In the changing landscape of business IT, security is a core concern to decision makers and IT administrators alike.
Over the past few years we have seen the rise of uptime-crippling ransomware, and recently in the news we saw the largest ever denial of service (DoS) attack perpetrated by hackers using the Internet of Things as a bot network. In both cases, damage could have been curbed by more robust business security policies and IT admins keeping tighter control of both company and personal end-user device vulnerability patches.
Most businesses are using cloud applications of some kind, or storing data outside of their network perimeter. In many cases end users will be using personal devices with known vulnerabilities, which the IT department has little or no visibility of.
This new IT model is making it more difficult for network administrators, as hackers are attacking end user devices directly.
To quantify this, DUO recently released a security health report based on a dataset of 2,000,000 devices including PCs, laptops, tablets and smartphones worldwide – secured using DUO’s trusted access platform to connect to business applications.
The results are startling to a security conscious IT service provider.
Why? Because the results are already skewed to show the better end of the spectrum of vulnerable devices. The report is limited to devices already using a good two-factor security solution, therefore the policies of the companies in which the devices reside are geared to take trusted access into account, and the system administrators have the understanding and insights to see the potential threats.
Key concerning findings
- A quarter of all Windows devices are running outdated and unsupported versions of IE.
- 60% of Flash users and 72% of Java users are running an outdated version.
- 50% of Windows XP devices are running out of date IE.
- Google’s Chrome browser is the most up-to-date browser among our sample size (82% of devices with chrome).
- Mac users are more up to date than Windows users when it comes to operating systems at 53% of devices, compared to Microsoft’s 35%
Devices running outdated Java
Devices running outdated Flash
XP computers using outdated IE
Fully Patched Operating Systems
- Mac 53%
- Windows 35%
Here is the conclusion DUO came to in the report:
- Don’t reject BYOD [Bring Your Own Device] — be prepared for it. Give your IT administrators actionable data on device ownership and health that can inform risk-based access control decisions.
- Encourage safe computing practices and good security hygiene, such as running regular security updates or using device encryption, passcodes and additional authentication to protect systems and data.
- Configure systems and deploy policies that enable automatic updates for as much software as possible to remove some of the friction that users feel when manually installing updates. We found that an overwhelming number of out-of-date browsers and systems don’t take basic steps like enabling automatic updates.
- Switch to browser platforms that update more frequently and automatically, like Google Chrome.
- Disable Java and prevent Flash from running automatically on corporate devices, and enforce this on user-owned devices through endpoint access policies and controls.
- Use a trusted access platform (such as their own) with endpoint visibility and strong authentication to business application functions
I agree with report’s conclusion, but I would also add security patching and regular management reports of vulnerable devices should be included in modern company IT policies.
This applies to the small business of 5 staff or the enterprise of 5000, and services like DUO’s make vulnerability checking and two-factor security for work and BYOD affordable to all markets.
Two factor authentication
Usually described as “Something You Know plus Something You Have”, in DUO’s case it is a username and password (something you know), plus a code sent to the end user’s smartphone (something you have). This second login precaution ensures the user is who they say they are.
Endpoint visibility solutions
These ensure the security and trust of your users’ devices before they connect to your company network. Invest in endpoint protection that gives you:
- Insight into every mobile, tablet, PC or laptop accessing your company apps.
- Ability to notify users when their devices are out of date and provide resources to update.
- Ability to create policies to warn and block users from accessing your apps with outdated devices to keep your company data secure.
DUO security is a trusted access provider using two factor authentication to verify both users and devices before granting access to business applications.
The full DUO security report is at https://duo.com/assets/ebooks/duo-trusted-access-report.pdf