Organizations Are Still Failing to Upgrade Systems and Enforce Patches, Study Finds

Duo Security provides multi-factor authentication to businesses. Part of its service covers behavioral aspects of the device, meaning that Duo analyzes the state of the devices seeking access to its corporate customers’ resources. This week the company published its latest analysis of business device security health: The 2017 Duo Trusted Access Report.

The report (PDF) presents an analysis of 4.6 million business endpoints, including 3.5 million mobile phones across multiple industry verticals and geographic regions. In particular, it analyzes the operating system and browser used on computers, and the enabled security features on mobile devices.

“The big takeaway from this report,” its researcher Kyle Lady told SecurityWeek, “is that we are still not doing a good enough job at upgrading systems and enforcing patches.”

For example, although the uptake of Microsoft’s latest Windows 10 (Win10) operating system has doubled from 15% last year to 31% this year, that still means that the vast majority of Windows usage in business is using old and sometimes unsupported versions of Windows. More than half (59%) of business Windows systems are still using Windows 7; and 1% are still using XP.

The importance of upgrading to W10 is illustrated by the recent WannaCry ransomware outbreak — which rapidly infected more than 200,000 computers in 150 countries. W10 with automatic patching was protected; unpatched W7 (including unsupported W7 on Intel 7th Generation Core processors and AMD Ryzen systems) and all XP systems were vulnerable.

It is noticeable that healthcare continues to run a higher percentage of W7 than business overall (76% compared to 59%), and a higher percentage of XP (3% compared to 1%) — and healthcare (especially the UK’s National Health Service) was especially affected by WannaCry.

It seems that many firms are relying on the standard business hardware refresh cycle to effect their upgrade to Windows 10. “This will eventually get us to full Windows 10 adoption; but how long will that take?” asks Lady. “As we get better at making computers they are lasting longer and refresh cycles are lengthening.” Meanwhile, these older systems will become increasingly vulnerable — something that President Trump’s recent cybersecurity executive order recognized in its instruction that government agencies must upgrade any ‘antiquated’ systems.

But it’s not just aging operating systems that are a cause for concern. Duo also analyzed the results from its free simulated phishing solution, Duo Insight. This analysis looked at 3,575 simulated phishing campaigns with more than 80,000 recipients, run over the last 12 months, and found that 62% of campaigns captured at least one credential and 68% had at least one out-of-date device.

The combination of successful phishing and out-of-date browsers is important. Just visiting a phishing site without entering credentials would probably not be dangerous (0-days aside) provided the browser being used is fully up-to-date. However, merely visiting the site, having second thoughts and immediately leaving can still compromise a user running unpatched browsers and operating systems.

The browser situation is little better than that of operating systems, with only 9% of business users browsing with Microsoft’s Internet Explorer successor, Edge 14. By far the majority of users browse with IE 11 (76%) on Windows 7, but fully 13% of business users are still using the unsupported IE 8, 9 and 10. This makes them particularly vulnerable to phishing and exploit kits.

“As underlined from many of the latest headline breaches,” comments Mike Hanley, Sr. director of security for Duo Security, “unpatched, out-of-date software, systems and servers are prime targets for attackers armed with known vulnerabilities and malware. The 2017 Trusted Access Report shows that while we’re making progress in some areas like Windows 10 adoption, there is still much room for improvement across the board.”
