Security Experts:

Organizations Failing to Upgrade Systems, Enforce Patches

Organizations Are Still Failing to Upgrade Systems and Enforce Patches, Study Finds

Duo Security provides multi-factor authentication to business. Part of its service includes behavioral aspects of the device, which means that Duo analyzes the state of the devices seeking access to its corporate customers' resources. This week the company published its latest analysis of business device security health: The 2017 Duo Trusted Access Report

The report (PDF) presents an analysis of 4.6 million business endpoints, including 3.5 million mobile phones across multiple industry verticals and geographic regions. In particular, it analyzes the operating system and browser used on computers, and the enabled security features on mobile devices.

"The big takeaway from this report," its researcher Kyle Lady told SecurityWeek, "is that we are still not doing a good enough job at upgrading systems and enforcing patches."

For example, although the uptake of Microsoft's latest Windows 10 (Win10) operating system has doubled from 15% last year to 31% this year, that still means that the vast majority of Windows usage in business is using old and sometimes unsupported versions of Windows. More than half (59%) of business Windows systems are still using Windows 7; and 1% are still using XP.

The importance of upgrading to W10 is illustrated by the recent WannaCry ransomware outbreak -- which rapidly infected more than 200,000 computers in 150 countries. W10 with automatic patching was protected; unpatched W7 (and unsupported W7 on Intel 7th Generation Core processors and AMD Ryzen systems); and all XT systems were vulnerable.

It is noticeable that healthcare continues to run a higher percentage of W7 than business overall (76% compared to 59%), and a higher percentage of XP (3% compared to 1%) -- and healthcare (especially the UK's National Health Service) was especially affected by WannaCry.

It seems that many firms are relying on the standard business hardware refresh cycle to effect their upgrade to Windows 10. "This will eventually get us to full Windows 10 adoption; but how long will that take?" asks Lady. "As we get better at making computers they are lasting longer and refresh cycles are lengthening." Meanwhile, these older systems will become increasingly vulnerable -- something that President Trump's recent cybersecurity executive order recognized in its instruction that government agencies must upgrade any 'antiquated' systems.

But it's not just aging operating systems that are a cause for concern. Duo also analyzed the results from its free simulated phishing solution, Duo Insight. This analysis looked at 3,575 simulated phishing campaigns with more than 80,000 recipients run over the last 12 months; and found that 62% of campaigns captured at least one credential and 68% had at least one out-of-date device.

The combination of successful phishing and out-of-date browsers is important. Just visiting a phishing site without entering credentials would probably not be dangerous (o-days aside) provided the browser being used is fully up-to-date. However, merely visiting the site, having second thoughts and immediately leaving can still compromise the user of unpatched browsers and operating systems.

The browser situation is little better than operating systems, with only 9% of business users browsing with Microsoft's Internet Explorer successor, Edge 14. By far the majority of users browse with IE 11 (76%) on Windows 7, but fully 13% of business users are still using the unsupported IE 8,9 and 10. This makes them particularly vulnerable to phishing and exploit kits.

"As underlined from many of the latest headline breaches," comments Mike Hanley, Sr. director of security for Duo Security, "unpatched, out-of-date software, systems and servers are prime targets for attackers armed with known vulnerabilities and malware. The 2017 Trusted Access Report shows that while we’re making progress in some areas like Windows 10 adoption, there is still much room for improvement across the board."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.