Cybersecurity Survey Reveals Endpoint Risk

Cybersecurity Survey Reveals Endpoint Risk

A survey conducted at Black Hat 2015 reveals that endpoint poses the greatest security to threat to cybersecurity, with 90 percent of respondents stating their organizations would be more secure if Flash was disabled.

Black Hat 2015: State of Security, released by Bromiun Inc. yesterday, also reveals that a large number of businesses find the implementation of patches for “zero-day vulnerabilities” in the software they are using (including Internet browsers and Flash) to be an enormous challenge. While most believed that the recently launched Windows 10 does improve security, a third said these improvements were not sufficient.

Flash has become a prime target for hackers, thanks to the popularity and widespread use of the software, so it’s no surprise an overwhelming majority of those surveyed believe their organizations would be safer without Flash,” Clinton Karr, senior security strategist at Bromium told CloudTweaks today. “This has been a huge topic within the industry as we’ve seen numerous critical patches for the software over the course of this year. As hackers continue to exploit Flash users, it’s extremely important for companies to consider disabling it or to turn to new technology that doesn’t jeopardize productivity and security.”

Bromium, considered a pioneer in threat isolation technology to prevent breaches relating to data, surveyed more than 100 IT professionals at the annual Black Hat conference held in Nevada earlier this month.

They asked participants:

  • To identify the source of the greatest security risks in their organizations
  • State whether their organizations would be more secure if Flash was disabled
  • If their organizations would be less productive and/or if critical applications were likely to break if Flash was disabled
  • How quickly organizations implement patches for zero-day Vulnerabilities
  • Which industry is most at risk of cyber attacks
  • Which industry implements the best security practices
  • What they thought about Windows 10 security features
  • Whether they were planning to upgrade to Windows 10

The Endpoint Identified as the Greatest Security Risk

The survey found that most participants were cynical though pragmatic, identifying that end users introduce the greatest security risk. A total of 55 percent selected the endpoint, while 27 percent said insider threats were the biggest problem. Only 9 percent said the cloud was the greatest risk, and 9 percent said networks.

Researchers did not find this surprising, since the human element is an obvious security risk – particularly when people use untrusted networks outside their office or home environment, including coffee shops, hotels, and airports. This human element not only increases the endpoint risk, but also the risk of cyber attack, largely because typical detection-based security solutions like antivirus simply don’t identify malicious content on the Internet or in emails.

Impact of Flash on Security and Productivity

flash

There is no doubt that IT security professionals are ultra-aware of the security threats Flash poses, with 90 percent of survey participants stating that their organization would definitely be more secure if they disabled Flash. This is in keeping with an earlier Bromium Labs report Endpoint Exploitation Trends, that found Flash had been responsible for more “exploits” than any other software during the first half of 2015. Further, Flash vulnerabilities are currently so overwhelmingly problematic that YouTube has switched from Flash to HTML5; Mozilla has temporarily blocked Flash from Firefox; and the new security chief of Facebook, Alex Stamos has called for Flash to be “killed.”

According to the Black Hat survey report, the reason there are so many Flash exploits is simply because of the popularity of the software, just as Java exploits used to be very common.

The challenge for IT security professionals is that disabling Flash is not always an option they can choose – specially since many operations teams insist that it will make the organizations less productive and even “break” some of their critical applications if it was disabled.

Of those who participated in the survey, 44 percent said productivity would be adversely affected.

Implementation of Patches to Overcome Security Vulnerabilities

Implementing patches was reported to be a major problem for many of the information security professionals who responded to the survey. Only 10 percent said they were able to implement patches for “zero-day vulnerabilities” in the first day after patches were released. Considerably more – 50 percent – could get this done within a week; 22 percent said it takes a month or more.
The greatest concern was for organizations running vulnerable versions of Flash since they could easily be compromised by exploit kits like the currently popular Angler.

Industries Most at Risk

While most information security professionals felt critical infrastructure in general was at the most risk of cyber attack, when asked to identify which industries were most vulnerable, 30 percent said financial services. However, ironically, 60 percent felt that financial services had the best security practices, followed by technology (27 percent.)

While 12 percent identified government as being most as risk, 17 percent named health care, and energy equally. Other industries mentioned included retail and transport, both of which were identified by less than half the respondents.

Reaction to Windows 10

There was mixed reaction to Windows 10, with many professionals (40 percent) having zero opinion about it. Nevertheless, 23 percent said security was dramatically improved, while 33 percent said the improvement was not sufficient. Only 4 percent said that there was no improvement at all.

Since Windows 10 was released shortly before Black Hat 2015, none of the respondents had upgraded to Windows 10: only about 10 percent planned to upgrade in the next three months. A large percentage (40) had no plans to upgrade, and 31 percent said they would wait at least a year before upgrading.

Ultimately, the Bromium survey found that whilst the endpoint is currently considered to be the greatest security risk, the human element is just one element of the risk. The other major vulnerability is software, which is a trend the company continues to research on an ongoing basis.

By Penny Swift

The Sticky Note.png
Holiday Photos.png
Data Fallout.png
Disaster Recovery Plan.png
Gary Bernstein
Secure Remote Authentication When employees are working remotely, they need to be able to access company resources and applications just as if they were in the office. This means that remote authentication needs to be ...
Matrix
When sci-fi films like Tom Cruise’s Oblivion depict humans living in the clouds, we imagine that humanity might one day leave our primitive dwellings attached to the ground and ascend to floating castles in the ...
Jim Fagan
Subsea Connectivity Digital transformation and the migration of data and applications to the cloud is a global phenomenon. While we may like to think that the cloud knows no borders, the reality is that geopolitics ...
David Loo
The Long-term Costs of Data Debt It’s no secret that many of today’s enterprises are experiencing an extreme state of data overload. With the rapid adoption of new technologies to accommodate pandemic-induced shifts like remote ...
Dana Gardner
Low-code Development Has Entered a Maturity Spurt Closing the gap between the applications and services a company needs -- and the ones they can actually produce -- has long been a missing keystone for attaining ...
  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.