If you haven't heard about it by now, let me clue you in: Java is a security nightmare. A few days ago, a zero-day exploit for Java 7 became widely known. The exploit bypasses the Java 7 security sandbox and lets an attacker download and execute code on the victim's machine without any user interaction. The attack is already available in Metasploit and in the Blackhole Exploit Kit (BEK). Since it's in BEK, users are now exposed to it through so-called "drive-by" web attacks: all a user has to do is get unlucky and visit a compromised site (and there are a TON of compromised WordPress sites out there), and their machine is compromised.
Java 7 is new enough at this point that it is not widely installed. Java 6 is the most widely installed version at this time, and it is not susceptible to this particular attack. Unfortunately, Java 6 has a whole host of security issues of its own if you are not running one of the two most recent releases (6u33 or 6u34 as of the date of this post), and BEK exploits just about all of those, too. You may think Java is auto-updating on all the user workstations in your corporate environment, but trust me, it's not. It may be auto-updating on a few workstations, but certainly nowhere near most of them.
So what is the defense in the corporate environment? First, you can try to ensure that all of your Java installs are up to date (and that Java 7 is either uninstalled or, now that Java 7u7 is out to address the issue, updated to 7u7) using a system configuration management (SCM) tool, or even via Group Policy Software Installation as I describe in this previous post. But it turns out that SCM tools are tough to configure and use, and Group Policy Software Installation usually only applies when a computer is rebooted. Most of my users don't reboot their machines very often. Of course, you could force a weekly reboot via Group Policy, but that's still imperfect, since users may be up to a week behind on the update...
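Before you can fix the stragglers you have to find them, and the auto-updater's word is not good enough. The following PowerShell script is an added example (my own, not code from the original post or from any tool it mentions) that audits the installed Java patch level on a list of workstations by reading each machine's Add/Remove Programs registry entries over PowerShell remoting. The host names, the assumption that WinRM is enabled and the caller is a local administrator on the targets, and the reliance on Oracle's "Java(TM) 6 Update NN" / "Java 7 Update NN" uninstall-entry names are assumptions; the minimum acceptable levels (6u33 for Java 6, 7u7 for Java 7) are the ones given in this post.

```powershell
# Added example, not from the original post: audit Java patch levels across
# Windows workstations by reading each machine's Add/Remove Programs registry
# entries over PowerShell remoting.
#
# Assumptions (not stated in the post): WinRM is enabled on the targets and the
# caller is a local administrator on them; the host names below are placeholders;
# Oracle's JRE installers register as "Java(TM) 6 Update 33" / "Java 7 Update 7"
# under the Uninstall keys (64-bit view and the 32-bit Wow6432Node view).
# JDK entries are named differently and would need a second pattern.

# Minimum acceptable update level per major version, per the post:
# 6u33 or later for Java 6, 7u7 for Java 7.
$MinimumUpdate = @{ 6 = 33; 7 = 7 }

# Placeholder host list. In practice feed this from AD, e.g.
#   (Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"').Name
$Workstations = @('WS-001', 'WS-002', 'WS-003')

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Runs on each target. Emits one object per Java runtime it finds; a machine
# with no Java installed emits nothing, so it will not appear in the report.
$Collect = {
    param([string[]]$Keys)
    $pattern = '^Java(\(TM\))? (\d) Update (\d+)'
    Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.DisplayName -match $pattern) {
                New-Object PSObject -Property @{
                    DisplayName = $_.DisplayName
                    Major       = [int]$Matches[2]
                    Update      = [int]$Matches[3]
                }
            }
        }
}

# Fan out; unreachable hosts produce a non-terminating error and are skipped.
# Invoke-Command stamps each returned object with PSComputerName.
$Installs = Invoke-Command -ComputerName $Workstations -ScriptBlock $Collect `
                           -ArgumentList (,$UninstallKeys) -ErrorAction Continue

# Classify every install against the minimum update level.
$Report = foreach ($i in $Installs) {
    $min = $MinimumUpdate[[int]$i.Major]
    $status = if ($null -eq $min)        { 'UNKNOWN-MAJOR' }
              elseif ($i.Update -lt $min) { 'OUT-OF-DATE' }
              else                        { 'OK' }
    $i | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
}

$Report | Sort-Object Status, PSComputerName |
    Format-Table PSComputerName, DisplayName, Status -AutoSize

# Hosts that reported nothing are either offline, not reachable over WinRM, or
# genuinely Java-free. Treat them as unpatched until you have checked by hand.
$Seen = $Installs | Select-Object -ExpandProperty PSComputerName -Unique
$Workstations | Where-Object { $Seen -notcontains $_ } |
    ForEach-Object { "No Java install reported by $_ (offline, no WinRM, or no Java)" }
```

The registry is queried rather than the `java -version` output because a workstation frequently has several JREs side by side (a 32-bit and a 64-bit install, or an old 6uNN left behind next to a 7uNN), and only the one on the PATH answers `java -version`; a browser plugin can still load any of them. Run the report before and after your Group Policy deployment to see how many machines actually picked up the package.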
Your second defense is a web proxy. At this point, most IT managers and CISOs will shudder and tune me out, but I beg you to read on for just another minute or two. Many view a web proxy as a draconian measure, because it intercepts, examines, and potentially limits users' access to the web. To have complete coverage, an organization must also deploy an SSL-inspecting web proxy, which essentially man-in-the-middles all SSL traffic: it terminates each HTTPS connection and re-signs it with a certificate from an internal CA that the workstations are configured to trust. There is a definite potential impact on user privacy, since many users access their online banking accounts (among other sensitive sites) from the office. But in many cases you can add specific sites to a bypass list that tells the proxy to pass their traffic through without inspection, so there are ways to minimize the privacy problem.
But as an IT manager or CISO, your duty is to protect the value of the enterprise and its data, not the privacy of your users. Internet access while on the job is a privilege, not a right.
Now for some anecdotal evidence on just how useful a web proxy is in the enterprise environment. Of all the Network Security Monitoring (NSM) customers we have, only two use an enterprise-wide web proxy. And I'll let you guess which two customers almost never have an incident involving the compromise of a user workstation. Yep, the two that have a web proxy. I'm estimating that 95% of the user workstation incidents we detect and notify clients about would be prevented by the use of a web proxy. Most of the IT managers and CISOs I have contact with, once I have explained the issue to them, agree that they need to get a web proxy. The most common reason I hear for not installing one: "It's not a politically approachable topic at this time." Sometimes that's the way it goes...
And so clients continue to get hacked. Large volumes of data continue to be exfiltrated to Russia and China. IT staff continue to have to scramble to clean up infected machines, even as they deal with more and more services that require high-availability. And, IT continues to get blamed when data is lost. It makes me cry a little bit inside each time I hear of it...
Please seriously consider the information security benefits to the enterprise of using a web proxy. Help out your shareholders, and your IT staff.
That is all.