Patch deployment failures, misconfigured firewalls and missing OS updates are causing security lapses at many firms, lapses that an attacker could exploit to gain access to critical systems.
That was the finding of a study conducted by UK-based malware protection vendor Sophos, which examined the results submitted by users of its endpoint assessment test. The tool, which could be downloaded for free at the Sophos website, was used by 583 firms based in the U.S. and abroad.
Sophos said 63% of the firms were missing patches. About half had firewalls that weren't even enabled, the vendor said. In all, 81% of the companies failed the assessment.
The security vendor is using the tool to try to get businesses to see the benefits of its network access control (NAC) appliances. It acquired Endforce for its NAC technologies last year. The appliance monitors the network, and scans and quarantines machines and devices at the endpoint. The scan can determine if the machine's patches are up to date and whether it's carrying any malware.
Companies that deploy assessment and remediation features of NAC software could reduce the time it takes to deploy security patches, said Bill Emerick, vice president of product management for NAC. One firm found it could reduce the time it takes to patch systems from 30 days on less than half of the company's machines to seven days or less on 99% of computers, he said.
"If you submit 200 endpoints for assessment and find that only 30% are compliant, you know you've got a problem," he said.
Early adopters have had some success with smaller, initial deployments, according to industry experts. But the pace of NAC deployments has not kept up with the initial hype of the technology.
In a recent report on the state of the NAC market, Robert Whiteley, principal analyst and research director at Forrester Research Inc., said the time is right for more widespread deployments. Hybrid deployments could address the growing use of mobile devices and protect the network from intrusion as a result of customers, suppliers, and partners who try to connect with their machines, he said. A recent Forrester survey also showed a rising interest in deploying the technology. Thirty-seven percent of respondents had already adopted NAC and an additional 18% said they plan to do so in the coming year.
Sophos' Emerick said that through the endpoint assessment tool, firms are quickly learning that they're accepting too much risk by having unpatched machines connected to the network. The tool results showed that 58% of endpoint machines were missing OS patches, 39% were missing patches for Microsoft Office applications, and 21% were missing patches for Internet Explorer. Media player and Flash player updates were also missing on many machines, Emerick said.
"Often we see customers having much more comprehensive assessments when they deploy NAC internally," he said.