Interviews

Bring your own … vulnerability!?

by Mark Rowe

CISOs are worried by BYOD – Bring Your Own Device – it is suggested. Maria Eriksen-Jensen, VP of Business Development and Marketing at Secunia, takes a look at how vulnerable the private PCs we love to bring to work are.

The BYOD – Bring Your Own Device – trend is on the increase. A recent study of 600 US IT and business leaders by Cisco found that as much as 95 per cent of the organizations allow employee-owned devices in the work-place in some shape or form. According to the study, “by 2014, the average number of connected devices per knowledge worker will reach 3.3, up from an average of 2.8 in 2012.” (*1)

While the benefits are many to both employers and employees – the mutual flexibility and accessibility, to name the obvious ones – BYOD is a double-edged sword: there are substantial security concerns involved in this merge of the private and the professional spheres.
The respondents in the study cited security/privacy of company data as the top challenge of BYOD. And they are quite right to be worried.

As Gartner points out in a recent report, employee-owned devices are unmanaged, and their security state is essentially unknown: “When these devices are used to access corporate data and applications, there is the risk of attacks that exploit vulnerabilities that are present on the devices. (…). Another major soft spot is the user. Employees are subject to phishing attacks or social engineering and may give up credentials that are used to access applications. This bypasses much of the shielding that is in place and provides an unimpeded path to critical data.” (*2)
A glimpse at how secure those ‘Own Devices’ are:

The security state of employee-owned devices is not, however, completely unknown. Secunia’s software analysis gives us an indication of the state of security on the PCs of private users. Secunia’s data is derived from the 6.1 million private users worldwide using the Secunia PSI (Personal Software Inspector), and includes data on the share of vulnerable software found on private PCs.

The PSI data tells us that three of the most popular programs on private PCs in the UK remain unpatched on one third of the PCs – even though they are vulnerable, and even though patches are available:
• There are 58 vulnerabilities in Sun Java 6 – 63% of PC users in the UK have it installed on their PCs, and 57% of those haven’t patched it.
• There are 26 vulnerabilities in Apple QuickTime 7 – 56% of PC users in the UK have it installed on their PCs, and 49% of those haven’t patched it.
• There are 71 vulnerabilities in Adobe Flash Player 11 – 87% of PC users in the UK have it installed on their PCs, and 24% of those haven’t patched it.

The combination of private users who do not update their software AND the proportion of the workforce bringing their own device to work is a dangerous cocktail. And the Cisco study (*1) indicates that it doesn’t stop at the device – employees also want to bring their own applications to work – especially social networks, cloud-based email, and instant messaging. Essentially, the digital behaviour employees adopt in their personal lives, with the IT security risks it involves, is now brought into contact with the corporate IT infrastructure.

The fact that so many users are not updating the software on their private PC clearly demonstrates the headache the BYOD trend presents to IT teams: with so many variables – the number of programs, on the number of devices, managed by a number of individuals – patching is not something that can easily be controlled manually. After all, how will an IT team know what to patch?
What should you do about it?

To protect endpoints that are connected to the corporate IT infrastructure from vulnerabilities, it is necessary to know about, prioritise and patch the vulnerable software. This is supported by Gartner, who predicts that “Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and be detectable via security monitoring”. (*2)
A patch remediates the root cause of the problem, and thereby neutralises a large number of attack vectors (*3). This is done by applying the patches issued as security updates by software vendors, and while most corporations with IT teams on board can be expected to have a patch strategy (of varying degrees of efficiency, of course), patch management routines and resources are not something we should expect from end users or smaller businesses.

Why? Because it takes too much time and is far too complicated a task: people do not consider updating their software for security reasons a priority (surprisingly, they have more interesting things to spend their time on!) and many people believe that updating their Microsoft programs is sufficient. The problem is that on average, a private PC in the UK has 72 programs on it – only 27 of those are from Microsoft, and 45 are from third-party vendors. Third-party software is where 78% of all vulnerabilities are found.

One major reason why private users and small businesses find it cumbersome to patch vulnerabilities is the number of update mechanisms it is necessary to master to stay secure.

While Microsoft issues automatic updates to their programs, we know from the Secunia database that this will only cover 34% of the programs installed on the average UK PC: 66% of the programs on an average UK PC are from third-party vendors, who have their own update mechanisms. This means that the average UK user has to master 23 different update mechanisms to patch the software on their PC – and not only master the update mechanism, but actually perform the updates on an ongoing basis, to keep their PCs secure from vulnerabilities.
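The two steps the article keeps returning to – knowing which installed programs are still unpatched and prioritising them, and counting how many separate vendor update mechanisms one PC depends on – can be shown in a few lines of code. The example below is added here and is not code from the article, from Secunia or from the PSI; the product names and vulnerability counts are the article's own figures, while the hostnames, installed version numbers and "first fixed" version numbers are constructed placeholders, not real release data.

```python
"""Endpoint patch triage over a constructed inventory (added example,
not Secunia's or the PSI's code).

Steps shown: match installed programs against an advisory table,
keep only what is still unpatched, rank by vulnerability count so the
worst gets patched first, and count the third-party update mechanisms
each PC owner would have to operate on top of Microsoft's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vendor: str
    vuln_count: int      # known vulnerabilities in unpatched builds (article figures)
    fixed_version: str   # first build that closes them (constructed placeholder)


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    vendor: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    fixed: str
    vuln_count: int


# Constructed advisory table: products, vendors and counts come from the
# article; the fixed versions are placeholders.
ADVISORIES = {
    "Sun Java 6":            Advisory("Oracle", 58, "6.0.40"),
    "Apple QuickTime 7":     Advisory("Apple", 26, "7.7.5"),
    "Adobe Flash Player 11": Advisory("Adobe", 71, "11.6.0"),
}

# Constructed inventory of two employee-owned PCs (hostnames and versions invented).
INVENTORY = [
    Installed("laptop-01", "Sun Java 6", "Oracle", "6.0.31"),
    Installed("laptop-01", "Adobe Flash Player 11", "Adobe", "11.6.0"),
    Installed("laptop-01", "Apple QuickTime 7", "Apple", "7.7.5"),
    Installed("laptop-01", "Microsoft Office 2010", "Microsoft", "14.0.7"),
    Installed("laptop-01", "Microsoft Windows 7", "Microsoft", "6.1.7601"),
    Installed("laptop-02", "Sun Java 6", "Oracle", "6.0.40"),
    Installed("laptop-02", "Adobe Flash Player 11", "Adobe", "11.2.202"),
    Installed("laptop-02", "Apple QuickTime 7", "Apple", "7.6.9"),
    Installed("laptop-02", "Microsoft Windows 7", "Microsoft", "6.1.7601"),
    Installed("laptop-02", "Mozilla Firefox", "Mozilla", "17.0.1"),
]


def parse_version(text: str) -> tuple:
    """Dotted numeric version to a comparable tuple: '6.0.31' -> (6, 0, 31)."""
    return tuple(int(part) for part in text.split("."))


def is_unpatched(item: Installed, advisory: Advisory) -> bool:
    """True when the installed build predates the first fixed build."""
    return parse_version(item.version) < parse_version(advisory.fixed_version)


def triage(inventory, advisories) -> list:
    """Know and prioritise: keep installed programs that an advisory covers and
    that are still unpatched, worst vulnerability count first, then by host."""
    findings = []
    for item in inventory:
        adv = advisories.get(item.product)
        if adv is not None and is_unpatched(item, adv):
            findings.append(Finding(item.host, item.product, item.version,
                                    adv.fixed_version, adv.vuln_count))
    return sorted(findings, key=lambda f: (-f.vuln_count, f.host))


def third_party_share(inventory) -> float:
    """Fraction of installed programs not from Microsoft, i.e. not covered by
    Microsoft's automatic updates."""
    third_party = sum(1 for item in inventory if item.vendor != "Microsoft")
    return third_party / len(inventory)


def update_mechanisms(inventory, host: str) -> set:
    """Distinct third-party vendors on one host: each one is a separate update
    mechanism the PC's owner has to operate, on top of Microsoft's."""
    return {item.vendor for item in inventory
            if item.host == host and item.vendor != "Microsoft"}


if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f.host}: {f.product} {f.installed} -> patch to {f.fixed} "
              f"({f.vuln_count} known vulnerabilities)")
    print(f"third-party share of installed programs: {third_party_share(INVENTORY):.0%}")
    for host in ("laptop-01", "laptop-02"):
        print(f"{host}: {len(update_mechanisms(INVENTORY, host))} third-party update mechanisms")
```

On the constructed data the triage puts the unpatched Flash Player on laptop-02 first (71 vulnerabilities), then the old Java 6 on laptop-01, then QuickTime on laptop-02; programs at or above the fixed build are not reported. Real version strings are messier than the purely numeric ones used here (vendor suffixes, build tags), so a production inventory would need a vendor-aware version comparison rather than the simple dotted split above.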

The endpoint threat to corporate security

Endpoint security – or lack of it – is among the biggest threats to corporate security. And vulnerable software on these endpoints is one of the most popular attack vectors with hackers – an attack vector that is likely to be used more and more.

Essentially, business and private endpoints are very rewarding targets for cybercriminals (*3):

• Endpoints are very difficult to secure
Endpoints are extremely dynamic environments with numerous programs and plug-ins installed. Paired with unpredictable usage patterns, this makes them formidable targets that are difficult to defend.

• Endpoints are valuable
Endpoints are where the most valuable data is found to be the least protected. By definition, endpoints have access to all data needed to conduct an organisation’s business.

• Everyone is a target
Every endpoint represents a valuable target for cybercriminals, even if no sensitive data is present. The endpoints’ computing power and bandwidth provide valuable resources, for example as an infection point, proxy, or for distributed password cracking services.

The bottom line:

It is highly relevant for CISOs to be aware of the developments and interdependencies in the three areas: The BYOD trend, endpoint security and the presence of vulnerable software on end user PCs, because endpoints are attractive targets for cybercriminals and endpoints are becoming more difficult to manage due to the BYOD trend. Thus, corporations must be prepared for greater exposure to threats and attacks.

Notes

From January 2013, parts of the PSI data will be published in the form of Country Reports on Secunia’s website.

About Secunia

Founded in 2002, Secunia is based in Copenhagen, and is a provider of IT security. For more information, visit secunia.com

(*1) Cisco: IBSG Horizons Study, 2012.
(*2) Gartner: “Adapting Vulnerability Management to Advanced Threats”, April 2012.
(*3) Secunia: How to Secure a Moving Target with Limited Resources, 2011.


© 2024 Professional Security Magazine. All rights reserved.