Massive complexity endangers enterprise endpoint environments

There’s a massive amount of complexity plaguing today’s enterprise endpoint environments. The number of agents piling up on enterprise endpoint devices – up on average – is hindering IT and security’s ability to maintain foundational security hygiene practices, such as patching critical vulnerabilities, which may actually weaken endpoint security defenses, Absolute reveals.

enterprise endpoint environments

Also, critical endpoint controls like encryption and antivirus agents, or VPNs, are prone to decay, leaving them unable to protect vulnerable devices, data, and users – with more than one in four enterprise devices found to have at least one of these controls missing or out of compliance.

Increasing security spend does not guarantee security

In addition to heightening risk exposure, the failure of critical endpoint controls to deliver their maximum intended value is also resulting in security investments and, ultimately, wasted endpoint security spend.

According to Gartner, “Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions. It is well-known to most executives that cybersecurity is falling short. There is a consistent drumbeat directed at CIOs and CISOs to address the limitations, and this has driven a number of behaviors and investments that will also fall short.”

“What has become clear with the insights uncovered in this year’s report is that simply increasing security spend annually is not guaranteed to make us more secure,” said Christy Wyatt, President and CEO of Absolute.

“It is time for enterprises to increase the rigor around measuring the effectiveness of the investments they’ve made. By incorporating resilience as a key metric for endpoint health, and ensuring they have the ability to view and measure Endpoint Resilience, enterprise leaders can maximize their return on security investments.”

The challenges of maintaining resilience

Without the ability to self-heal, critical controls suffer from fragility and lack of resiliency. Also, endpoint resilience is dependent not just on the health of single endpoint applications, but also combinations of apps.

The massive amount of complexity uncovered means that even the most well-functioning endpoint agents are at risk of collision or failure once deployed across today’s enterprise endpoint environments.

IT and security teams need intelligence into whether individual endpoint controls, as well as various combinations of controls, are functioning effectively and maintaining resilience in their own unique endpoint environment.

Single vendor application pairings not guaranteed to work seamlessly together

In applying the criteria for application resilience to same-vendor pairings of leading endpoint protection and encryption apps, widely varied average health and compliance rates among these pairings were found.

The net-net here is that sourcing multiple endpoint agents from a single vendor does not guarantee that those apps will not ultimately collide or decay when deployed alongside one another.

enterprise endpoint environments

Progress in Windows 10 migration

Much progress was made in Windows 10 migration, but fragmentation and patching delays leave organizations potentially exposed. Our data showed that while more than 75 percent of endpoints had made the migration to Windows 10 (up from 54 percent last year), the average Windows 10 enterprise device was more than three months behind in applying the latest security patches – perhaps unsurprisingly, as the data also identified more than 400 Windows 10 build releases across enterprise devices.

This delay in patching is especially concerning in light of a recent study that shows 60 percent of data breaches are the result of a known vulnerability with a patch available, but not applied.

Relying on fragile controls and unpatched devices

Fragile controls and unpatched devices are being relied on to protect remote work environments. With the rise of remote work environments in the wake of the COVID-19 outbreak, as of May 2020, one in three enterprise devices is now being used heavily (more than 8 hours per day).

The data also shows a 176 percent increase in the number of enterprise devices with collaboration apps installed as of May 2020, versus pre-COVID-19. This means the average attack surface, and potential vulnerabilities, has expanded significantly across enterprises.

Most malware in Q1 2020 was delivered via encrypted HTTPS connections

67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and 72% of encrypted malware was classified as zero day, so would have evaded signature-based antivirus protection, according to WatchGuard.

encrypted malware

These findings show that without HTTPS inspection of encrypted traffic and advanced behavior-based threat detection and response, organizations are missing up to two-thirds of incoming threats. The report also highlights that the UK was a top target for cyber criminals in Q1, earning a spot in the top three countries for the five most widespread network attacks.

“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” said Corey Nachreiner, CTO at WatchGuard.

“As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Monero cryptominers surge in popularity

Five of the top ten domains distributing malware in Q1 either hosted or controlled Monero cryptominers. This sudden jump in cryptominer popularity could simply be due to its utility; adding a cryptomining module to malware is an easy way for online criminals to generate passive income.

Flawed-Ammyy and Cryxos malware variants join top lists

The Cryxos trojan was third on a top-five encrypted malware list and also third on its top-five most widespread malware detections list, primarily targeting Hong Kong. It is delivered as an email attachment disguised as an invoice and will ask the user to enter their email and password, which it then stores.

Flawed-Ammyy is a support scam where the attacker uses the Ammyy Admin support software to gain remote access to the victim’s computer.

