Risk rater endpoint report
Risk rater endpoint report Document Transcript

1. © Copyright Rapid7 2013 Phone: 617.247.1717 www.rapid7.com

You're Only as Strong as Your Weakest Link: Securing the Endpoint

Key Findings
  - 96% have antivirus enabled on employee machines
  - 17% may not be regularly patching

Endpoint Risk

According to the 2013 Verizon Data Breach Investigations Report, 71% of attacks and breaches in 2012 involved compromised end-user devices, more than any other asset category. Desktops (25%) and laptops (22%) were among the top five most breached end-user devices that year. In 2008, end-user devices made up only 17% of attacks and breaches. In comparison, attacks involving compromised servers declined from 94% in 2008 to 54% in 2012, indicating that hackers are increasingly targeting endpoints as the weakest link.

Endpoints are targeted through a variety of methods, several of which stand out as favorites for attackers. Web attacks are on the rise, especially those that redirect a victim's browser to a site with malicious code, according to the latest Microsoft Security Intelligence Report. These types of attacks account for seven of the top 10 threats encountered by corporate users. A report from Bit9 stated that Java "is the most targeted endpoint technology for cyber attacks", with the average organization having more than 50 versions of Java installed across all of its endpoints and less than one percent having the latest software version. This is an issue since reports show that 94% of endpoints that run Oracle's Java are vulnerable to at least one exploit.

Part of the challenge of securing endpoints is gaining visibility into what's running on them. In a recent ESG survey of 315 security professionals at enterprise organizations, "30% of respondents were unsure about applications installed on each device" and "19% were unable to monitor downloads and execution of malicious code." Rapid7, a leading provider of IT security analytics and management software and cloud solutions, recently surveyed IT professionals about the use of security protocols commonly deployed to protect against endpoint attacks.

Building a Solid Defense

Rapid7 found that 96% of respondents have an antivirus tool enabled on employee machines, a first step in protection from outside threats. That being said, organizations need to understand that antivirus software has its limitations. Many vendors claim that they now process well over 100,000 malware samples per day. At that rate, it is difficult to stay up to date, and despite the high volume of malware samples, some malware will slip through undetected. In fact, according to Forrester, a signature-based antivirus product "only catches about 20-30% of the malware that comes into an organization." Because of this, there are examples of exploits in the wild that are consistently not flagged and stopped by antivirus software, as was the case with Flame, a piece of malware that infected systems in Iran and other countries and was not detected by antivirus software before it was widely publicized.
2.

Antivirus software is not able to stop all malware, so it becomes even more critical to ensure that operating systems and applications remain up to date. Patching is an effective way to increase security protection against attacks. Cybercriminals often use known exploits in an attempt to hack into systems that have not been patched, including an incident in June of this year, when key government agencies in South Korea were attacked using flaws that had previously been patched by vendors.

While most understand the risk, many organizations find the task of keeping endpoints up to date difficult due to complex IT environments, the increase of out-of-band patching from vendors, and the sheer volume of in-band patches released. For example, in 2012 Microsoft alone released 83 patch bulletins and 48 revised bulletins, patching more than 100 vulnerabilities. Rapid7 found that 17% of respondents have not, or are not sure if they have, updated machines in their organization with the latest operating system patches, a baseline step in keeping systems up to date to reduce an organization's susceptibility to attack. Automated patch and configuration management tools are available to make these tasks easier.

Survey results (Number of Respondents)

Are the machines in your organization updated with the latest operating system patches?
  Yes          501   82%
  No            80   13%
  Don't Know    27    4%

Do the machines in your organization have antivirus tools enabled?
  Yes          583   96%
  No            19    3%
  Don't Know     6    1%
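The two controls surveyed on this slide, antivirus enabled and operating system patches current, are both things an administrator can verify on the endpoint itself rather than rely on a survey answer. The following PowerShell is an added example written for this page; it is not code from the Rapid7 report or from any Rapid7 product. It assumes a Windows endpoint with either Microsoft Defender (Get-MpComputerStatus) or a third-party product registered in Security Center (the root\SecurityCenter2 namespace, present on client editions of Windows), and the 30-day "regularly patching" threshold is an assumed policy value, not a figure from the report.

```powershell
# Added example (not part of the Rapid7 report): read-only check of antivirus
# status and OS patch recency on a Windows endpoint. Run from an elevated prompt.
function Get-EndpointPatchPosture {
    param(
        # Assumed policy threshold: how stale the newest installed update may be
        # before the endpoint is reported as not patching regularly.
        [int]$MaxDaysSinceLastPatch = 30
    )

    $findings = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. Antivirus. Get-MpComputerStatus exists only where Microsoft Defender is
    #    installed; other products register with Security Center instead.
    $av = $null
    try { $av = Get-MpComputerStatus -ErrorAction Stop } catch { $av = $null }
    if ($av) {
        $findings.AntivirusProduct    = 'Microsoft Defender'
        $findings.AntivirusEnabled    = [bool]$av.AntivirusEnabled
        $findings.RealTimeProtection  = [bool]$av.RealTimeProtectionEnabled
        $findings.SignatureAgeDays    = (New-TimeSpan -Start $av.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    } else {
        $sc = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        $findings.AntivirusProduct    = ($sc | ForEach-Object displayName) -join ', '
        $findings.AntivirusEnabled    = [bool]$sc   # registered product present
        $findings.RealTimeProtection  = 'unknown (query the vendor product)'
        $findings.SignatureAgeDays    = 'unknown (query the vendor product)'
    }

    # 2. Patching. Get-HotFix lists installed updates that register as hotfixes;
    #    the newest InstalledOn date is a cheap proxy for "patching regularly".
    $last = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($last) {
        $findings.LastPatchId        = $last.HotFixID
        $findings.LastPatchInstalled = $last.InstalledOn
        $findings.DaysSinceLastPatch = (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days
        $findings.PatchingRegular    = $findings.DaysSinceLastPatch -le $MaxDaysSinceLastPatch
    } else {
        # No dated updates at all is itself a finding.
        $findings.LastPatchId        = $null
        $findings.LastPatchInstalled = $null
        $findings.DaysSinceLastPatch = $null
        $findings.PatchingRegular    = $false
    }

    [pscustomobject]$findings
}

# Usage: one endpoint, human-readable. For a fleet, wrap the call in
# Invoke-Command -ComputerName ... and export the objects to CSV.
Get-EndpointPatchPosture | Format-List
```

Get-HotFix only reports updates that register as Windows hotfixes, so application updates (Java, Office, Adobe Reader, the third-party software the report singles out) are not covered by this check; those need the patch management tooling the slide refers to, or a vulnerability scanner, to confirm.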
3.

Key Findings
  - 90% block suspicious attachments
  - 54% may not control or prevent code execution on endpoints
  - 78% allow both attachment and code execution
  - 81% require users to have passwords that expire

Reducing the Attack Surface

It's been well documented that hackers use email attachments as a way to gain access into the network. In 2011, RSA's SecurID® token technology was hacked due to an email attachment. While the hack itself wasn't sophisticated, the attackers sent a series of spear phishing emails with a cleverly written subject line, which was enough to interest one employee in clicking on the attachment. RSA is clearly not alone in this: the Verizon Data Breach Investigations Report shows that email continues to be one of the top two attack methods. Recent drive-by spam attacks, for example, automatically download malware even without the user opening an attachment. Microsoft announced that it detected and removed malicious documents such as Adobe Acrobat (PDF) and Word documents, commonly sent as attachments through e-mail, from almost 3 million systems in the fourth quarter of 2012.

With this study, Rapid7 found that 90% of respondents have configured their email system to block suspicious attachments, and 10% have not or do not know whether their email system blocks suspicious attachments. It's important that organizations continue to enforce policies that block email attachments, since only around half of organizations are preventing malicious code execution. Data Execution Prevention (DEP), Structured Exception Handling Overwrite Protection (SEHOP), Address Space Layout Randomization (ASLR), and Return-oriented programming (ROP) are all examples of mitigations that help prevent code execution, limiting the potential damage from viruses and other security threats that attack by running malicious code from memory locations that only Windows and other programs should use.

Survey results (Number of Respondents)

Does your email system (either server or clients) block suspicious attachments?
  Yes          545   90%
  No            43    7%
  Don't Know    20    3%

4.

Yet 54% of respondents either do not have, or do not know if they have, code execution prevention controls enabled on their users' machines. Compounding this problem, 78% of the respondents who do not block suspicious email attachments also do not enable code execution prevention, significantly increasing their risk of a serious breach. As these statistics highlight, more needs to be done to educate the industry about the preventive techniques in Microsoft's Enhanced Mitigation Experience Toolkit and the equivalents available for OS X and Linux operating systems. These techniques will never stop exploitation completely, but every security professional should know what they are and deploy them broadly across the organization.

According to the SANS Institute password policy recommendations, all system-level passwords must be changed on at least a quarterly basis. In addition, all user-level passwords must be changed at least every six months. The group recommends that security departments within organizations perform password cracking or guessing on a periodic or random basis. Even with these recommendations, password protection remains a challenge. According to the Verizon Data Breach report, 76% of network intrusions reported in 2012 exploited weak or stolen credentials. While the debate about the effectiveness of strong passwords continues, there is no question that all organizations should require users to have strong passwords that expire periodically and follow the suggestions of the SANS Institute. Unfortunately, not every organization complies. Rapid7 found that 81% of respondents require their users to have passwords that expire, which means nearly 20% didn't have that requirement or didn't know if that requirement existed.

Survey results (Number of Respondents)

Are code execution prevention techniques (DEP, ASLR) enabled on the machines in your organization?
  Yes          280   46%
  No           184   30%
  Don't Know   144   24%
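DEP, SEHOP and ASLR are system-wide settings on Windows, so whether they are enabled is something an administrator can audit rather than guess at, which is what the 24% of "Don't Know" respondents above were left doing. The following PowerShell is an added example written for this page, not code from the Rapid7 report or from EMET. It reads the DEP support policy from Win32_OperatingSystem, the SEHOP and ASLR values under the Session Manager registry keys, and, where the Get-ProcessMitigation cmdlet exists (Windows 10 version 1709 and later, whose built-in exploit protection replaced EMET when EMET reached end of life in 2018), the system-wide mitigation policy. Registry paths and value meanings are as Microsoft documents them; the "acceptable" verdicts are assumed audit thresholds, not figures from the report. One caveat on the text above: return-oriented programming is an attack technique rather than a mitigation; what EMET offered against it were anti-ROP checks such as caller and stack-pivot validation.

```powershell
# Added example (not part of the Rapid7 report): audit the system-wide exploit
# mitigations named on this slide. Read-only; run from an elevated prompt.
function Get-ExploitMitigationPosture {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # --- DEP -------------------------------------------------------------
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
    $result.DepHardwareAvailable = [bool]$os.DataExecutionPrevention_Available
    $result.DepPolicy            = $depNames[$depPolicy]
    # Assumed threshold: OptIn only covers Windows binaries and opted-in apps,
    # so only AlwaysOn or OptOut is treated as acceptable for an audit.
    $result.DepAcceptable        = $depPolicy -in 1, 3

    # --- SEHOP -----------------------------------------------------------
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
    #   DisableExceptionChainValidation: 0 = SEHOP on, 1 = SEHOP off.
    # If the value is absent the OS default applies (off on Windows 7 client,
    # on for server editions and later client releases).
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $sehop = (Get-ItemProperty -Path $kernelKey -Name DisableExceptionChainValidation `
                -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    $result.SehopSetting = if ($null -eq $sehop) { 'not set (OS default)' }
                           elseif ($sehop -eq 0) { 'enabled' }
                           else                  { 'DISABLED' }

    # --- ASLR ------------------------------------------------------------
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    #   MoveImages: 0 = ASLR off system-wide; 0xFFFFFFFF = relocate every image;
    #   absent or any other value = default (images built with /DYNAMICBASE are randomized).
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $move = (Get-ItemProperty -Path $mmKey -Name MoveImages -ErrorAction SilentlyContinue).MoveImages
    $result.AslrSetting = if ($null -eq $move)       { 'default (DYNAMICBASE images randomized)' }
                          elseif ($move -eq 0)       { 'DISABLED' }
                          elseif ($move -eq -1 -or $move -eq 0xFFFFFFFF) { 'forced for all images' }
                          else                       { 'default (DYNAMICBASE images randomized)' }
    $result.AslrAcceptable = -not ($move -eq 0)

    # --- Windows 10 1709+ / Server 2019+: built-in exploit protection --------
    # Get-ProcessMitigation -System shows the policy that replaced EMET.
    if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
        $sys = Get-ProcessMitigation -System
        $result.SystemPolicyDep   = $sys.Dep.Enable
        $result.SystemPolicySehop = $sys.SEHOP.Enable
        $result.SystemPolicyAslr  = 'ForceRelocateImages=' + $sys.Aslr.ForceRelocateImages +
                                    ' BottomUp=' + $sys.Aslr.BottomUp +
                                    ' HighEntropy=' + $sys.Aslr.HighEntropy
    } else {
        $result.SystemPolicyDep   = 'Get-ProcessMitigation not available (pre-1709 or EMET era)'
        $result.SystemPolicySehop = $result.SystemPolicyDep
        $result.SystemPolicyAslr  = $result.SystemPolicyDep
    }

    [pscustomobject]$result
}

Get-ExploitMitigationPosture | Format-List
```

The system-wide policy is only half the picture: an individual application compiled without /NXCOMPAT or /DYNAMICBASE can still opt out under the default OptIn and default ASLR settings, which is exactly why the report asks organizations to understand these techniques rather than assume the operating system defaults cover everything. For a fleet, run the function through Invoke-Command and compare the DepAcceptable, SehopSetting and AslrAcceptable fields against the organization's baseline.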
5.

Conclusions and Recommendations

Organizations are consistently battling threats from malware and exposure to risk through third-party applications like Java, Microsoft Office, Adobe Flash and Adobe Reader, as well as malicious or hijacked websites. Given the presence and role of endpoints in an organization, user devices will continue to be the first point of attack used by many cybercriminals. While many organizations have deployed endpoint security software to provide a first layer of defense, not all are adopting policies and procedures that will decrease the risk of an attacker penetrating an endpoint and entering a corporate network.

Rapid7 recommends that organizations create and deploy endpoint security policies that include:
  - Always install and update antivirus software on all devices.
  - Develop a patching policy and procedure, prioritizing patching the vulnerabilities that pose the largest threat.
  - Ensure strong passwords are consistently changed and that security departments test those passwords on a regular basis.
  - Educate users on the risk of email attachments and enforce policies that block suspicious email.
  - Understand code execution prevention techniques and deploy them across the organization.

Please note: percentage numbers have been rounded, so totals may not add to 100 in some cases.

Survey results (Number of Respondents)

Are users required to have strong passwords that expire periodically?
  Yes          494   81%
  No           100   16%
  Don't Know    14    2%