By Stefan Frei
The Secunia Yearly Report 2011 analyses the evolution of software security from a global, industry, enterprise, and end-point perspective. We present data on vulnerability, exploit, and patch availability and correlate this information with the market share of programs to evaluate the true threats. By doing so, we address the main challenges that organisation's face when protecting their software portfolios and, therefore, formulate a strategy to optimise limited security resources in light of the current dynamic threat environment.
The report underlines what we like to call the known/unknown challenge - the great divide between what programs you think you have installed and what you actually have installed, and what you then choose to patch. For instance, the programs that an organisation perceives as top priorities to patch vs. the programs that cybercriminals actually target are often vastly different. A typical corporate infrastructure contains layers of programs that organisations a) consider business-critical, b) know about, and c) don't know about. Many organisations will focus on patching the top layer - business-critical programs - only. However, cybercriminals will target all programs.
Importantly, our research concludes that rare programs can also be targets. Indeed, it's not just the usual suspects anymore - uncommon programs can also be exposed to cybercriminal attacks. Analysing the market share vs. exploit availability demonstrates that all programs are at risk.
In order to tell the story behind these conclusions, I am pleased to share with you some other highlights of the report.
- Vulnerabilities are resilient!
Despite the number of vulnerabilities decreasing in 2011 in general, the five-year trend identified that none of the Top-20 producers of software (commercial or open source) managed to decrease the number of vulnerabilities in their products.
- End-points are top targets
End-points are where the most valuable data (business-critical data, personal information, etc.) is found to be the least protected. Because end-points are dynamic environments with unpredictable usage patterns, they are difficult to secure and defend.
- The trend in end-point vulnerabilities continues
The number of end-point vulnerabilities continues to increase. For over 800 vulnerabilities, more than 50% were rated as either ‘Highly' or ‘Extremely critical' and were exploitable from remote. Billions of potential targets - all Internet users - are therefore at risk.
- Microsoft programs are no longer the main targets
Third-party programs are almost exclusively responsible for this growing trend in end-point vulnerabilities. The share of third-party vulnerabilities on a typical end-point increased from 45% in 2006 to 78% in 2011. In fact, 78% of the vulnerabilities in 2011 affected third-party programs, far outnumbering the 12% of vulnerabilities in the operating system or the 10% of vulnerabilities in Microsoft programs.
- Complexity is the worst enemy of security
The Top-50 software portfolio installed on a typical end-point comprises programs from 12 different vendors (28 Microsoft programs and 22 third-party programs). It therefore involves 12 different update mechanisms to keep a typical end-point secure (1 ‘Microsoft update and 11 additional update mechanisms). This complexity to stay secure has a measurable effect on the security level found in the field.
- A static approach is a failed, outdated approach
For an organisation with over 600 programs installed in their network, more than 50% of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa. Therefore, identification of all installed programs and an agile, dynamic patching strategy is the key to knowing the risks faced and successfully tackling vulnerabilities.
The good news is that we can all take back control. 72% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch end-points is in the hands of all end-users and organisations.
To download the Secunia Yearly Report 2011, click here.
Read the official press release here.
Research Analyst Director