Three-year-old Adobe vulnerability appears in top network attacks

An Adobe Acrobat Reader exploit that was patched in August 2017 appeared in a top network attacks list for the first time in Q1. This vulnerability resurfacing several years after being discovered and resolved illustrates the importance of regularly patching and updating systems.

Mapp Engage, AT&T and Bet365 targeted with spear phishing campaigns

Three new domains hosting phishing campaigns appeared on a top-ten list in Q1 2020. They impersonated digital marketing and analytics product Mapp Engage, online betting platform Bet365 (this campaign was in Chinese) and an AT&T login page (this campaign is no longer active at the time of the report’s publication).

COVID-19 impact

Q1 2020 was only the start of the massive changes to the cyber threat landscape brought on by the COVID-19 pandemic. Even in these first three months of 2020, we still saw a massive rise in remote workers and attacks targeting individuals.

Malware hits and network attacks decline. Overall, there were 6.9% fewer malware hits and 11.6% fewer network attacks in Q1, despite a 9% increase in the number of Fireboxes contributing data. This could be attributed to fewer potential targets operating within the traditional network perimeter with worldwide work-from-home policies in full force during the pandemic.

Evasive malware increasing, evading signature-based antivirus solutions

Evasive malware has grown to record high levels, with over two-thirds of malware detected by WatchGuard in Q4 2019 evading signature-based antivirus solutions.

evasive malware increasing

This is a dramatic increase from the year-long average of 35% for 2019 and points to the fact that obfuscated or evasive malware is becoming the rule, not the exception. Companies of all sizes need to deploy advanced anti-malware solutions that can detect and block these attacks.

In addition, widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017 have been detected. This ‘dropper’ exploit was number seven on WatchGuard’s top ten malware list and heavily targeted the UK, Germany and New Zealand. It downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that was used in phishing attacks in February 2020 that preyed on early fears of the coronavirus outbreak.

Businesses of all sizes need to invest in multiple layers of security

“Our findings from Q4 2019 show that threat actors are always evolving their attack methods,” said Corey Nachreiner, CTO at WatchGuard.

“With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioural-based anti-malware technology and robust phishing protection like DNS filtering will be especially crucial.”

Other key findings from the Q4 2019 report include:

  • Mac adware jumps in popularity in Q4 – One of the top compromised websites detected in Q4 2019 hosts a macOS adware called Bundlore that masquerades as an Adobe Flash update. This lines up with a MalwareBytes report from February 2020 that showed a rise in Mac malware, particularly adware.
  • SQL injection attacks became the top network attack in 2019 – SQL injection attacks rose an enormous 8000% in total between 2018 and 2019, becoming the most common network attack of the year by a significant margin.
  • Hackers increasingly using automated malware distribution – Many attacks hit 70 to 80 percent of all Fireboxes in a single country, suggesting attackers are automating their attacks more frequently.

Most AV vendors will continue to support their products under Windows 7

Earlier this month, Windows 7 – the most beloved Windows version up to date – has reached end-of-support.

AV Windows 7

Businesses of all sizes can still pay to receive extended security updates (ESUs) to keep their systems secure while they plan their upgrade, but home users don’t have that option.

They can still upgrade from Windows 7 to Windows 10 for free (if they have a valid serial number for Windows 7), but those who continue to use Windows 7 now that support has ended are simply more vulnerable to security risks.

AV on Windows 7

Foresight Cyber CEO Vladimir Jirasek has recently shared good advice on how businesses can minimize the risk of security breaches if they, for whatever reason, can’t upgrade from Windows 7 and can’t afford ESUs. Some of his suggestions can be also be implemented by consumers.

In addition to that, the good news is that some browser and many AV manufacturers will continue to offer Windows 7 support.

“Google has made it totally official in assuring its Chrome users that it will provide further security updates at least until July 2021. As the latest version of Microsoft Edge for Windows 7 relies on the same HTML engine as Chrome, it ought to have security updates, German antivirus testing laboratory AV-Test shared.

“There has been no official word on this yet from Firefox. Only in the support forums, the leading moderators point out that Mozilla continued to supply updates for Firefox under Windows XP for several years after support was phased out.”

Most AV manufacturers haven’t announced end of support for Windows 7, but will extend support for another two years at least (you can check which here). Avira will end support on November 2022, and Sophos will support its on-premise AV version until December 2020, its cloud-managed version until June 2021.

Even Microsoft will continue to release signature updates (including engine) to service systems currently running Microsoft Security Essentials untill 2023.

Finally, it’s good to note that users who don’t want to switch to Windows 10 or can’t because of their old computer can’t take it can still opt for a supported Windows version: Windows 8.1 is under extended support until January 10, 2023.