Vulnerabilities Everywhere

And there are a lot of vulnerabilities.

“In 2006 we did a survey of 30 customers of different sizes, from a few hundred workstations to tens of thousands of workstations all around the world,” says Amir Kolter, CEO of security software vendor Promisec. “That was almost 200,000 endpoints.”

According to Kolter, the results were depressing. “All of [the customers] had internal threats,” he says. “The total number of threats was higher than we ever expected.” In addition, the number of companies with a given vulnerability was often much higher than the percentage of computers showing that vulnerability. Thus, says Kolter, while only 4 percent of the total endpoints surveyed had peer-to-peer software installed, 22 percent of the companies surveyed had one or more endpoints with this vulnerability.

While the percentages of computers with problems may seem low, keep in mind that it takes only one vulnerable computer in an organization to compromise the entire network.

Some of what Promisec found were the old vulnerability standbys: versions of Windows without the latest patches, antivirus software that needed signature files updated, and so on. However, some of the endpoint threats Promisec found were less traditional, and less obvious.

Promisec found 10 major areas of problems. Not all the companies had all the problems, but all of them had at least one. In some cases the endpoint threat could be completely eliminated, such as computers without the latest security updates. In others, such as unsecured USB devices, the solution is to control the vulnerability, typically with software-enforced policies.

1. USB Devices
The largest threat in the Promisec study was undocumented or unsecured USB devices. About 13 percent of the surveyed endpoints had them.

This isn’t just a theoretical concern. A 2005 Yankee Group survey found that 37 percent of the companies surveyed believed USB devices were used to compromise corporate information.

The source of the infection doesn’t have to be an employee. A visitor, invited or otherwise, who gets access to a company computer can easily plug in a thumb drive. More elaborately, a computer security firm gained national attention in 2006 by loading 20 USB drives with password-stealing malware and scattering them in the parking lot and other likely locations outside a target company. Fifteen of the drives were found by employees, who plugged them in to see what was on them; in a matter of hours, the security company was getting a stream of passwords and other critical data. (The security firm was Secure Network Technologies. It was testing security at a client, and the incident was reported in a number of places, including June 7, 2006 on the Dark Reading website.)