Behind Breaches: Lots of Outdated Software



A study by the firm BitSight finds a correlation between out of date software, data breaches, and other cyber incidents.

In the popular imagination, data breaches and other cyber incidents are the work of master hackers and cybercriminals. “It’s not whether you’ll be breached, but when” is common wisdom these days.

But a survey by the firm BitSight of more than 35,000 companies found that almost a quarter of them (8,500) were running out of date Internet browsers. Those firms, BitSight said, were more than twice as likely to experience a publicly disclosed breach as companies that had out of date browsers on fewer than half of their computers.

The situation is even worse for organizations running outdated operating systems on more than half of their computers. BitSight's researchers found that those organizations were nearly three times as likely to experience a breach as organizations below the 50 percent mark. More than 2,000 of the organizations in BitSight's survey were found to be running outdated operating systems.

The link between outdated software and adverse incidents isn't just hypothetical. The recent WannaCry ransomware outbreak, which affected hundreds of thousands of systems globally, was found to disproportionately affect machines running older versions of Microsoft Windows. Almost 70% of WannaCry-infected systems were running Windows 7, an operating system released almost eight years ago.

At least that operating system is still supported. BitSight data from March 2017, prior to the WannaCry outbreak, found that almost 20 percent of the 35,000 systems examined in the report were using Windows XP or Windows Vista, unsupported Microsoft operating systems for which patches and security fixes are no longer issued. In the case of WannaCry, Microsoft broke with its usual policy and issued an emergency patch for Windows XP and other unsupported but affected software. There is no guarantee the company will do so again.
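BitSight's browser and operating-system percentages, and the "more than half of their computers" threshold behind the breach-rate comparison, are the kind of figure an organization can compute about itself from what its own web servers already log: the User-Agent header reveals the client's Windows kernel version and browser major version. The script below is an added example written for this article, not BitSight's methodology or code; the log lines are constructed, the "one host per IP" assumption is a simplification that breaks behind NAT or proxies, and the minimum browser versions are hypothetical policy thresholds chosen for early 2017, not figures from the report.

```python
import re
from collections import OrderedDict

# Constructed sample of access-log lines in Apache "combined" format. The
# last quoted field is the User-Agent, which is the only evidence a web
# server (or an outside observer) has about the client's OS and browser.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Mar/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
10.0.0.2 - - [01/Mar/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.3 - - [01/Mar/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
10.0.0.4 - - [01/Mar/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.0; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.0.5 - - [01/Mar/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:45.0) Gecko/20100101 Firefox/45.0"
10.0.0.1 - - [01/Mar/2017:10:00:05 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
"""

# Windows NT kernel versions that had left Microsoft's support lifecycle by the
# time of the March 2017 data (XP) or were about to (Vista, April 2017).
UNSUPPORTED_WINDOWS = {"5.1": "Windows XP", "5.2": "Windows XP x64", "6.0": "Windows Vista"}
WINDOWS_NAMES = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

# Hypothetical "current major version" policy for early 2017. These are assumed
# thresholds for the example, not figures from the article or from BitSight.
MIN_BROWSER_MAJOR = {"Chrome": 56, "Firefox": 52, "IE": 11, "Edge": 14}

UA_FIELD = re.compile(r'"([^"]*)"\s*$')  # final quoted field of a combined-format line


def parse_user_agent(ua):
    """Return (os_name, os_supported, browser, major_version) from a UA string."""
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) in UNSUPPORTED_WINDOWS:
        os_name, supported = UNSUPPORTED_WINDOWS[nt.group(1)], False
    elif nt:
        os_name, supported = WINDOWS_NAMES.get(nt.group(1), "Windows NT " + nt.group(1)), True
    else:
        os_name, supported = "other", True  # non-Windows clients are out of scope here
    # Order matters: Edge UAs also contain "Chrome/", and IE11 announces itself
    # only through the Trident token plus "rv:".
    for name, pattern in (("Edge", r"Edge/(\d+)"), ("IE", r"Trident/.*rv:(\d+)"),
                          ("Firefox", r"Firefox/(\d+)"), ("Chrome", r"Chrome/(\d+)")):
        m = re.search(pattern, ua)
        if m:
            return os_name, supported, name, int(m.group(1))
    return os_name, supported, "unknown", 0


def hosts_from_log(log_text):
    """Map each client IP to the first User-Agent seen for it.
    Assumes one host per IP, which is wrong behind NAT or a forward proxy."""
    hosts = OrderedDict()
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if not m:
            continue
        hosts.setdefault(line.split()[0], m.group(1))
    return hosts


def summarize(log_text):
    """Share of hosts on an unsupported OS or a below-policy browser, plus the
    'more than half of their computers' tiers the article's statistics use."""
    hosts = hosts_from_log(log_text)
    outdated_os = outdated_browser = 0
    findings = []
    for ip, ua in hosts.items():
        os_name, supported, browser, major = parse_user_agent(ua)
        stale_browser = browser in MIN_BROWSER_MAJOR and major < MIN_BROWSER_MAJOR[browser]
        outdated_os += not supported
        outdated_browser += stale_browser
        if not supported or stale_browser:
            findings.append((ip, os_name, browser, major))
    n = len(hosts)
    os_share = outdated_os / n if n else 0.0
    browser_share = outdated_browser / n if n else 0.0
    return {
        "hosts": n,
        "outdated_os_share": os_share,
        "outdated_browser_share": browser_share,
        "majority_outdated_os": os_share > 0.5,
        "majority_outdated_browser": browser_share > 0.5,
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['hosts']} hosts: {report['outdated_os_share']:.0%} on unsupported OS, "
          f"{report['outdated_browser_share']:.0%} on out-of-date browsers")
    for ip, os_name, browser, major in report["findings"]:
        print(f"  {ip:<10} {os_name:<14} {browser} {major}")
```

Run against a real access log, the "majority_outdated_os" flag is the organization-level condition BitSight's three-times-higher breach rate attaches to; the per-host findings list is the patch worklist. Deduplicating by IP understates the fleet when many machines share an egress address, so on a corporate network the same logic is better fed from an endpoint inventory than from edge logs.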

The moral here? Companies need to treat patching as more than a matter of hygiene: unpatched and out of date software plays directly into the hands of would-be attackers and greatly increases the likelihood that an organization will be the victim of a data breach.

This isn’t an abstract issue. The Government Accountability Office (GAO) found that 70% of the federal government’s IT investment goes to operating and maintaining legacy equipment rather than to new technology. Further, a survey of 105 senior federal workers by the firm BeyondTrust found that 47% of the federal agencies represented in the survey still use Windows XP. An overwhelming majority of federal IT managers (81%) said that aging IT infrastructure has a “somewhat to extremely large” impact on their cybersecurity risk.

Data breaches don’t come out of the blue. While sophisticated and targeted campaigns are, of course, a reality, many cyber adversaries act like other predators: spotting and taking advantage of weak or vulnerable prey. Outdated browsers and operating systems are just that: blood in the water for cyber criminals and nation-state hackers. Spotting malicious activity within your network is important. Protecting sensitive data and IT assets is critical. But companies can greatly increase their resilience to adverse cybersecurity incidents simply by keeping their software up to date.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.