A survey conducted at Black Hat 2015 reveals that endpoint poses the greatest security to threat to cybersecurity, with 90 per cent of respondents stating their organisations would be more secure if Flash was disabled.
Black Hat 2015: State of Security, released by Bromiun Inc. yesterday, also reveals that a large number of businesses find the implementation of patches for “zero-day vulnerabilities” in the software they are using (including Internet browsers and Flash) to be an enormous challenge. While most believed that the recently launched Windows 10 does improve security, a third said these improvements were not sufficient.
Bromium, considered a pioneer in threat isolation technology to prevent breaches relating to data, surveyed more than 100 IT professionals at the annual Black Hat conference held in Nevada earlier this month.
Bromium asked participants:
- To identify the source of the greatest security risks in their organisations
- State whether their organisations would be more secure if Flash was disabled
- If their organisations would be less productive and/or if critical applications were likely to break if Flash was disabled
- How quickly organisations implement patches for zero-day vulnerabilities
- Which industry is most at risk of cyber attacks
- Which industry implements the best security practices
- What they thought about Windows 10 security features
- Whether they were planning to upgrade to Windows 10
The Endpoint Identified as the Greatest Security Risk
The survey found that most participants were cynical though pragmatic, identifying that end users introduce the greatest security risk. A total of 55 per cent selected the endpoint, while 27 per cent said insider threats were the biggest problem. Only 9 per cent said the cloud was the greatest risk, and 9 per cent said networks.
Researchers did not find this surprising, since the human element is an obvious security risk – particularly when people use untrusted networks outside their office or home environment, including coffee shops, hotels, and airports.
This human element not only increases the endpoint risk, but also the risk of cyber attack, largely because typical detection-based security solutions like antivirus simply don’t identify malicious content on the Internet or in emails.
Impact of Flash on Security and Productivity
There is no doubt that IT security professionals are ultra-aware of the security threats Flash poses, with 90 per cent of survey participants stating that their organisation would definitely be more secure if they disabled Flash.
This is in keeping with earlier Bromium Labs report 'Endpoint Exploitation Trends,' that found Flash had been responsible for more “exploits” than any other software during the first half of 2015.
Further, Flash vulnerabilities are currently so overwhelmingly problematic that YouTube has switched from Flash to HTML5; Mozilla has temporarily blocked Flash from Firefox; and the new security chief of Facebook, Alex Stamos has called for Flash to be “killed.”
According to the Black Hat survey report, the reason there are so many Flash exploits is simply because of the popularity of the software, just as Java exploits used to be very common.
The challenge for IT security professionals is that disabling Flash is not always an option they can choose – specially since many operations teams insist that it will make the organisations less productive and even “break” some of their critical applications if it was disabled.
Of those who participated in the survey, 44 per cent said productivity would be adversely affected.
Implementation of Patches to Overcome Security Vulnerabilities
Implementing patches was reported to be a major problem for many of the information security professionals who responded to the survey. Only 10 per cent said they were able to implement patches for “zero-day vulnerabilities” in the first day after patches were released. Considerably more – 50 per cent – could get this done within a week; 22 per cent said it takes a month or more.
The greatest concern was for organisations running vulnerable versions of Flash since they could easily be compromised by exploit kits like the currently popular Angler.
Industries Most at Risk
While most information security professionals felt critical infrastructure in general was at the most risk of cyber attack, when asked to identify which industries were most vulnerable, 30 per cent said financial services. However, ironically, 60 per cent felt that financial services had the best security practices, followed by technology (27 per cent.)
While 12 per cent identified government as being most as risk, 17 per cent named health care, and energy equally. Other industries mentioned included retail and transport, both of which were identified by less than half the respondents.
Reaction to Windows 10
There was mixed reaction to Windows 10, with many professionals (40 per cent) having zero opinion about it. Nevertheless, 23 per cent said security was dramatically improved, while 33 per cent said the improvement was not sufficient. Only 4 per cent said that there was no improvement at all.
Since Windows 10 was released shortly before Black Hat 2015, none of the respondents had upgraded to Windows 10: only about 10 per cent planned to upgrade in the next three months. A large percentage (40) had no plans to upgrade, and 31 per cent said they would wait at least a year before upgrading.
Ultimately, the Bromium survey found that whilst the endpoint is currently considered to be the greatest security risk, the human element is just one element of the risk. The other major vulnerability is software, which is a trend the company continues to research on an ongoing basis.