September 28, 2010

Why cybercriminals do not need to target Microsoft

Next week Secunia will be at the e-Crime Mid Year Meeting 2010 in London. I am presenting on October 5th at 10:20h and 12:45h covering the topic "Why cybercriminals do not need to target Microsoft” - providing a closer look at the fundamental failings of end-point security that turn most of us into easy prey for cybercriminals.

Following is an abstract of my talk:

This seminar explores the fundamental failings of end-point security that continue to turn most Internet users (corporate and private) into easy targets for cybercriminals. We start with a look at the evolution of the security threat posed by vulnerabilities in the programs of typical end-user PC's over the last five years, and provide an outlook for the rest of 2010 based on the data of the first six months of 2010.
What we uncovered through our free Personal Software Inspector (PSI) service (with +2.6 million users) is that desktop security (and integrity) is much more complex than many people commonly realise, and that the narrow focus on OS vulnerabilities (and even Microsoft product vulnerabilities) is to severely underestimating the problem facing current/future victims of cyber crime.
Our analysis identified an alarming trend - vulnerabilities affecting the portfolio of the Top-50 programs typically present on end-user PC's almost doubled from 2005 to 2009; and an almost four-fold increase is expected to the end of 2010 - which confirms that cybercriminals are very adaptive in finding the easiest path to compromise a host. We identify the primary source of the increased trend, and quantify the complexity of keeping an average PC secure.

I hope this talk contributes to raising awareness on the origin of the threats, and spurs further discussions. Come and join, I am looking forward to meeting with you and to vivid discussions about today’s challenges in securing the end-points.

August 25, 2010

An alarming trend for end-user security

Secunia has just released the first Secunia Half Year Security Report 2010, where I elaborate on the evolution of the security threat posed by vulnerabilities, and provide projections for the 2010 vulnerability levels. With this report we continue to publish results from my research into the threats typical end-users face when surfing the Internet.

Earlier this year, in the RSA 2010 paper The Security Exposure of Software Portfolios, we discovered that overall 50% of the users are found have more than 66 programs from more than 22 different vendors installed. To elaborate on this research I built a representative portfolio of the Top-50 most prevalent programs found on the average end-user PC, and examined the evolution and origin of the vulnerabilities affecting this portfolio since 2005.

We found an alarming trend:
In the two years from 2007 to 2009 the number of vulnerabilities affecting a typical end-user PC almost doubled to 420, and based on the data of the first six months of 2010 the number is expected to almost double again in 2010. In other words, during the first 6 months of 2010 Secunia published 380 vulnerabilities affecting the typical end-user PC, or 89% of the figures for the entire 2009.
A breakdown of these vulnerabilities into contributions from (A) the Operating System, (B) Microsoft programs, and (C) from 3rd party (non-Microsoft) programs reveals that this trend is almost exclusively due to vulnerabilities in 3rd party programs:

In 2009 a typical end-user PC with 50 programs had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed.

Considering the overall results of our research and findings, we expect an increase of this ratio to 4.4 for the year 2010.

It is safe to assume that a large part of the users, focusing primarily on updating their Microsoft OS and programs, succumb on the enormous task and complexity of frequently patching all their 3rd party programs. However, by neglecting the risk of ubiquitous 3rd party programs, users risk being compromised by cyber-criminals every day, despite the deployment of other security measures.

I hope this report contributes to raising awareness on the origin of the threats, and spurs further discussion on how to deal with the issue of 3rd party program risks.