Posted by Mike Schrock / April 14, 2015
Enterprise assets face a high level of risk because visibility to unpatched software vulnerabilities remains weak, leaving companies exposed to sophisticated and stealthy cyber-crime attacks.
How We Got Here
The business climate is changing fast: constant reinvention and rapid change are the name of the game, and our hyper-connected workforce is driving business productivity and agility through the roof. Organizational device usage has changed significantly over the last few decades. BYOD (Bring Your Own Device) adoption can be seen from the tablet-laden management team, all the way down to employees punching a timecard with their smartphone! I don’t think this need to stay “plugged in” 24/7 is going away anytime soon, but what are the implications for IT departments trying to enforce compliance and security in the infinitely complex and expanding world of BYOD? Similarly, cloud storage solutions are great for productivity, but how aware is the average employee (or CEO for that matter!) of the security risks they introduce?
IT has cautioned the business sector about the risks associated with this trend toward personal hyper-connectivity by stressing the need for more capital and human resources to safeguard company assets from cyber-attacks. Unfortunately, “the generals” often continue pushing the charge forward, hoping for productivity and revenue increases despite the cyber-security risks piling up in their wake. Investing in security software and infrastructure improvements takes a back seat to revenue-driving activities. Benjamin Dean, Fellow and Researcher for Internet Governance and Cyber-security at Columbia University, expands on this topic in a recent article outlining why companies aren’t given the proper incentives to invest in cyber-security.
The Enterprise Remains Vulnerable
The ever-expanding and porous nature of corporate network perimeters, the adoption of BYOD and Shadow IT, SaaS sprawl and unauthorized use, policy violations via use of personal systems (e.g. Clinton’s use of personal email for State Department business) and the growing possibility of the crown jewels being hosted (and hoisted!) on public infrastructure like AWS have all contributed to our increased exposure to cyber-attacks. When you add software vulnerabilities into this difficult-to-manage mix, the prospects look grim indeed.
In their 2015 Vulnerability Review, Secunia found that 87% of vulnerabilities were patched within 24 hours of being discovered. It is important to note that while major OS, browser, plugin and hardware vendors are actually reducing the number of critical vulnerabilities, this may provide a false sense of security, as there are still hundreds of millions of exposed user devices that have yet to be patched or updated. Outdated and unpatched devices present a major security risk for companies, as they are substantially more vulnerable to outside cyber threats.
How big of a risk do these out-of-date devices actually pose? According to HP's 2015 Cyber Risk Report, 44% of breaches in 2014 leveraged known vulnerabilities that were between two and four years old. In fact, the top ten known vulnerability exploits were all known and patched years ago.
Image Source: HP Cyber Risk Report via Tripwire
In OPSWAT’s October 2014 Market Share Report, 71% of surveyed devices were found to have outdated operating systems, and another 11% did not have their auto-update feature enabled. Despite patches being readily available, most devices have auto-updates disabled, which leaves them in a vulnerable state. Once the patch is issued, it must be applied, or the endpoint is still open to attack.
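The two measurements above (outdated OS version, auto-update feature disabled) and the "two to four years old" patch gap from the HP report are exactly the signals a patch-compliance check should surface per endpoint. The following Python script is an added illustration, not OPSWAT's or the author's code: it runs a small triage over a constructed device inventory, flags each endpoint on those three signals, and rolls them up into the same percentages the reports quote. The "latest build" table, the sample devices, the 90-day staleness threshold and the risk ladder are all assumptions made for the example; in practice the latest-build data would come from a vendor release feed or a vulnerability scanner.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical "latest known build" per OS family (constructed values for the
# example; a real check would source these from the vendor or a scanner).
LATEST_BUILD = {
    "windows": (6, 3, 9600),
    "macos": (10, 10, 3),
    "android": (5, 1, 0),
}

# Reference date for patch-age calculations: the date of this post.
TODAY = date(2015, 4, 14)


@dataclass
class Endpoint:
    name: str
    os_family: str
    os_build: tuple       # version tuple as reported by the device
    auto_update: bool     # platform auto-update feature enabled?
    last_patched: date    # last date the device applied updates
    managed: bool         # under an MDM/agent, or unmanaged BYOD


@dataclass
class Finding:
    name: str
    managed: bool
    outdated_os: bool
    auto_update_disabled: bool
    patch_age_days: int
    risk: str             # "high", "medium" or "low"


def assess(ep: Endpoint, today: date = TODAY) -> Finding:
    """Flag one endpoint on the three signals and assign a risk level."""
    outdated = ep.os_build < LATEST_BUILD[ep.os_family]
    no_auto = not ep.auto_update
    age = (today - ep.last_patched).days
    # Risk ladder (assumption): behind on patches AND unable to self-correct is
    # the worst case; current and auto-updating is the best case.
    if outdated and no_auto:
        risk = "high"
    elif outdated or no_auto or age > 90:
        risk = "medium"
    else:
        risk = "low"
    return Finding(ep.name, ep.managed, outdated, no_auto, age, risk)


def summarize(findings: list) -> dict:
    """Roll per-device findings up into fleet-level metrics."""
    n = len(findings)
    return {
        "pct_outdated_os": round(100 * sum(f.outdated_os for f in findings) / n),
        "pct_auto_update_disabled": round(
            100 * sum(f.auto_update_disabled for f in findings) / n),
        # Devices whose last patch is two or more years old: the window the
        # HP report ties to 44% of 2014 breaches.
        "stale_over_two_years": [f.name for f in findings if f.patch_age_days >= 730],
        "high_risk": [f.name for f in findings if f.risk == "high"],
        "unmanaged_high_risk": [f.name for f in findings
                                if f.risk == "high" and not f.managed],
    }


# Constructed sample inventory (not real devices).
SAMPLE = [
    Endpoint("hq-laptop-01", "windows", (6, 3, 9600), True, date(2015, 4, 1), True),
    Endpoint("byod-tablet-07", "android", (4, 4, 2), False, date(2013, 2, 10), False),
    Endpoint("sales-mac-03", "macos", (10, 9, 5), True, date(2014, 11, 20), True),
    Endpoint("contractor-win-02", "windows", (6, 1, 7601), False, date(2012, 9, 5), False),
]


def run_report(endpoints: list = SAMPLE, today: date = TODAY) -> dict:
    return summarize([assess(e, today) for e in endpoints])


if __name__ == "__main__":
    for ep in SAMPLE:
        f = assess(ep)
        print(f"{f.name:20} outdated={f.outdated_os!s:5} auto_update_off="
              f"{f.auto_update_disabled!s:5} age={f.patch_age_days:4}d risk={f.risk}")
    print(run_report())
```

The point of the roll-up is that the two report metrics are not independent: a device that is both behind on its OS build and has auto-update turned off will not recover on its own, so it sits at the top of the ladder, and the unmanaged subset of that group is the population an endpoint product for BYOD has to reach.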
Vulnerability Protection for the Masses
We predict that the antivirus community will soon add product offerings for real-time vulnerability protection and patch management in a simple or detailed remediation format, just as they did for anti-spyware and anti-phishing. I’m already seeing signs of this in the anti-malware and endpoint protection community. In a recent review, Intel’s McAfee agreed that the vulnerability of third-party applications is an issue and should be addressed in the future, and Palo Alto Networks’ acquisition of Cyvera and new Traps offering is another symptom of a global move toward real-time vulnerability protection. I applaud this, and think this is only the beginning. My hope is that the constant drive for progress, productivity, and new technology falls into tighter lock-step with security operations. Endpoint security developers must get out in front of this trend by building solutions that provide vulnerability assessment for both managed and unmanaged devices.