Gap in patch priorities vs cybercriminal targets
Internet users are at risk from the rapid growth in software security flaws – specifically end-point vulnerabilities. Businesses should be doing far more to help themselves by improving their patching strategies which are often less than adequate.
According to a new Secunia report, third-party programs rather than programs from Microsoft are almost exclusively responsible for the growth in vulnerabilities, with the share of third-party vulnerabilities on a typical end-point, increasing from 45% in 2006 to 78% in 2011.
78% of vulnerabilities in 2011 affected third-party programs, by far outnumbering the 12% of vulnerabilities found in operating systems or the 10% of vulnerabilities discovered in Microsoft programs.
The report shows that the number of end-point vulnerabilities increased once again in 2011 to over 800 vulnerabilities – a tripling within only a few years – more than half of which were rated by Secunia as either Highly or Extremely critical.
The World Economic forum recently claimed that cyber crime is one of the biggest risks to global financial and political stability in 2012. “Many businesses are not doing enough to help themselves,” said Stefan Frei, Research Analyst Director, Secunia.
“By not addressing errors in software installed on typical end-points, organizations and individuals are in effect leaving their “windows’ wide open for cybercriminals to enter and compromise their most sensitive data,” he continued. “One problem often lies with the company’s security strategy. The programs that an organization perceives as top priorities to patch as opposed to the programs that cybercriminals target are often vastly different.
A typical corporate infrastructure contains layers of programs that organizations consider business-critical. Many organizations will focus on patching the top layer – business-critical programs – only.
Cybercriminals, however, will target all programs and only need one vulnerable program to compromise the host.”
The Secunia Yearly Report reveals that for an organization with over 600 programs installed in their network, more than 50% of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa.
“Therefore identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources. 72% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch end-points is in the hands of all end-users and organizations,” concluded Frei.
Other findings of the report include:
Vulnerabilities are resilient. Despite the number of vulnerabilities decreasing in 2011 in general, the five-year trend identified that none of the top-20 producers of software (commercial or open source) managed to decrease the number of vulnerabilities in their products.
End-points are top targets. This is because end-points are where the most valuable data (business-critical data, personal information, etc.) is found to be the least protected. Because end-points are dynamic environments with unpredictable usage patterns, this makes them difficult to defend and secure.
Complexity is the worst enemy of security. The Top-50 software portfolio installed on a typical end-point comprises programs from 12 different vendors (28 Microsoft programs and 22 third-party programs). It therefore involves 12 different update mechanisms to keep a typical end-point secure (1 “Microsoft update’ and 11 additional update mechanisms). The complexity involved in staying secure has a measurable effect on security levels.
Rare programs are also risky. It’s not just the usual suspects that are at risk- uncommon programs can also be exposed to cybercriminal attack. Analysing the market share against exploit availability demonstrates that all programs are at risk.
The complete report is available here (registration required).