A recent BitSight study of more than 35,000 companies worldwide found that more than 25 percent of the computers used in the government sector were running outdated Mac or Windows operating systems, and over 25 percent were running outdated versions of Web browsers.
Almost 80 percent of those outdated systems ran MacOS. A month after each MacOS update is released, the study found, over 35 percent of companies still haven’t upgraded to the latest version.
Finance, healthcare and retail aren’t faring much better, with approximately 15 percent of operating systems and browsers out of date in each of those industries.
Over 2,000 of the organizations surveyed run more than half of their computers on outdated versions of an operating system, which BitSight says makes them almost three times as likely to experience a publicly disclosed breach.
Similarly, over 8,500 organizations have more than 50 percent of their computers running an outdated version of an Internet browser, doubling their chances of experiencing a publicly disclosed breach.
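The BitSight metric described above (share of an organization's endpoints on an outdated OS, with "more than half" as the risk threshold) is straightforward to compute from an asset inventory. The script below is an added example, not BitSight's code or methodology: the inventory records, organization names and the table of versions treated as current are constructed for illustration, and in practice the current-version table would be built from vendor lifecycle data.

```python
from typing import Dict, List, Set, Tuple

# Assumption: versions an organization counts as current for each OS family.
# These values are constructed for the example; a real table comes from
# vendor lifecycle data and should be refreshed as releases ship.
CURRENT_VERSIONS: Dict[str, Set[str]] = {
    "macos": {"10.12.5", "10.12.4"},
    "windows": {"10", "8.1", "7"},
}

# Constructed endpoint inventory: (organization, OS family, OS version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("org-a", "windows", "xp"),
    ("org-a", "windows", "vista"),
    ("org-a", "macos", "10.11.6"),
    ("org-a", "windows", "10"),
    ("org-b", "macos", "10.12.5"),
    ("org-b", "windows", "10"),
    ("org-b", "windows", "7"),
    ("org-b", "macos", "10.12.3"),
    ("org-c", "windows", "vista"),
    ("org-c", "windows", "8.1"),
]


def is_outdated(os_family: str, version: str) -> bool:
    """True when the version is not in the current set for its OS family."""
    current = CURRENT_VERSIONS.get(os_family.lower())
    if current is None:
        return True  # unknown family: treat conservatively as unsupported
    return version.lower() not in current


def outdated_share(inventory: List[Tuple[str, str, str]]) -> Dict[str, float]:
    """Fraction of each organization's endpoints running an outdated OS."""
    totals: Dict[str, Tuple[int, int]] = {}
    for org, family, version in inventory:
        total, outdated = totals.get(org, (0, 0))
        totals[org] = (total + 1, outdated + int(is_outdated(family, version)))
    return {org: outdated / total for org, (total, outdated) in totals.items()}


def flag_majority_outdated(shares: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Organizations with strictly more than `threshold` of endpoints outdated."""
    return sorted(org for org, share in shares.items() if share > threshold)


if __name__ == "__main__":
    shares = outdated_share(INVENTORY)
    for org, share in sorted(shares.items()):
        print(f"{org}: {share:.0%} of endpoints on an outdated OS")
    print("majority outdated:", flag_majority_outdated(shares))
```

Note that the threshold comparison is strict, matching "more than half": org-c, with exactly half of its endpoints outdated, is not flagged, while org-a is.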
Older Versions of Windows
In March of 2017, two months prior to the WannaCry ransomware attack, almost 20 percent of all Windows computers examined by BitSight were using Windows Vista or XP, both of which are no longer officially supported by Microsoft.
“The WannaCry attack brought to light the threat posed by outdated systems on corporate networks,” BitSight CTO and co-founder Stephen Boyer said in a statement. “Our researchers found that thousands of companies across every industry are using endpoints with outdated operating systems and browsers.”
“Research and analysis of organizational endpoint configuration and vulnerabilities suggests that unless companies begin to take a proactive approach to updating their systems, we may see larger attacks in the future,” Boyer added. “Endpoint information can serve as a key metric for executives, board members, insurers, and security and risk teams to understand and mitigate the risks of their insureds or their vendors.”
According to Risk Based Security’s Vulnerability QuickView report for Q1 2017, 4,837 unique vulnerabilities were reported in the first quarter of the year, a 29.2 percent increase over the same period in 2016.
Over 50 percent of the vulnerabilities were remotely exploitable, and over 35 percent had public exploits or sufficient details available to exploit. Still, 47 percent didn’t have CVEs assigned and therefore weren’t available in the National Vulnerability Database (NVD).
Searching for Vulnerabilities
“It is clear that relying solely on CVE/NVD or similar sources is not a viable solution as about half of the vulnerabilities will be missed,” Risk Based Security chief research officer Carsten Eiram said in a statement.
“The lack of vulnerability coverage from freely available or U.S. funded government projects forces companies to make a decision: run the risk of using incomplete vulnerability information, spend significant resources tracking vulnerabilities internally, or seek a vulnerability intelligence feed from a reliable service,” Eiram added.
A separate Recorded Future study recently found that 75 percent of all vulnerabilities are released online prior to publication in the NVD — 25 percent are available online at least 50 days prior to NVD release, and 10 percent have gaps of more than 170 days.
“Adversaries aren’t waiting for NVD release and preliminary CVSS scores to plan their attacks,” Recorded Future chief analytic officer Bill Ladd wrote in a blog post. “The race typically starts with the first security publication of a vulnerability. This propels activity in the adversary community and from that point, the race is between those developing and deploying the patches or the exploits.”
And while vulnerability management teams need to defend against all possible exploits, Ladd noted, cybercriminals only need to get one exploit through an organization’s defenses to cause damage.
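The disclosure-to-NVD gap that Recorded Future measured, and Ladd's point that defenders should not wait for NVD publication, can both be tracked by a team that records the first public mention of each vulnerability alongside its NVD date. The script below is an added example, not Recorded Future's code or data: the identifiers and dates are constructed, and the thresholds of 50 and 170 days are taken from the figures quoted above.

```python
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample records: (identifier, first public mention, NVD publication
# date or None if not yet in NVD). Identifiers and dates are invented.
RECORDS: List[Tuple[str, date, Optional[date]]] = [
    ("EXAMPLE-0001", date(2017, 1, 3), date(2017, 1, 3)),    # in NVD the same day
    ("EXAMPLE-0002", date(2017, 1, 5), date(2017, 2, 1)),    # 27-day gap
    ("EXAMPLE-0003", date(2016, 11, 1), date(2017, 1, 10)),  # 70-day gap
    ("EXAMPLE-0004", date(2016, 7, 1), date(2017, 1, 20)),   # 203-day gap
    ("EXAMPLE-0005", date(2017, 2, 10), None),               # public, not yet in NVD
]

# Assumed reporting date for the open items.
AS_OF = date(2017, 3, 1)


def gap_days(first_public: date, nvd_published: Optional[date], as_of: date) -> int:
    """Days between first public mention and NVD publication (or `as_of` if still pending)."""
    end = nvd_published if nvd_published is not None else as_of
    return (end - first_public).days


def gap_summary(records: List[Tuple[str, date, Optional[date]]], as_of: date) -> Dict[str, float]:
    """Share of records public before NVD, and shares past the 50- and 170-day marks."""
    gaps = [gap_days(first, nvd, as_of) for _, first, nvd in records]
    n = len(gaps)
    return {
        "share_public_before_nvd": sum(1 for g in gaps if g > 0) / n,
        "share_gap_50_days_or_more": sum(1 for g in gaps if g >= 50) / n,
        "share_gap_over_170_days": sum(1 for g in gaps if g > 170) / n,
        "median_gap_days": median(gaps),
    }


def nvd_backlog(records: List[Tuple[str, date, Optional[date]]], as_of: date) -> List[Tuple[str, int]]:
    """Vulnerabilities already public but absent from NVD as of `as_of`, longest-waiting first."""
    pending = [(ident, gap_days(first, None, as_of)) for ident, first, nvd in records if nvd is None]
    return sorted(pending, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for key, value in gap_summary(RECORDS, AS_OF).items():
        print(f"{key}: {value}")
    for ident, days in nvd_backlog(RECORDS, AS_OF):
        print(f"{ident}: public for {days} days, not yet in NVD")
```

The backlog list is the practical output: it names the items a team would otherwise only learn about when NVD catches up, which is the window Ladd describes as the race between patch and exploit development.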