Henry Seddon, VP EMEA, Duo Security

To gain access to sensitive data, attackers will often target outdated devices with known vulnerabilities. For organisations, this is a growing problem; users logging in may be using unmanaged or personal devices running outdated, unpatched versions of software. In fact, our own recent report examining the “security health” of devices found that 60 percent of user devices are running old versions of Flash and a quarter of all Windows devices are running outdated, unsupported versions of IE, exposing them to old vulnerabilities.

Adding to the challenge for security teams is that employees are increasingly using their own smartphones, tablets or laptops to access work applications and data from home and other remote working locations, meaning administrators can have limited visibility into devices. Without this visibility into the health of devices, IT administrators are “flying blind” when it comes to endpoint security.

Regular security “health checks” monitoring for vulnerabilities and outdated software on any device used to access an organisation's network would reduce the risk of exposure to security threats targeting old operating systems and reduce the risk of a breach. Here, we examine the threats that outdated systems pose and why gaining visibility into the security health of devices, before granting access to web and cloud applications, is an effective way of further reducing the risk of a malware infection via exploit kits or any other means that leverage vulnerabilities in unpatched systems.

Users and outdated versions

Out-of-date devices are at greater risk of exploitation as they're susceptible to known software vulnerabilities that can allow attackers to compromise them. Flaws found in old versions of operating systems, browsers and plugins like Flash and Java allow attackers access to, and control of, devices and systems.

Common threats to organisations include the use of exploit kits and phishing attacks. Attackers may use exploit kits to download malware onto a user's computer. These kits are packaged and sold as malicious software as a service to attackers who may not be able, or need, to code their own exploits. They can be delivered via spam or a drive-by download attack. Clicking on a link in the spam message redirects the user to a malicious website hosting the exploit kit, which then checks which version of Flash their computer is running. If it is running an outdated version, the computer is susceptible to the Flash vulnerability included in the kit and malware will download onto the system.

The threat is real and evolving: researchers recently found a new campaign leveraging the RIG exploit kit that targets outdated versions of popular applications to distribute the Cerber ransomware. In this instance, the attackers leverage an array of malicious domains to launch drive-by attacks against visitors, trying to exploit flaws in outdated versions of popular applications such as Flash, Internet Explorer or Microsoft Edge.

Ransomware attacks are also known to exploit out-of-date software on users' devices and are distributed via exploit kits which target website visitors, using vulnerabilities in the browser to install malware on their system. Typically, the malicious code targets browser plugins, like Flash or Java.

Taking responsibility

Even a verified, trusted user may, unwittingly, be running a device with outdated software, leaving them susceptible to vulnerabilities. Attackers know that this can be an organisation's Achilles' heel: they will frequently upload the latest exploits and vulnerabilities into their exploit kits in order to take advantage of the fact that organisations and users are slow to update. Trusting users is therefore not enough.

An organisation must establish trust in all devices accessing its network and should continuously remind its employees to update their devices, as well as implement automatic “health checks”.

The good news is that organisations can get detailed data on their devices, including the operating system platform, browser versions, and plugin versions, including Flash and Java.

The key is trusted access: mitigating security risks by verifying the identity of users and ensuring the security health of devices before they connect to an organisation's application. With such approaches, administrators can set policies around the software versions devices need in order to be granted access, or the security features (passcodes, screen lock, etc.) required on those devices, without disrupting end users' normal activities.
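A device “health check” of the kind described above can be sketched as a policy evaluation that runs before access is granted. This is an added example, not code from the article or from any vendor product; the report format, the policy keys and every version number in it are constructed placeholders.

```python
def parse_version(text):
    """'10.0.2' -> (10, 0, 2). Numeric tuples avoid the string-compare trap
    where '9.10' sorts after '10.0'; trailing zeros are dropped so '54' == '54.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def evaluate(device, policy):
    """Return (allowed, reasons) for a device report shaped like
    {"software": {name: version}, "features": {name: bool}} (assumed format)."""
    reasons = []
    for name, version in device.get("software", {}).items():
        minimum = policy["min_versions"].get(name)
        if minimum is None:
            continue  # no rule for this component
        try:
            outdated = parse_version(version) < parse_version(minimum)
        except ValueError:
            # Fail closed: an unparseable version is treated as untrusted.
            reasons.append(f"{name} version {version!r} is unreadable")
            continue
        if outdated:
            reasons.append(f"{name} {version} is older than required {minimum}")
    for feature in sorted(policy["required_features"]):
        if not device.get("features", {}).get(feature, False):
            reasons.append(f"{feature} is not enabled")
    return (not reasons, reasons)

# Constructed policy and device reports; the thresholds are illustrative only.
POLICY = {
    "min_versions": {"os": "10.0.2", "browser": "54.0", "flash": "24.0.0.186"},
    "required_features": {"passcode", "screen_lock"},
}
PATCHED = {
    "software": {"os": "10.0.3", "browser": "55.0", "flash": "24.0.0.194"},
    "features": {"passcode": True, "screen_lock": True},
}
STALE = {
    "software": {"os": "9.10", "browser": "54", "flash": "11.2.202.1"},
    "features": {"passcode": True},
}

if __name__ == "__main__":
    for label, report in (("patched", PATCHED), ("stale", STALE)):
        allowed, why = evaluate(report, POLICY)
        print(label, "ALLOW" if allowed else "DENY", why)
```

The reasons list is what lets the access decision tell the user which component to update rather than just refusing the login.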

The bigger picture is that visibility is key. Outdated software on devices will result in attackers obtaining the keys to the kingdom, gaining access to login credentials, personal details or banking details from which they can steal sensitive data. These are risks that it's just not worth taking. In the same way that we need to trust our users, we need to trust the devices they're using and only grant access once we know they are legitimate and safe.

Contributed by Henry Seddon, VP EMEA, Duo Security

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.