
Promisec Internal Risk Report 2009

Audit Report: Internal Security Vulnerabilities of Endpoints

Executive Summary

The number of threats to corporate internal networks has grown
disproportionately to the technical resources and capacity of enterprises to
properly address these threats. This report shows a breakdown of the
threats faced in organizations, identifying the most common threats and
describing the different types of threats. According to analysts such as
IDC and Gartner, 90% of security threats are accidental. It has also been
estimated that 80% of security threats originate within the organization.

Over the course of 2009, Promisec performed scans at hundreds of
organizations worldwide, collecting data on the most common internal
threats to endpoints. Promisec’s 2009 study looks at scans of
approximately 100,000 endpoints inside 25 organizations of various sizes
and from a variety of industries.

The main findings of the report are as follows:

• 100% of organizations have security and compliance threats in 10-30%
  of the endpoints
• Increase in all types of threats from previous year
• 23% of endpoints were missing third-party agents
• 20% of endpoints had unauthorized peer-to-peer applications
• 15% of endpoints did not have the latest Microsoft service packs or
  hotfixes
• 15% of endpoints had antivirus problems, meaning the antivirus was
  disabled, missing, or not updated for the latest version


• Dual connectivity, hacking software and unmanaged workstations
  were found in 2-3% of endpoints. These are serious threats, despite
  the low numbers
• Total USB device use went up dramatically, but unauthorized USB
  or PDA use was at 13%

Discussions with CIOs and CISOs indicated that a primary concern is
maintaining and managing corporate policy and regulatory compliance
on the endpoints. To comply with these policies and standards, such as
PCI and SOX, they are utilizing more third-party clients, so reliable and
clientless management of those third-party agents is essential.

One of the most interesting findings is the difficulty in maintaining
updated patches on all machines. Every corporation has a patch
management system in place, and yet many critical assets are missing
the latest patches. The research also detected missing critical hotfixes.
For example, hotfixes released to prevent the “Conficker” virus weren’t
deployed fully, for various reasons covered later in this report.

Methodology and Background

Promisec offers Clientless Endpoint Management (CEM) software
solutions. The company provides rapid inspections of corporate network
endpoints, without a client (agent) on the endpoints.

Promisec CEM technology identifies a wide range of endpoint activity,
including:

• Missing hotfixes
• Misconfigured antivirus and third-party agents
• Power settings
• Existence of P2P and other harmful applications
• Unauthorized wireless connections and USB connections
• Sharing of files and directories

The information in this report was gleaned from inspections performed at
customer sites, and aggregated. No identifying information is included in
this report.


Regarding the methodology, the percentage of threats in this report
reflects company policy. So, for example, if the report mentions the lack
of a third-party agent, it does not identify all endpoints in a network
missing that agent. Rather, it identifies only those endpoints that,
according to company policy, should have that agent installed.

Threat Categories and Findings

The following table summarizes the findings compared to 2008 and 2007.

As shown, all threats are on the rise, with major jumps in the number of
missing agents, sharing and hotfixes.

Out of 99,990 endpoints checked, Promisec inspections found 124,753
issues on the endpoints. Some endpoints had several violations. The
report does not indicate the number of endpoints compromised.
Typically organizations find 10-35% of the endpoints with some type of
security threat or non-compliance issue.


Breakdown of frequency is shown below (out of 124,753 issues).

In general, the source of the threats is twofold:

• To manage compliance and security issues, IT managers are using
  an increasing number of third-party agents. Maintaining software
  updates for these and other applications is an increasing challenge.
• Users are becoming sophisticated, and many applications are able
  to bypass traditional security. Hacking tools, P2P applications,
  virtual machines, and other threats are easy to implement, and are
  increasingly able to slip by unnoticed. While such behavior typically
  is not malicious, it opens up multiple security threats to the network.

In other words, system administrators need comprehensive solutions to
detect a widening set of deviations from corporate policy.

Threats and Issues

Third-Party Agents

From 2008 to 2009, the results show a dramatic increase in missing
third-party agents. As IT departments are getting more sophisticated, our
audits have been tracking a larger number of agents, such that this
year’s numbers provide a better representation of reality than previous
audits. Third-party agents are used for regulatory compliance, patch
updating, encryption, personal firewalls, etc. A workstation may have 5-6
different agents that should be running. The results of this year’s report
show how much of a challenge it is for IT to manage those agents.


The network complexity and the lack of administrator visibility mean that
IT departments are missing some of the dangerous activities of some of
the users. Savvy and technically-minded workers learn to uninstall
or disable endpoint security management agents they perceive as
disrupting their workflow. With or without malicious intent, end-users can
tamper with agents on their computers. This poses a threat to the
compliance and security posture of a corporate network.

Missing Hotfixes and Service Packs

This year’s scan included hotfixes as well as service packs for Microsoft
products. Therefore, the numbers do not directly correlate to last year’s
numbers, which included only service packs. This year’s numbers more
accurately reflect the magnitude of this problem than previous
inspections.

Microsoft products are a major cost for IT departments, both in terms of
licensing and in terms of the personnel needed to install patches and
ensure everyone is on the same patch level. Promisec complements the
patch management system by detecting the machines that haven’t
received the required patches, whatever the cause.

The frequency of Microsoft patches and hotfixes makes this a major
issue on corporate networks. Many IT administrators struggle just to get
an accurate picture of where the updates are missing.

Missing or Outdated Anti-virus

Some anti-virus solutions on the corporate network may not be fully
deployed, or may even be missing, despite a positive report from the
anti-virus management console. An anti-virus client might be installed
and enabled but not updated because the automatic update has been
disabled or is not working properly. It is also possible that updates are
not being received because the setting identifying the path of the proper
anti-virus server is incorrect. Another common problem is that companies
inadvertently issue a static ID for the client. If one of the endpoints with
this static ID reports that the anti-virus is OK, all other endpoints with
that same ID are also identified as OK.

In many cases, we discovered that anti-virus programs were not
configured to work properly. Among other reasons, this can happen
because not all necessary services are available or because the
anti-virus is in “pause” or “stop” mode.
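The reconciliation described above, as an added example that is not part of the report or of Promisec's products: it compares what a management console claims with what an inspection of the machine itself finds, flagging shared (static) client IDs, engines that are stopped while the console says OK, stale signatures, and machines the console has never seen. All records, hostnames and the 3-day signature threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ConsoleRecord:          # one row as the anti-virus console reports it
    client_id: str
    hostname: str
    status: str               # "OK" or "ALERT"
@dataclass
class EndpointState:          # what a clientless inspection of the machine finds
    hostname: str
    service_running: bool
    signature_date: date

def audit_antivirus(console, endpoints, today, max_sig_age_days=3):
    """Return findings where the console's picture disagrees with the endpoint."""
    findings = []
    # 1. Static client IDs: several hosts share one ID, so one host's "OK"
    #    is effectively reported for all of them.
    by_id = {}
    for rec in console:
        by_id.setdefault(rec.client_id, set()).add(rec.hostname)
    for cid, hosts in sorted(by_id.items()):
        if len(hosts) > 1:
            findings.append(("duplicate_client_id", cid, sorted(hosts)))
    # 2. Console says OK but the engine is stopped or not updating, or the
    #    console has never heard of the machine at all.
    known = {rec.hostname for rec in console}
    console_ok = {rec.hostname for rec in console if rec.status == "OK"}
    for ep in endpoints:
        if ep.hostname not in known:
            findings.append(("not_in_console", ep.hostname))
        elif ep.hostname in console_ok:
            if not ep.service_running:
                findings.append(("service_not_running", ep.hostname))
            elif (today - ep.signature_date).days > max_sig_age_days:
                findings.append(("signatures_stale", ep.hostname))
    return findings

# Constructed sample data, not taken from the report.
CONSOLE = [
    ConsoleRecord("client-0001", "ws-finance-01", "OK"),
    ConsoleRecord("client-0001", "ws-finance-02", "OK"),    # same static ID
    ConsoleRecord("client-0002", "ws-hr-01", "OK"),
]
ENDPOINTS = [
    EndpointState("ws-finance-01", True, date(2009, 11, 2)),
    EndpointState("ws-finance-02", False, date(2009, 9, 1)),    # engine stopped
    EndpointState("ws-hr-01", True, date(2009, 10, 20)),        # stale signatures
    EndpointState("ws-lab-07", False, date(2009, 1, 5)),        # unknown to console
]
TODAY = date(2009, 11, 3)
```

Running `audit_antivirus(CONSOLE, ENDPOINTS, TODAY)` yields four findings, one per problem the section lists; the console alone would have reported every enrolled machine as OK.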


Dual Connectivity or Split Tunneling

Dual Connectivity, also known as “split tunneling,” occurs for example
when a wireless access card on a laptop or a 3G modem is used to
connect to an unauthorized (public) wireless network while the laptop is
simultaneously connected to the corporate network. While only 2-3% of
computers are connected this way, dual connectivity opens up the
corporate network to the outside and is very dangerous.

Violations of this policy typically happen when a worker wants to access
web sites filtered by the company's security policy. While still connected
to the network, the employee connects to a public "OPEN" wireless
access point. The employee can surf the Web freely while connected to
the corporate network as an authorized user, creating a "back door" into
the network. Meanwhile, the employee is completely unaware he/she
has opened a "back door."
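A check for the condition described in this section, added here as an example and not taken from the report or from Promisec's tools: given the interface inventory collected from an endpoint, it flags hosts that hold a corporate address and a non-corporate address at the same time, while ignoring loopback and APIPA (169.254.x.x) addresses that do not represent real connectivity. The corporate address ranges and the interface records are assumptions constructed for the example.

```python
import ipaddress

# Assumption for this example: the corporate address plan uses these ranges;
# an interface addressed inside them counts as a corporate connection.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("172.16.0.0/12")]

def is_corporate(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)

def dual_connectivity(interfaces):
    """interfaces: list of dicts with 'name', 'up' and 'addr' (str or None),
    as an inventory tool would collect them from the endpoint.
    Returns (corporate_names, external_names) when the host is on the corporate
    network and on some other network at the same time, otherwise None."""
    corporate, external = [], []
    for nic in interfaces:
        if not nic["up"] or not nic["addr"]:
            continue                      # disabled or unplugged adapter
        ip = ipaddress.ip_address(nic["addr"])
        if ip.is_loopback or ip.is_link_local:
            continue                      # loopback / APIPA: no real connectivity
        (corporate if is_corporate(nic["addr"]) else external).append(nic["name"])
    return (corporate, external) if corporate and external else None

# Constructed samples, not taken from the report.
LAPTOP_A = [   # docked on the corporate LAN while Wi-Fi joined an open hotspot
    {"name": "Ethernet", "up": True, "addr": "10.20.31.44"},
    {"name": "Wi-Fi", "up": True, "addr": "192.168.1.105"},
]
LAPTOP_B = [   # corporate LAN only; Wi-Fi adapter on but not associated (APIPA)
    {"name": "Ethernet", "up": True, "addr": "10.20.31.45"},
    {"name": "Wi-Fi", "up": True, "addr": "169.254.12.7"},
]
LAPTOP_C = [   # corporate LAN plus a 3G modem with a carrier-assigned address
    {"name": "Ethernet", "up": True, "addr": "172.20.5.9"},
    {"name": "3G Modem", "up": True, "addr": "203.0.113.77"},
    {"name": "Wi-Fi", "up": False, "addr": None},
]
```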

Peer to Peer Applications


Peer-to-peer applications are generally on the rise. Many companies
have policies in place regarding permissible P2P applications, but the
proliferation of clients is such that it’s difficult to follow all the applications
available without a management console.

Instant messaging use rises year to year, and companies are becoming
tolerant of the use of such programs. Typically, organizations have
authorized and unauthorized IM applications. Windows Live Messenger
is usually not considered a threat, for example. On the other hand,
applications like Skype and Digsby, which can use computer and system
resources, would typically be outside the permissible use policy of many
companies.

Unmanaged Machines
All desktops, laptops and servers inside a corporate network need to be
a part of a “domain” or “workgroup” where they can be managed. In
other words, the administrator has access and can ensure that the
endpoint complies with company policy. Unmanaged computers can be
tricky to even identify on the network, without a tool such as Promisec
provides. In most networks, inspections found 2-3% of computers in the
network were unmanaged.


Another interesting finding was the identification of employees who are
using virtual machine applications. Virtual machine software allows
users to run a second operating system (Windows) on top of the existing
system. Using a virtual machine means that the IT department does not
have visibility of the user’s activity on the virtual machine, and sees only
the original system. Virtual machine applications have become easy to
install within corporate networks. To use such a program, the user has to
be aware he/she installed it, and to have a reason to want his or her
activity to be private from the system administrator.

Security/Hacking Tools and Utilities

In large companies, there is a danger that some of the employees
download and use hacking tools, either intentionally knowing what they
are, or simply out of curiosity. Examples of applications that can be used
by hackers include Nmap, Nessus, John the Ripper, SuperScan, p0f,
Winzapper. Hacking tools are widely and easily available for download
and pose enormous threats to computer network security.

Obviously, very few company employees are involved in this kind of
malicious behavior. Therefore, it appears on very few computers
scanned by Promisec. Furthermore, there is no significant change from
year to year. However, the threat posed by such programs is so
serious that even one download is a serious threat.

File Sharing
Today, file sharing has become common practice at the office.
Employees are using corporate issued computers to access shared
documents, audio and video files. Through carelessness, ignorance or
lack of oversight, this practice exposes network infrastructures to
tremendous risk. However, with the appropriate controls and monitoring
in place, organizations can protect themselves from costly personal or
corporate data theft.

USB memory storage devices

The threat of USB flash drives and other similar devices is clearly
growing. The Promisec audit reports show a much larger number of
devices per endpoint than before. Over the course of a few months, a
typical endpoint may have 3-5 USB or other devices connected to it.
These devices include thumb drives, digital cameras, and mobile
devices.


Conclusion
Promisec’s annual study seeks to reveal serious yet resolvable problems
that persist at the endpoint level of enterprises and other organizations.
The company’s research has provided CIOs with an unprecedented
glimpse inside their networks.

No other security solution ensures comprehensive coverage of every
endpoint in the network, regardless of user behavior. Promisec technology
identifies and remediates any security or compliance violations at
the endpoint level with unprecedented accuracy and real time intelligence
gathering and analysis.

With new levels of visibility and control over the endpoints, organizations
have adopted Promisec CEM technology, dramatically improving their
endpoint management capabilities and eliminating costly risks to the
health of their businesses.

About Promisec

Promisec, Inc. provides clientless endpoint management (CEM) software solutions that give corporate IT administrators
unprecedented visibility, speed and control over internal network endpoints, in-depth real-time intelligence to identify
threats, and the tools to neutralize them. The company's products, Promisec Spectator® and Promisec INNERspace™,
are used by a wide range of SMBs and Global 2000 organizations. With 24/7 or on-demand clientless monitoring,
compliance and remediation, Promisec protects against business disruption caused by internal network threats while
optimizing IT operations and enabling organizations to confidently place trust in their most important assets - their people.
Founded in 2004, Promisec's headquarters are located in Israel with offices in New York and Paris.

For More Information

Promisec USA
55 Broad Street, Suite 20C
New York, NY 10004
Tel: +1 (212) 743-9916
Fax: +1 (212) 889-3213
Email: sales@promisec.com
Internet: www.promisec.com

USA 2009 Red Herring 100 Award Winner, honoring Promisec as “one of
the top 100 most promising tech companies.”

Copyright © Promisec 2009. All Rights Reserved.
All technical specifications are subject to change.
