Written by Matt Soccio, Security Analyst in SOS.
As announced on the Penn State News site, the University has partnered with Skillsoft Limited to launch the new online training program, Reporting Child Abuse. The web-based training program, which is mandatory for all University employees to complete, requires the use of a web browser with Java enabled, causing concern for many IT administrators given the recent issues with Java.
SOS recommends a layered approach to network security, and there are several ways to mitigate Java vulnerabilities that reduce your exposure and risk while still allowing employees to complete this mandatory training program. These solutions are not applicable to every network, nor is this an exhaustive list of recommendations. As an IT administrator, you will need to evaluate which solutions are feasible for your environment.
- Leverage virtualization so users can get to a thin app or a separate OS with a Java-enabled browser. This can be deployed and removed as needed.
- Use local labs built on easily replaceable machine images, where there is little chance that high-risk data is present.
- Set up spare hardware and schedule employees to use a specific machine for the training.
- If your firewall has application-filtering capabilities, many vendors let you create whitelists and blacklists for Java traffic, so Java can be permitted only to the training site.
There is an active Yammer discussion regarding this issue. If you develop other solutions or have technical questions, please follow up in that thread. The Internet Storm Center (ISC) also has a very good post about situations when recommendations like “disable Java” conflict with business requirements.