S 2.223 Security objectives for the use of standard software
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
In most office environments standard software is used for typical office tasks. This includes word processing programs, spreadsheets, office communication systems, e-mail programs and databases. As these are often purchased from one supplier, reference will be made here to office packages. Because the same kind of software is widely distributed, it is possible for security weaknesses in these programs to have large effects as they can be used on many IT systems so that any malicious programs can spread very quickly. A typical example here is macro viruses (see T 5.43 Macro viruses).
In order to be able to avoid or reduce such problems, security guidelines should be specified regarding the use of standard software.
To secure the use of standard software such as office packages the following points must be taken into account in the context of IT operation and security management:
- Security of the application environment
The security of all office packages and other standard software depends on the security of the hardware and operating systems used. Most manufacturers of office applications offer recommendations for secure configuration of the product as well as patches to eliminate identified vulnerabilities on their websites. These should be used.
Office programs are also offered by Cloud Computing providers. On the client side, these programs run in the execution environment of the internet browser used. In addition to the security of the hardware and the operating system, another basic requirement for the security of such applications is therefore the security of the internet environment and the external provider (see also S 2.460 Regulated use of external services).
- Add-ins and macros
Macros allow processes in applications to be automated, but always pose a threat as they may contain malicious code. A typical target of attacks by such macro viruses is, for example, the standard document template, as it is automatically loaded when the relevant office application is started. Users should therefore be informed of this problem and how they can prevent macro malware (see S 2.224 Prevention against malware). This includes in particular that macros should not be executed automatically. ActiveX elements should be disabled whenever this is possible.
Add-ins are extensions, some of which come from third-party providers and which are executed by office components when needed, e.g. in order to correctly process and display hypertext elements. Only add-ins which come from trusted publishers and which have been tested and approved by IT operation should be installed. In this respect, it must be observed that by default the configuration options in some office applications are set to a low restriction level so that add-ins are generally considered trustworthy. The configurations should be adapted accordingly. In addition, all add-ins should be continuously updated from the original sites of the providers to keep them up-to-date from a security point of view.
- Security safeguards during live operation
Office software and other standard software should never be started with administrator rights. Only data whose origin is considered trustworthy should be opened directly in the applications. Before opening files from external sources they must be scanned with a fully updated anti-virus program.
When exchanging documents these should be digitally signed and/or encrypted wherever possible.
Standard software is generally not designed to deliver a high level of security. All employees should therefore be informed that information requiring particular protection should not be handled on a standard office workstation without additional security measures. Some standard products nevertheless offer a number of security functions which, however, generally provide significantly less security than specialist security products. Users should be informed of these security functions and their effectiveness (see also S 4.30 Utilisation of the security functions offered in application programs). It is especially important here that users should not be lulled into a false sense of security and that the use of these security functions does not open up any security gaps. Users should be informed that office products are not suitable for every purpose.
Moreover, office packages often offer functions intended to facilitate the exchange of information, but which often by their very design bring with them major security problems.
Examples:
- Use of shared diaries
To facilitate co-ordination within teams of workers, most electronic diaries can be networked. As well as many advantages, however, this can bring certain problems with it. For example, not everyone will want colleagues to be able to see all their appointments. The manufacturers have responded to this kind of objection by offering an option of only displaying to other people which time is free and which time is already booked. Many people feel on the one hand that it will create a bad impression if a lot of free time is visible while on the other hand they are afraid that every free minute will be booked by colleagues with appointments. This can then result in large periods of time being blocked in reserve.
Other problems can also occur, e.g. as a consequence of over-generous granting of rights.
There should therefore be guidelines for the use of networked electronic diaries and the access rights that need to be considered here. These should be co-ordinated early on with the personnel or supervisory board. When networked electronic diaries are introduced, all employees should be instructed in how to use them correctly.
- CD-ROM autostart
All the more recent Windows operating systems allow CD-ROMs to be automatically detected and started. This can result in malicious programs such as viruses or Trojan horses gaining access to the computer. Automatic CD-ROM detection should therefore be disabled (see S 4.57 Disabling automatic CD-ROM recognition).
- OLE (object linking and embedding)
With OLE functions, objects can be embedded in files. These are used in many office products as a means of making information available to other programs. For example, this makes it possible for a table created in Excel to be embedded in a Word document. However, the result is that not only the information visible in the spreadsheet extract is transferred to the Word file but possibly all the other information contained in the Excel file. If the Word file is then passed to someone else, the recipient will also be able to view and even alter the Excel file, even if this was read- or write-protected with a password.
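A pre-transmission check for the embedding problem described above, added here as an example and not part of the original safeguard text: it lists the objects embedded in a .docx package and, for embedded workbooks, the worksheets that travel with them. The size cap, function names and sample files are assumptions constructed for illustration.

```python
import io
import zipfile

EMBED_PREFIX = "word/embeddings/"   # where a .docx stores embedded objects
MAX_PART_SIZE = 50 * 1024 * 1024    # assumed cap; larger parts are not unpacked

def embedded_objects(docx_bytes: bytes) -> list:
    """Return (part name, worksheet parts or None) for each embedded object."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for info in doc.infolist():
            name = info.filename
            if not name.startswith(EMBED_PREFIX) or info.is_dir():
                continue
            if info.file_size > MAX_PART_SIZE:
                findings.append((name, None))   # too large to unpack safely
                continue
            payload = doc.read(name)
            if not zipfile.is_zipfile(io.BytesIO(payload)):
                # e.g. a legacy OLE compound file (oleObject1.bin): not inspected
                findings.append((name, None))
                continue
            with zipfile.ZipFile(io.BytesIO(payload)) as inner:
                sheets = sorted(n for n in inner.namelist()
                                if n.startswith("xl/worksheets/") and n.endswith(".xml"))
            findings.append((name, sheets))
    return findings

def needs_review(findings: list) -> bool:
    """True if an embedded object is opaque or carries more than one worksheet."""
    return any(sheets is None or len(sheets) > 1 for _, sheets in findings)

def build_zip(parts: dict) -> bytes:
    """Helper for the constructed samples below: pack {name: bytes} into a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in parts.items():
            archive.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a document embedding a workbook that has two worksheets.
SAMPLE_XLSX = build_zip({"xl/workbook.xml": b"<workbook/>",
                         "xl/worksheets/sheet1.xml": b"<worksheet/>",
                         "xl/worksheets/sheet2.xml": b"<worksheet/>"})
SAMPLE_DOCX = build_zip({"word/document.xml": b"<document/>",
                         "word/embeddings/Microsoft_Excel_Worksheet.xlsx": SAMPLE_XLSX})

if __name__ == "__main__":
    for part, sheets in embedded_objects(SAMPLE_DOCX):
        print(part, sheets)
```

The check only looks inside embedded workbooks; other embedded object types are listed but their contents still need manual review.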
To prevent this, in this example the table should be copied into the Word file as text. Only if the original Excel file contains no other information than the information whose transfer is intended should it be embedded in another file. This could be achieved, for example, by creating a new Excel file (see also S 4.64 Verification of data before transmission / elimination of residual information).
- PostScript
PostScript is a page description language which describes exactly how information is to be displayed on paper or in corresponding display programs. As in addition to display options the PostScript command set also includes (restricted) instructions to modify files, problems similar to those encountered with macro viruses can occur. PostScript display programs are interpreters which process the PostScript language. From level 2.0 of the PostScript specification there are also PostScript commands for writing files. As a result it is possible to generate PostScript files which, during processing by an interpreter, can modify, delete or rename other files as soon as they are displayed on the screen.
Many of the available display programs can be started in such a way that instructions in the PostScript files being opened cannot modify anything in the file system. For example, in the widely used program ghostscript (gs) it is possible to disable write access to files with the -dSAFER option. In general, it should be ensured that the display programs used are only started in such a way that no unwanted modifications can be performed in the file system.
- PDF (Portable Document Format)
PDF files may also be specially prepared and contain malicious code that exploits security gaps. Functions such as program calls can be embedded in PDF files, and can pose a security risk to the files of the local IT system. JavaScript is used for such attacks in many cases. Mainly older versions of PDF applications are susceptible to such infiltration. Users are often lured to a manipulated website where a prepared PDF file is loaded in the background. The code hidden in the file is then used to install malware on the user's computer. It is not even necessary to open the file manually.
Anti-virus programs detect infected PDF files in many, but not all cases, as the attackers constantly vary the malicious code. Thus, it is even more important to regularly check the applications used to ensure they are up-to-date and to install security updates quickly.
In Adobe Reader version ten and higher (Adobe Reader X), Adobe has integrated a sandbox (or "protected mode") to counteract such attacks. Users using Adobe Reader for viewing and editing PDF documents should therefore use the version Adobe Reader X or higher and use the "protected mode".
Active content in PDFs opens up security risks, but is rarely actually needed. For this reason, JavaScript should be disabled in the PDF display programs.
The most commonly used PDF viewers are Adobe Reader and Acrobat. Malware developers also orientate themselves toward market leaders. It may therefore also make sense to use less commonly used PDF viewers or at least have them available in order to be able to switch in the event of an acute warning.
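A triage check for the active content discussed above, added here as an example and not part of the original safeguard text: it counts the PDF name keys that introduce JavaScript and automatic actions in a file's raw bytes. The function names and sample bytes are constructed for illustration.

```python
import re
from collections import Counter

# Name keys that introduce scripts or automatic actions in a PDF.
ACTIVE_KEYS = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r /<>\[\](){}%]+)")
# Inside a name, "#xx" stands for the byte with that hexadecimal value.
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def pdf_names(data: bytes):
    """Yield every name token with #xx escapes decoded (/J#61vaScript -> JavaScript)."""
    for match in _NAME.finditer(data):
        raw = _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(1))
        yield raw.decode("latin-1")

def active_content_keys(data: bytes) -> dict:
    """Count the active-content keys found in the raw bytes of a PDF."""
    return dict(Counter(n for n in pdf_names(data) if n in ACTIVE_KEYS))

# Constructed sample: a catalog with an automatic action pointing at a script
# object whose /JavaScript name is written with a hex escape.
SAMPLE_ACTIVE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
    b"%%EOF\n"
)
# Constructed sample: the same catalog without any active content.
SAMPLE_PLAIN = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("active", SAMPLE_ACTIVE), ("plain", SAMPLE_PLAIN)):
        print(label, active_content_keys(sample))
```

Keys inside compressed object streams or encrypted documents are not visible to a raw scan, so an empty result does not prove that a file is free of active content.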
- Fast saves under Word
In Word there is an option allowing fast saving of text that has been written. This has the result that only modifications made to a document in the present session are saved into the document. This type of save takes less time compared with a full save, in which Word saves the entire modified file. However, a full save requires less storage space on the hard disk than a fast save.
The critical disadvantage of fast saving, however, is the fact that a file can contain fragments of text which the author would not want to be passed on.
As a general rule, the "Allow fast saves" option should therefore be disabled. Furthermore, the "Always create backup copy" option should be enabled. The system should regularly be cleaned up by deleting any backup copies that are no longer required.
A user who nevertheless decides to make use of the fast save option should always carry out a full save in the following situations:
- once work on the document has been completed,
- before beginning a task that uses a lot of memory e.g. searching for text or compiling an index,
- before the document text is transferred to another application,
- before the document is converted to a different file format.
In order to be able to take action in good time against design weaknesses and security gaps that have become known, the administrator or IT security management should keep themselves informed about such problems (see also S 2.35 Obtaining information on security weaknesses of the system).
Review questions:
- Have the users been informed about the capabilities and limits of security functions of the software used and the storage formats used?
- Do the security policies take software functions intended to facilitate the exchange of information into account?
- Are there security policies regarding the use of standard software?