Internet users are at risk from the rapid growth in software security flaws - specifically end-point vulnerabilities - according to the latest Yearly Report (for 2011), released today by Secunia, the leading provider of IT security solutions that help manage and control vulnerability threats. And, the company claims, businesses should be doing far more to help themselves by improving their patching strategies which are often less than adequate.
According to the report, third-party programs rather than programs from Microsoft are almost exclusively responsible for the growth in vulnerabilities, with the share of third-party vulnerabilities on a typical end-point, increasing from 45% in 2006 to 78% in 2011.
78% of vulnerabilities in 2011 affected third-party programs, by far outnumbering the 12% of vulnerabilities found in operating systems or the 10% of vulnerabilities discovered in Microsoft programs. The report shows that the number of end-point vulnerabilities increased once again in 2011 to over 800 vulnerabilities – a tripling within only a few years - more than half of which were rated by Secunia as either ‘Highly’ or ‘Extremely critical’.
The World Economic forum recently claimed that cyber crime is one of the biggest risks to global financial and political stability in 2012. “Many businesses are not doing enough to help themselves,” said Stefan Frei, Research Analyst Director, Secunia.
“By not addressing errors in software installed on typical end-points, organisations and individuals are in effect leaving their ‘windows’ wide open for cybercriminals to enter and compromise their most sensitive data,” he continued. “One problem often lies with the company’s security strategy. The programs that an organisation perceives as top priorities to patch as opposed to the programs that cybercriminals target are often vastly different. A typical corporate infrastructure contains layers of programs that organisations consider business-critical. Many organisations will focus on patching the top layer – business-critical programs – only. Cybercriminals, however, will target all programs and only need one vulnerable program to compromise the host.”
The Secunia Yearly Report reveals that for an organisation with over 600 programs installed in their network, more than 50% of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa. “Therefore identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources. 72% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch end-points is in the hands of all end-users and organisations,” concluded Frei.
Other findings of the report include:
• Vulnerabilities are resilient. Despite the number of vulnerabilities decreasing in 2011 in general, the five-year trend identified that none of the top-20 producers of software (commercial or open source) managed to decrease the number of vulnerabilities in their products.
• End-points are top targets. This is because end-points are where the most valuable data (business-critical data, personal information, etc.) is found to be the least protected. Because end-points are dynamic environments with unpredictable usage patterns, this makes them difficult to defend and secure.
• Complexity is the worst enemy of security. The Top-50 software portfolio installed on a typical end-point comprises programs from 12 different vendors (28 Microsoft programs and 22 third-party programs). It therefore involves 12 different update mechanisms to keep a typical end-point secure (1 ‘Microsoft update’ and 11 additional update mechanisms). The complexity involved in staying secure has a measurable effect on security levels.
• Rare programs are also risky. It’s not just the usual suspects that are at risk– uncommon programs can also be exposed to cybercriminal attack. Analysing the market share against exploit availability demonstrates that all programs are at risk.
The Secunia Yearly Report 2011
The Secunia Yearly Report 2011 analyses the evolution of software security from a global, industry, enterprise, and end-point perspective. It presents data on vulnerabilities and exploits and the availability of patches and correlates this information with the market share of programs to evaluate the true threats. It addresses the main challenges in protecting an organisation’s software portfolio and suggests a strategy to best use limited security resources in light of the present dynamic threat environment.
Founded in 2002, Secunia (secunia.com) is the leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.
Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia has operations in North America, the UK, and the Middle East, and is headquartered in Copenhagen, Denmark.
Twitter: twitter.com/Secunia| Facebook: facebook.com/Secunia | Blog: secunia.com/blog/ | LinkedIn: linkedin.com/company/secunia.
Thomas Kristensen, CSO, Co-founder
E: tk[.]secunia.com - P: +45 2690 7565