Endpoint

5/23/2018
10:20 AM

Windows 10 Adoption Grew 75%, Adobe Flash Plummeted 188% in 2017: Report

Authentication data reveals an increase in Apple devices, poor mobile security, and the rapid disappearance of Flash from browsers.

A snapshot of the enterprise remote access space in 2017 reveals a few interesting trends: more businesses have adopted Windows 10 and Apple products, nearly all Android devices are out-of-date, and chances are good their browsers are no longer running Flash.

To learn more about users' authentication behavior and device health, the security research team at Duo Labs dug into data from 10.7 million devices and nearly 0.5 billion monthly authentications. Researchers wanted to see where people authenticate from, how they respond to phishing, and the devices, operating systems, browsers, and plugins they use. 

There are obvious security implications in these trends. The researchers found a majority shift in Windows 10 adoption, which jumped from 27% in 2017 to 48% in 2018. Devices running Windows 7 also decreased from 65% in 2017 to 44% this year. Duo researchers attribute the spike to WannaCry, which prompted Windows 10 downloads.

"It was one of the bigger drivers in Windows 10 adoption," says Duo data scientist Olabode Anise. "After the first 30 to 60 days after WannaCry there was an uptick, then it started to level out and decrease" after the companies that wanted to upgrade completed the process.

Industries slowest to adopt Windows 10 were healthcare (29%), transportation and storage (31%), and insurance (33%). Those fastest to adopt the latest Windows OS were computers and electronics (82%), wholesale and distribution (70%), and nonprofit (56%).

Anise says these trends fluctuated depending on the applications running on particular endpoints. Since apps are affected by OS changes, people in industries more at the forefront of new technologies would utilize and adopt Windows 10 more quickly.

Researchers point out that it's not always possible to update operating systems in large enterprises with complex IT environments without rendering certain devices inoperable. Connected medical devices and healthcare software, for example, may not be designed to run Windows 10. In healthcare, Anise notes, "mission-critical applications are hardest to port over."

While Windows 10 adoption may be up, Windows usage declined overall. Researchers noticed Windows users dropped from 68% to 65% between 2017 and 2018. At the same time, they saw an uptick in macOS, which grew from 27% to 30%, and iOS, which jumped from 10% to 12%.

Mobile Security Could Use a Major Update

Most endpoints are not running the latest version of their operating system, says Kyle Lady, senior information security engineer at Duo. However, iOS and macOS devices are generally more up-to-date than those running Android or Chrome OS. By the end of March 2018, only 8% of Android phones had been patched with the latest security fix released 26 days prior.

Ninety percent of Android devices are out-of-date, researchers found. The same can be said for 85% of Chrome OS devices, 74% of macOS devices, and 56% of iOS devices.

Users lagging on Android security updates "is not new, and it's not necessarily getting worse," says Lady, noting that this has been a problem for years. Android updates have to come from the manufacturer, which pushes them to the carrier, which sends them to users.

"If there's a slowdown anywhere along the way, it results in the user being at risk," he explains. While Google has done a lot of work to structure Android so it can receive mission-critical updates faster, it often doesn't help users running versions ineligible for security updates. Android is great for an open-source mobile OS, Lady says, but it's tough to update.

"I think we've seen a lot of businesses take notice of the Android security problems, and the difficulties in updating Android devices," Anise adds. "iOS has a much more clear-cut picture as to whether a given phone can update or not."

Android has dozens of manufacturers and hundreds of versions, and it can spiral out of control if you're trying to come up with restrictions that let users access data while keeping company assets secure, he adds. It's easier to create these policies for iOS and, in some cases, macOS.

Browser Security and the Fall of Flash

Firefox Mobile is the most out-of-date browser based on Duo's research, which found 93% of endpoints using it hadn't updated to the most recent version. Chrome came in next at 53%, followed by Firefox desktop (49%), Safari (42%), Edge (33%), Chrome Mobile (31%), and Internet Explorer, which was the most up-to-date with only 5% of users behind.

To put these numbers in context, there hasn't been a new version of Internet Explorer released since 2013. Chrome was last updated on March 6, 2018. While it appears Chrome browsers are more out-of-date, the browser is more frequently updated by its vendor than others.

Researchers also noticed Adobe Flash Player is rapidly disappearing from browsers. Less than one-quarter (24%) of browsers had Flash uninstalled in 2017; by 2018, that number had jumped to 69%. "Uninstalled" includes browsers with Click to Play or other forms of Flash blocker implemented, meaning browsers won't arbitrarily run Flash unless users opt in.

"A lot of the driving factors rely around users switching to models that have Flash disabled by default," says Anise. "Extensions for Web browsers let you do this, or you can configure Google Chrome to not run Flash by default." Chrome, he says, has forced its content creators to adopt new technologies and has been a major driver in the move away from Flash, which will no longer be shipped with Chrome starting in 2020. Adobe will end-of-life Flash later that year.

Authenticating More Remote Workers

Both Anise and Lady speak to the importance of updates and two-factor authentication as people increasingly work remotely and log on from different networks. While mobility brings additional security risks, Lady says companies see the benefits of letting workers go remote.

From 2017 to 2018, Duo's data showed a 10% increase in the average number of unique networks that customers and businesses are authenticating from. More than one-quarter (26%) log in from two or more networks in 2018; eight percent log in from at least three.

If workers are going to work remotely, it's essential to keep their devices updated and provide a second factor to verify their identity. An analysis of phishing simulation attacks found 62% captured one set of user credentials, and 64% involved one out-of-date device.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
rhogeo,
User Rank: Apprentice
5/24/2018 | 10:12:27 AM
Math?
How does something "plummet" 188%? Maybe it's been too long since I've taken a math class, but I would think the maximum something could plummet would be 100%?