Security firm Sophos ran a 40-day test that scanned the computers of corporate users visiting its site, and the results aren’t pretty: four in five of the machines checked were lacking in at least one area of security.
The Sophos Endpoint Assessment Test scans were voluntary and applied only to people visiting from a corporate site, as Sophos’ specialty is business protection, not consumer security. The scan covered three areas: whether Microsoft patches were current, whether the client firewall was enabled, and whether endpoint security software was installed and up to date.
Sophos found that 81 percent of the 580 computers checked were missing at least one key security component: they lacked some of the patches issued by Microsoft, the client firewall was disabled, or the antivirus software was out of date or disabled.
The tests found that 63 percent of tested systems were missing at least one Microsoft security patch from Windows, Office, Internet Explorer, Windows Media Player or Adobe’s Flash Player. Meanwhile, 51 percent of endpoints tested had disabled client firewalls and 15 percent had out-of-date or disabled endpoint security software, like an antivirus client.
Sophos then followed up with the firms to find out what lay behind the failures. It found that people tend to rely heavily on their software and tools, even though those tools cannot see everything.
“Sometimes these tools don’t know what they don’t know,” Bill Emerick, vice president of product management for Network Access Control at Sophos, told InternetNews.com. “I do believe that IT organizations are well-intended and trying to make the right investments. I think in some cases our toolsets are failing us and we have more work ahead of us.”
For example, the survey found that most people rely on Windows Update, which ships with Windows but only checks for Windows patches. To get fixes for Microsoft Office and other Microsoft applications, users need Microsoft Update, which has to be obtained and set up separately from Microsoft.
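As an added illustration of the three checks described above (this is not code from the article or from Sophos), the following PowerShell script runs the same kind of assessment on the local machine: it reports whether the box is opted in to Microsoft Update rather than Windows Update alone, lists applicable Microsoft security updates that are not installed, checks each host firewall profile, and checks Microsoft Defender's signature age. It assumes Windows 8 / Server 2012 or later (for the NetSecurity and Defender cmdlets) and an elevated prompt; the three-day signature-age threshold and the function names are this example's own choices.

```powershell
# Added example: a local version of the three-area posture check (patches, firewall, antivirus).
# Not code from the article or from Sophos. Assumes Windows 8/Server 2012 or later with the
# NetSecurity and Defender PowerShell modules; run from an elevated prompt for complete results.

# Well-known service ID of Microsoft Update as registered with the Windows Update Agent.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Test-MicrosoftUpdateOptIn {
    # Windows Update alone only sees Windows patches; Office and other Microsoft product
    # fixes are offered only if the Microsoft Update service is registered with Automatic Updates.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $svc = $mgr.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    [bool]($svc -and $svc.IsRegisteredWithAU)
}

function Get-MissingMicrosoftUpdates {
    # Ask the Windows Update Agent for updates that apply to this machine but are not installed.
    # This contacts the configured update source (Microsoft or WSUS) and can take a while.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity   # Critical/Important/Moderate/Low; empty for non-security updates
        }
    }
}

function Get-FirewallProfileState {
    # The Sophos scan counted a disabled client firewall as a failure, so check every profile.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Profile = $_.Name; Enabled = ([string]$_.Enabled -eq 'True') }
    }
}

function Get-AntivirusState {
    # Assumption: signatures older than $MaxSignatureAgeDays count as out of date.
    param([int]$MaxSignatureAgeDays = 3)
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Enabled            = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        UpToDate           = ($s.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }
}

function Invoke-EndpointAssessment {
    $missing  = @(Get-MissingMicrosoftUpdates)
    $firewall = @(Get-FirewallProfileState)
    $av       = Get-AntivirusState

    # Only count security updates (those with an MSRC severity) as missing patches.
    $missingSecurity = @($missing | Where-Object { $_.Severity })
    $patchesOk  = ($missingSecurity.Count -eq 0)
    $firewallOk = (@($firewall | Where-Object { -not $_.Enabled }).Count -eq 0)
    $avOk       = ($av.Enabled -and $av.RealTimeProtection -and $av.UpToDate)

    [pscustomobject]@{
        MicrosoftUpdateOptIn   = Test-MicrosoftUpdateOptIn
        MissingSecurityPatches = $missingSecurity.Count
        PatchesOk              = $patchesOk
        FirewallOk             = $firewallOk
        AntivirusOk            = $avOk
        Pass                   = ($patchesOk -and $firewallOk -and $avOk)
    }
}

Invoke-EndpointAssessment | Format-List
```

Two caveats a practitioner would want: if `Test-MicrosoftUpdateOptIn` returns False, the missing-update list will not include Office or other Microsoft product fixes, so a clean patch result is only as good as the opt-in status reported alongside it; and `Get-MpComputerStatus` only describes Microsoft Defender, so on a machine running a third-party antivirus the antivirus check has to query that vendor's agent instead.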
Microsoft did not respond to a query from InternetNews.com to comment on the survey’s findings as of press time.
Exploiting vulnerabilities
The risk for end users is that when Microsoft issues its monthly patches on “Patch Tuesday,” the second Tuesday of the month, malware writers examine the fixes, comparing patched and unpatched code, which points them straight at the vulnerabilities. They then write exploits for the flaws Microsoft has just disclosed, hoping to snare people who were slow to patch.
It’s easy to miss a patch from Microsoft. Emerick estimates there are between 600 and 700 total fixes from the company. A common claim is that people don’t patch because their company is concerned it might break applications, but Sophos said that concern is overstated. The more common reason is that people simply forget.
Other reasons for the poor showing: some end users postpone updates and then forget to install them later; others disable the firewall on their PCs because they figure the corporate firewall is enough; and some make the same assumption about antivirus, disabling their PC’s security software on the grounds that corporate security is enough.
“There is no single answer to why people failed the check,” said Emerick. “It falls under the category of stuff happens. Some of it is based on company practice but often that is not the issue.”
The data was gathered from corporate endpoints across all geographies. North America represented 39 percent of the sample base, while the UK made up 36 percent, and Australia and Germany were 11 percent and 9 percent respectively, with the remaining 5 percent covering a variety of countries.