About 39% of commercial companies in the past two years have experienced information security incidents generated by vulnerabilities in legitimate software. This data is presented in the survey “Global Corporate IT Security Risks: 2013” by Kaspersky Lab and B2B International.
“There is no software without flaws,” Microsoft representatives used to reply to their critics. Unfortunately, this statement is hard to dispute. Of course, in the last decade the developer of Windows and Office has greatly improved the security of its products, but attackers still exist. In recent years, the main causes of problems for individual and corporate users have become vulnerabilities in software like Oracle Java, Adobe Flash and Adobe Acrobat. These applications are widely used in corporate networks, and attackers actively write exploits for the vulnerabilities in such programs.
Certainly, vulnerabilities in enterprise software are not the only source of problems. However, as the above study shows, the respondents mentioned them more often than other causes.
There is good news though. Over the past two years the number of such incidents has declined, although only slightly. While in 2011 vulnerabilities in enterprise software were reported as the main source of problems by 47% of respondents, only 39% still say so. Most of these incidents appear to happen in Russia (about 51% of the respondents). All in all, 25% of the respondents suffered critical corporate data leaks because of vulnerabilities in enterprise software, and 10% of the respondents confirmed serious financial losses as a result.
This is the price of vulnerabilities in legitimate software in the absence of additional protection.
Another aspect related to enterprise software is worth mentioning. Many if not most large companies use their own software. Depending on the expertise of the programmers, such software varies in quality, and therefore in the number of potential vulnerabilities. And while these programs are unlikely to be distributed outside the company where they were developed, the presence of vulnerabilities implies at least the possibility that hackers will try to use them, especially if the attack is targeted.
There is another interesting fact. To some extent, “self-made” enterprise software has prolonged the life and wide use of Microsoft Windows XP. As of December 2013, this hopelessly outdated OS still had a significant market share of 28.98%, and Microsoft is going to terminate its support in April 2014. A lot of enterprise software is written for Windows XP and may not work under later versions of Windows, pushing many companies to hold on to XP as long as possible.
The prevalence of Windows XP is a problem for information security. This operating system possesses none of the information protection mechanisms implemented in later versions of Windows. At the same time, the number of malicious programs exploiting known vulnerabilities in XP is beyond counting. Accordingly, both corporate and individual Windows XP users literally expose themselves to that malware, and the situation affects the global landscape of IT threats.
It is software developers who are mainly responsible for security or, conversely, the vulnerability of programs, not users. However, all users should have in place some protection measures knowing that the software used is not flawless. Again, additional protective tools are necessary since we live in an era of insecure software.
Information security is provided by Kaspersky Lab’s solutions. The first is the Automatic Exploit Prevention technology, which protects against both old and new threats (zero-day vulnerabilities and their exploits may still be found for Windows XP). The main feature of AEP is that it constantly monitors the behavior of vulnerable software and thwarts all attempts to launch suspicious code.
AEP also enables a Forced Address Space Layout Randomization mode for some programs and program modules. Similar technology has been built into Windows since Vista; there is no such feature in Windows XP. AEP allows enabling this mode for any program. This technology changes the memory addresses at which vulnerable code and data are loaded, so that exploits cannot find and use them.
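Whether a program even opts into Windows ASLR is recorded in its PE header, and a forced ASLR mode matters precisely for modules that do not. The following is an added example (not Kaspersky Lab’s code, and not part of the original article) that reads the relevant flags from a PE image; it assumes only the documented PE/COFF header layout, and the `build_min_pe` helper constructs a minimal header purely for testing.

```python
import struct

# Flag values from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts into DEP
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no relocation table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def aslr_status(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR and whether it can be relocated."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4  # 20-byte COFF file header follows the signature
    opt_size, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20      # optional header starts right after the COFF header
    if opt_size < 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    opted_in = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocatable = not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr_opt_in": opted_in,
        "nx_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocatable": relocatable,
        # A module that did not opt in can only be randomized by a forced ASLR
        # mode if its relocation table is still present.
        "forced_aslr_possible": (not opted_in) and relocatable,
    }


def build_min_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for testing only (not a loadable executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 72, file_chars)
    optional = bytearray(72)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)
```

Running `aslr_status` over the executables and DLLs of in-house software shows which modules rely on a forced ASLR mode rather than opting in themselves, and which cannot be randomized at all because their relocations were stripped.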
Moreover, features like System Management allow you to automate the installation of recently released patches and updates for software, narrowing the “hackers’ windows of opportunity” to a minimum. These “windows of opportunity” are the periods between the discovery of a vulnerability, the release of a patch for it and the actual installation of that update.