Why ignoring endpoint security can spell trouble for even highly secure servers.
In December 2000, there were an estimated 370 million internet users. By June 2014, this number had grown to over 3 billion(1), roughly an eightfold increase. Each of these users needs an endpoint to connect to the internet. An endpoint is simply any device connected to a network; in your organization it could be the laptop or mobile phone an employee uses to access the corporate network.
The ‘Internet of Things’ and the threat landscape
The internet is probably the number one way through which endpoints are infected with malware today. According to a recent report by Websense(2), the ‘Internet of Things’ will change the security landscape significantly: every internet-connected device expands the attack surface. What this means for enterprises is that every new internet-connected device, app and upgrade an employee brings in is a potential threat vector.
Here’s where drive-by downloads come in; they are one of the main sources of endpoint exploits. Drive-by downloads use exploit kits to deliver malware very efficiently. Most of the time it takes only a few seconds, and it happens without any interaction from the end-user. The principle of the drive-by download is simple: cyber criminals compromise trusted sites that we visit regularly from our computers, laptops and smartphones, whether news sites, e-commerce sites or even social media accounts, and plant code that redirects visitors to the exploit kit.
Exploit kits: A weapon of choice
Merely loading the compromised page is enough: your browser, media player or Flash plugin renders content from the site, and with it the kit’s landing page code. That code fingerprints the browser, its plugins and the operating system, selects an exploit that matches an unpatched version, and delivers it. If the applications on your endpoints are not fully patched, an endpoint can be infected within seconds.
Attention-seeking hacktivist groups are not the main threat (though they disrupt services, and companies can lose thousands of dollars because of IT security breaches). Stealthy cyber criminals, who use stolen information for personal or corporate financial gain, are a bigger threat precisely because knowing that an attack has occurred is a prerequisite for responding to it, and these criminals do not want you to know they have attacked your network. They use multiple techniques to disguise their activities during and after a breach. They do not discriminate between potential victims, and their weapon of choice is often the exploit kit: sophisticated, reliable, inexpensive and indiscriminate, delivering malicious code to millions of endpoints, private and corporate alike.
Exploit kits and automated malware have been available for rent or purchase on the black market for years. Over the past six years, since 2009, exploit kits have become more efficient and easier to use. Knowledge of scripting is no longer necessary to exploit unpatched operating systems or applications. One can simply purchase an exploit kit on the black market for as little as $29 for a starter kit and, as is rumoured, for upwards of $12,000 for a more robust system. Catalogue subscriptions for exploits vary from $300/year to $10,000, with a money-back guarantee. Things get more unbelievable still, with payment plans available for rentals and SLA upgrades with 24-hour customer support. Some of the popular exploit kits are Neutrino, Magnitude and Redkit, which have built on the innovations of the Blackhole kit(4).
Endpoint security and third party applications
There is no silver bullet for endpoint security. Each device with a remote connection to the network is a potential entry point for security threats. Endpoint security protects your network when it is accessed from remote devices such as laptops and mobile phones.
Hackers take advantage of vulnerabilities in old code to target new applications(2), and vulnerabilities in installed applications and operating systems are a component that organizations underestimate and hackers exploit. Traditionally, Microsoft was one of the focus areas for hackers, at both the application and the operating system level. As Microsoft improved its code and product security, cyber criminals shifted their attention to non-Microsoft application vulnerabilities years ago. Worryingly, enterprise security still has not.
Non-Microsoft applications installed on endpoints threaten the network security of many organizations. Third-party (non-Microsoft) applications account for the large majority of vulnerabilities on your network. As per our Vulnerability Review(5), three quarters of the vulnerabilities on private computers come from non-Microsoft applications, with the remaining quarter divided between Microsoft applications and operating systems; in most corporate environments, with their larger third-party application estate, the share will be larger still.
In a sample of the 200 most prevalent programs, an average of 75 programs per year had vulnerabilities with the Secunia classification of ‘extremely critical’ or ‘highly critical’ over a five-year period. In some years, 89% of these 75 programs changed their vulnerability state, from ‘highly critical’ to ‘less critical’ or ‘no vulnerabilities’ and vice versa; the average year-on-year change was 27%. What this means is that it is impossible to predict accurately which applications to focus on in any given year, so the whole installed base has to be monitored.
One common misconception is that non-Microsoft applications are irrelevant to business-critical data stored on a highly secure server. Many organisations believe they are secure, having focused their security efforts on their servers and other areas deemed business critical. However, endpoints are connected: even an endpoint that itself has no access to critical systems is connected to endpoints that do, through a browser-based CRM application, for example, or a document application such as a PDF reader. If such an endpoint is compromised, the attacker inherits whatever access that endpoint and its user have. Encrypting data at rest is irrelevant if hackers control the application that decrypts and displays the data.
Manage your patches
The good news is that there is a way to protect endpoints. In the Secunia Vulnerability Review(5), we found that 83% of the vulnerabilities disclosed in 2014 had a patch available on the day of disclosure. What this means is that most vulnerabilities can be patched as soon as they become known; the remainder need to be tracked and mitigated until a patch ships. The trick is to know what is installed and what to patch, and that is where patch management has an important role to play in your IT security strategy.
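The version check an exploit kit performs against a fingerprinted endpoint (above, under ‘Exploit kits: A weapon of choice’) is the same comparison patch management performs defensively: take what is installed, compare it against the versions that fix known vulnerabilities, and act on the gap. The following Python script is an added example illustrating that comparison; it is not code from Secunia or from this article. The inventory, the product names (AcmePDF, AcmeRuntime and so on) and the advisory entries are constructed for illustration and do not correspond to real products or advisories. It compares versions numerically component by component (so 10.0 sorts after 9.5 and 28.0 equals 28.0.0), ranks exposed programs by criticality, and separates those with a patch available from those that need mitigation.

```python
"""Version-aware patch gap check (added example; all data below is constructed)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str          # installed versions strictly below this are vulnerable
    criticality: str       # Secunia-style rating
    patch_available: bool  # was a patch available on the day of disclosure?


# Lower rank = more urgent.
CRITICALITY_RANK = {
    "extremely critical": 0,
    "highly critical": 1,
    "moderately critical": 2,
    "less critical": 3,
    "not critical": 4,
}

# Constructed endpoint inventory: product name -> installed version string.
INVENTORY = {
    "AcmePDF": "11.0.5",
    "AcmeRuntime": "7.0.51",
    "AcmePlayer": "12.0.0.77",
    "AcmeBrowser": "28.0",
    "AcmeOffice": "2.9",
}

# Constructed advisory feed (hypothetical products and versions).
ADVISORIES = [
    Advisory("AcmePDF", "11.0.10", "highly critical", True),
    Advisory("AcmeRuntime", "7.0.60", "extremely critical", True),
    Advisory("AcmePlayer", "12.0.0.77", "highly critical", True),   # already at fixed version
    Advisory("AcmeBrowser", "28.0.0", "less critical", True),       # 28.0 equals 28.0.0
    Advisory("AcmeOffice", "3.0", "moderately critical", False),    # no patch yet
    Advisory("AcmeChat", "2.0", "extremely critical", True),        # not installed here
]


def parse_version(version: str) -> tuple:
    """Extract the numeric components of a version string: '11.0.5a' -> (11, 0, 5)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than version b.

    Components are compared as integers, not strings, so '10.0' > '9.5'.
    Missing trailing components count as zero, so '1.2' == '1.2.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def find_exposed(inventory: dict, advisories: list) -> list:
    """Return (product, installed_version, advisory) for every installed program
    running below the fixed version, most critical first."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # advisory does not apply: product not installed
        if version_lt(installed, adv.fixed_in):
            hits.append((adv.product, installed, adv))
    hits.sort(key=lambda hit: (CRITICALITY_RANK[hit[2].criticality], hit[0]))
    return hits


def patch_plan(inventory: dict, advisories: list) -> dict:
    """Split exposed programs into those that can be patched now and those that
    must be mitigated (restricted, isolated, or monitored) until a patch exists."""
    plan = {"patch_now": [], "mitigate": []}
    for product, _installed, adv in find_exposed(inventory, advisories):
        plan["patch_now" if adv.patch_available else "mitigate"].append(product)
    return plan


if __name__ == "__main__":
    for product, installed, adv in find_exposed(INVENTORY, ADVISORIES):
        print(f"{adv.criticality:>20}: {product} {installed} < {adv.fixed_in}"
              f" (patch {'available' if adv.patch_available else 'pending'})")
    print(patch_plan(INVENTORY, ADVISORIES))
```

On the constructed data, AcmeRuntime and AcmePDF land in the patch-now list, AcmeOffice in the mitigate list, and AcmePlayer and AcmeBrowser are correctly left alone even though their version strings differ in length or formatting from the advisory. A naive string comparison would get the AcmeBrowser case wrong, which is exactly the kind of discrepancy that leaves an endpoint unpatched while the dashboard reports it as current.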
1) Internet World Stats
2) Websense 2015 Security Predictions Report
3) Websense 2014 Threat Report
4) Sophos Security Threat Report 2014
5) Secunia Vulnerability Review 2014
6) Secunia report: How to secure a moving target
7) Secunia Research