State of the Endpoint: Vulnerable Software, Click-Happy Users

In-brief: a study of millions of mobile and desktop endpoints finds continued problems with out of date software and a willingness to fall for phishing attacks.

Despite near daily reports of damaging attacks on corporate networks, many corporate employees still get by running out of date operating systems, web browsers and plug-ins, that leave them open to attack and compromise, according to a report by the security firm DUO.

More than half of users with Adobe’s Flash software installed are running an out of date version of the software, while less than a third (31%) are running the latest version of Microsoft Windows, according to DUO’s Trusted Access Report. That, coupled with employees’ tendency to fall for so-called “phishing” campaigns and click on malicious links and attachments presents opportunities for hackers and cyber criminals to get access to sensitive networks.

Most endpoints studied by DUO were running Windows 7, almost wo years after Microsoft released Windows 10. (Image courtesy of DUO.)

The study, which was released on Monday, leverages data from DUO’s installed user base of 4.6 million endpoints including 3.5 million mobile devices. As such, it presents a unique portrait of the security posture of desktop, laptop and mobile device use in organizations globally. Among the findings:

  • Phishing attacks continue to be a highly effective tool. DUO analyzed 3,575 phishing campaigns against 80,000 recipients and found that 1 in 4 users clicked malicious links associated with such campaigns while more than 10 percent followed through and entered credentials as part of the attack.
  • Adoption of the latest version of Windows still lags. Just 31% of surveyed Windows systems were running Windows 10, the latest version of Microsoft’s operating system more than two years after its release. That’s more than double the percentage in 2016. But it still leaves more than two thirds of Windows users on an older OS. In fact, a majority of the Windows users studied – 59% – are running Windows 7.
  • The security of applications and plug-ins continues to be a sore point. Thirteen percent of endpoints studied were running a version of the Internet Explorer web browser that is no longer supported. More than half (54%) are running an out of date version of Adobe Flash – an increase of more than 10% from 2016. Twenty one percent of endpoints studied were running Adobe Flash version 24.0.0.194, which contains 11 critical security holes, DUO noted.
  • For mobile devices, Apple iOS users were more than three times as likely to be running the latest version of the company’s mobile operating system as Android users. Just 27% of Android phones analyzed by DUO were running the latest major version 7, while 73% of iPhones were running iOS 10 or above.

Lax security practices were not evenly distributed. The healthcare sector emerged as a laggard, with 76% of endpoints in healthcare organizations running Windows 7, far higher than average. Just 16% of Healthcare organizations had upgraded to Windows 10. In the technology industry, by contrast, 87% were running Windows 10. There were also vast differences between industries in adoption of security features like full disk encryption or, on mobile devices, lock screens and biometric authentication like Apple’s TouchID. Biotech workers were among the least likely to use full disk encryption – just 14% had it enabled, compared to 42% in the technology industry. Construction industry workers were among the least likely to use TouchID – just one in four had it enabled. That, compared to 78% of technology industry workers.

The good news? Users and organizations are moving away from vulnerable platforms like Java and Flash, exploits for which feature prominently in hacker toolkits. A quarter of endpoints surveyed by DUO had disabled Adobe Flash altogether, while 66% had disabled Java.

Check out the full report here.

Comments are closed.