Over recent weeks, security concerns around Java and Flash vulnerabilities have risen to the surface once again. In December the National Defense Radio Establishment in Sweden was exposed for having significantly outdated versions of popular apps running, leaving the government organization wide open to cyber attack.
The security lapse highlights how even those organizations at the bleeding edge of IT can be easily exposed by hackers and cyber criminals through unpatched applications.
Problems with Flash and other popular applications like Java are nothing new. It's reported that over 83% of enterprise browsers have Java enabled, yet only 19% of enterprise Windows-based computers ran the latest version, leaving many wide open to hacking. Similarly, nearly 40% of users are not running the most up-to-date versions of Flash. In fact, nearly 25% of Flash installations are more than six months old, close to 20% are outdated by a year and nearly 11% are two years old.*
The regular number of updates required to maintain Java and Flash can themselves cause headaches for the IT team, resulting in businesses constantly playing catch up or having fragmented deployments. In addition, many organizations rely on the older versions of applications to keep the wheels of business in motion. As business applications use these tested versions of Java and Flash, IT departments are forced to sacrifice security in order to keep them running while deploying updates.
Very often, this approach results in organizations banking on antivirus and reactive technologies to stop any potential threats. Malware authors are well aware of this and therefore target specific vulnerabilities with exploit kits that encrypt payloads to bypass the antivirus. The scale of the challenge is clear to see and overcoming it can seem like a daunting prospect.
So what's the solution?
A proactive, layered approach to IT security, based on defense in depth (DiD) is a simple yet effective way to overcome application vulnerabilities and wider threats. Combining proactive strategies such as Application Control, that allows only approved versions of Java or Flash to run, Sandboxing, to isolate web borne exploits and Privilege Management to protect the operating system, all combine to significantly improve your security posture.
This approach is one championed by leading industry associations such as SANS and the Council on Cyber Security as the most effective 'quick wins' based on real-life attacks.
To learn more about how Avecto can help you improve your security posture with applications through its Defendpoint software visit www.avecto.com/defendpoint
* http://community.websense.com/blogs/securitylabs/archive/2013/09/05/new-java-and-flash-research-shows-a-dangerous-update-gap.aspx
