Think a Windows security scan gives you a true picture of the security status of your enterprise desktops? Better think again. Practically every desktop I come across that's assumed to be "hardened" and "compliant" has numerous security holes -- many of which can be exploited with free and simple-to-use tools. I'm not finding these flaws because I have some magic formula for Windows security. Many organizations just don't use good tools or know where to look.
The 2013 Trustwave Global Security Report found that 61% of client-side attacks targeted Adobe Reader users via malicious PDFs. Yet third-party patches are often overlooked. The Ponemon Institute's 2013 State of the Endpoint study found that the lack of enforceable, centralized cloud security policies is putting unstructured confidential information at risk -- something I've been seeing as a problem for years.
Even full disk encryption -- a technology that has been around for years -- is not being used the way it should be. I can say with near-100% certainty that these weaknesses would never be uncovered in the hurried desktop vulnerability scans being run in many enterprises today. It's these very Microsoft security scans that many people are depending on to determine their levels of desktop risk -- a critical oversight to say the least.
Here are the major concerns I have with people relying on traditional vulnerability scans:
- Windows security scans are often performed with free tools that don't inspect the systems deeply enough. Many people running the scans have no real idea what the results mean. Perhaps worst of all, scans are often run and shipped off never to be seen again. There's no real follow-through.
- Scans often do not paint the proper picture, especially if they're run without administrator-level authentication. Finding missing patches and weak configurations is great. But just because a vulnerability doesn't come up when scanning a desktop across the network without logging in doesn't mean it's not there. There could be something big lurking behind the Windows login prompt that can be just as easily exploited.
- Password weaknesses are often ignored, yet they're one of the greatest weaknesses documented in the industry reports every year. Even when password checks are performed, not all weak passwords will be found, especially if only a limited dictionary-based crack is performed.
- IT administrators should also be concerned with things that scans can't uncover, including the use of Wi-Fi, privacy screens and laptop locks. Likewise, just because antivirus software is present doesn't mean it's configured properly, is getting updated or can't be disabled by users.
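As an added example (not from the original column), the following PowerShell script runs on the desktop itself the kind of authenticated, local checks the column says a network scan misses: antivirus state and signature age, BitLocker status on fixed volumes, and the installed Adobe Reader version. It assumes Windows 8 / Server 2012 or later with the Defender and BitLocker PowerShell modules, an elevated session, and a placeholder minimum Reader version that you must set from the vendor's current advisory.

```powershell
# Added example, not from the original article: local checks a remote,
# unauthenticated scan cannot make. Assumes Windows 8 / Server 2012 or later
# with the Defender and BitLocker modules; run in an elevated session.
function Get-DesktopControlStatus {
    $findings = @()

    # 1. Antivirus: engine enabled, real-time protection on, signatures fresh.
    $av   = Get-MpComputerStatus
    $pref = Get-MpPreference
    if (-not $av.AntivirusEnabled) { $findings += 'Antivirus engine is disabled' }
    if (-not $av.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings += 'Real-time protection is off (disabled by user or policy)'
    }
    if ($av.AntivirusSignatureAge -gt 3) {
        $findings += "Antivirus signatures are $($av.AntivirusSignatureAge) days old"
    }

    # 2. Full disk encryption: OS and fixed data volumes fully encrypted, protection on.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -notin 'OperatingSystem', 'Data') { continue }
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker on $($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        }
    }

    # 3. Third-party patch level: Adobe Reader version from the Uninstall keys
    #    (both native and WOW6432Node hives, so 32-bit installs on x64 are seen).
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $readers = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like 'Adobe*Reader*' }
    if (-not $readers) {
        $findings += 'Adobe Reader not found in Uninstall keys (verify manually)'
    } else {
        # PLACEHOLDER: set from the vendor's current security advisory.
        $minimumReaderVersion = [version]'0.0.0.0'
        foreach ($r in $readers) {
            $installed = $r.DisplayVersion -as [version]   # $null if the string is not a version
            if ($installed -and $installed -lt $minimumReaderVersion) {
                $findings += "$($r.DisplayName) $($r.DisplayVersion) is below the required minimum"
            }
        }
    }

    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

Get-DesktopControlStatus
```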
Underscoring these problems was Trustwave's finding that the average time from an initial security breach to actual detection was 210 days. In other words, on average, there's over six months' worth of exploitation before criminal activity is found inside the house! The Ponemon study also found that confidence in network security is declining: Nearly half (46%) of respondents do not believe their desktops are more secure now than they were a year ago.
There are a lot of moving parts, and there's not a simple fix for Windows security. That said, you can do something about it. Understand the common flaws that are being exploited. Focus on control and visibility. Run Microsoft security scans with authentication, and don't underestimate the value of manual analysis. Capitalize on the features in higher-end Windows security testing and monitoring tools.
You're not going to find or fix all of your desktop security challenges, but you can find and fix most of them. Change your approach, and you can take your vulnerability management to the next level.
This was first published in May 2013