A report from Duo Labs examines the general health of 2 million devices, all of them running the Duo's two-factor authentication application. The devices, including laptops, desktops, tablets, and phones, highlight the pain that comes with allowing users to incorporate their own devices into the network.
In Verizon's most recent Data Breach Investigations Report, the data showed that basic defenses continue to be sorely lacking in many organizations.
And while security professionals continue to doubt Verizon's list of exploited vulnerabilities, the general fact that previously patched vulnerabilities are often the primary target of criminals holds true – it's why patching and patch management is so important.
However, when Duo Labs looked at the state of their customer devices, again working with a sample of 2 million systems, there was a clear gap when it comes to basic security hygiene.
"Our data indicates a high rate of out-of-date and vulnerable endpoints that can expose your company’s apps and data to malware, credential theft, and a potential data breach," the report states.
Of the devices with Java and Flash installed, the majority of the installations were out of date – 60-percent for Flash and 72-percent for Java.
Vulnerable Flash and Java installations are one of the reasons criminals have been able to spread Ransomware to organizations the across the globe. All it takes is just one vulnerable installation for the criminal to get a foothold, and most exploit kits serving Ransomware target Flash and Java.
HTML 5 has rendered Flash obsolete for the most part, but Java continues to be required for legacy systems, which organizations need for day-to-day operations. Until they can both be fully wiped from the network, they're a known risk that administrators will have to deal with.
Another problem is Internet Explorer.
Duo Labs discovered that 25-percent of the Windows devices in their data set were running outdated versions of the browser, and half of the Windows XP systems are on either Internet Explorer version 7 or version 8.
Given that Internet Explorer is still something many organizations can't just dump, ensuring that the latest version is available is the best option. No one can ignore the fact that Microsoft's legacy browser has a huge target painted on its side.
Speaking of browsers:
"Eighty-two percent of Chrome users are up to date, compared to 58 percent of Edge and IE 11 users, and 66 percent of Firefox users. Chrome users may be more up to date than other browsers since Google rolls out updates and new versions automatically to Chrome, without required approval from the user." - Duo Labs, Trusted Access Report
Finally, Mac users were generally more up to date than Windows users when it came to OS footprints. The report notes that only 35-percent of the Windows installations were currently supported by Microsoft. On the other side of that coin, 53-percent of the OS X installations were current.
Duo Labs suggests that this is because Apple's updates are generally more stable and don't require any testing or staging.
In some cases, this is true, but Apple has a way of incorporating updates as part of their experience, so many users simply want them. When it comes to Microsoft on the other hand, updates are a chore and have been known to break things.
When it comes to security, having the basics in place (or the ability to do them) will save organizations from many problems. However, a lack of basics is a great way to ensure that what would've been a small issue, transforms into a time-consuming resource drain of a nightmare.
The full report is available on the Duo Labs website.