Momentum Builds for Killing Flash

What is the source of the greatest security risk facing companies and individuals today? A recent survey suggests that it’s those gadgets and various screens with which we spend an inordinate amount of time—followed by one main software piece: Adobe Flash.

Bromium research shows that 55% of security professionals believe the endpoint to be the weakest link in the cyber-safety chain, with vulnerable software contributing greatly to that. Flash in particular is a problem: The Bromium study shows it has been responsible for more exploits than any other popular software in the first six months of 2015. So it’s no surprise that a whopping 90% of information security professionals believe their organization would be more secure if it disabled the plug-in.

Several prominent security professionals and researchers have called for the public execution of Flash and its permanent removal from all web browsers. Mozilla recently temporarily blocked Flash from Firefox, YouTube has switched to HTML5 and Facebook has called for the end of Flash.

The reason that so many Flash exploits exist is that Flash is so popular (it was only a few years ago that Java exploits were just as common, for the same reason). But, “these vulnerabilities are completely preventable in 2015,” said Easy Solutions, in a blog. “Flash itself has been under assault by the security community for years, due to its unique ability to be both permanently vulnerable to attack, grant attackers elevated privilege and still be considered fairly ubiquitous.”

It added, “As proven by Apple after the initial release of the iPhone, it is possible to use the Web without Flash and Flash’s popularity has steadily been on the decline.”

However, the problem for information security teams is that disabling Flash is not always an option. The Bromium survey uncovered that 41% of organizations would become less productive or “break” critical applications if they disabled Flash. Ironically, one Black Hat attendee relayed an anecdote that the only application in his organization that required Flash was its security awareness training videos.

The struggle to disable Flash is a frequent dilemma for information security professionals who must find alternatives to address zero-day vulnerabilities. One best practice is to urgently implement patches, but even that can be a challenge.

Bromium found that the majority of information security professionals implement patches for zero-day vulnerabilities in applications such as Flash, Java and Internet browsers as soon as they are available; 10% in the first day and an additional 50% in the first week. But that said, 22% of information security professionals take more than a month to patch zero-day vulnerabilities.

“If an organization is running a vulnerable version of Flash, then it can be compromised by the majority of popular exploit kits, such as Angler,” the report noted. “Once again, this demonstrates the tension between security and operations since security teams may be limited in their ability to implement zero-day patches.”

It’s not just Flash and other zero-days that pose a risk to endpoints, of course. More than a quarter (27%) said that insider threats introduce the most risk.

And of course, endpoints aren’t the only thing out there to protect. About 9% selected the network and 9% selected the cloud as being the main vector to compromise.
