access must remain, management should consider the implementation of a solution to restrict installation of software. This protects against the inadvertent infestation of a network as well as the implementation of software not on the patching team’s radar. SurfControl’s Enterprise Threat Shield is an example of a product that controls both the execution and installation of software by either individual program or by application category.
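One way to surface software that is missing from the programs-to-patch list, as an added example (not from the original article): reconcile an installed-software inventory export against the patch team's list and rank the unmanaged titles by how many hosts carry them. The host names, program titles and function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: the patch team's list and an inventory export of
# (host, installed program display name) pairs.
PATCH_LIST = ["Microsoft Office", "Adobe Reader", "Mozilla Firefox"]
INVENTORY = [
    ("ws-014", "Microsoft Office Professional 2003"),
    ("ws-014", "Adobe Reader 8.1.2"),
    ("ws-014", "PhotoSuite Keygen v2"),
    ("ws-022", "Mozilla Firefox (2.0.0.1)"),
    ("ws-022", "photosuite keygen V2"),
    ("lt-vendor-3", "FastTorrent Client 1.4"),
]

def normalize(name):
    """Lower-case a display name and drop version tokens so variants match."""
    name = re.sub(r"\(.*?\)", " ", name.lower())
    tokens = [t for t in re.split(r"[^a-z0-9.]+", name)
              if t and not re.fullmatch(r"v?\d[\d.]*", t)]
    return " ".join(tokens)

def is_managed(title, managed):
    """A title is managed if it equals, or extends, a patch-list entry."""
    return any(title == m or title.startswith(m + " ") for m in managed)

def unmanaged_software(inventory, patch_list):
    """Return [(title, [hosts])] for titles absent from the patch list,
    most widely installed first."""
    managed = {normalize(p) for p in patch_list}
    hosts_by_title = defaultdict(set)
    for host, display_name in inventory:
        title = normalize(display_name)
        if not is_managed(title, managed):
            hosts_by_title[title].add(host)
    return sorted(((t, sorted(h)) for t, h in hosts_by_title.items()),
                  key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for title, hosts in unmanaged_software(INVENTORY, PATCH_LIST):
        print(f"{title}: {len(hosts)} host(s) -> {', '.join(hosts)}")
```

Each title in the output is a candidate for removal or for addition to the patch list; the prefix match is deliberately loose, so review near-matches by hand.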
The final word
Even a well-designed, layered defense isn’t 100% effective against attacks. As the number of potential attack launch points increases, the possibility that something will get through also increases. The best way to defend against the growing threat caused by illegal software is to support efforts to enforce software copyrights. And because many software companies are pricing their products at a point that encourages piracy, I believe pressure should be applied to encourage more realistic licensing/pricing models.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.