A snapshot of the enterprise remote access space in 2017 reveals a few interesting trends: more businesses have adopted Windows 10 and Apple products, nearly all Android devices are out-of-date, and chances are good their browsers are no longer running Flash.
To learn more about users' authentication behavior and device health, the security research team at Duo Labs dug into data from 10.7 million devices and nearly 0.5 billion monthly authentications. Researchers wanted to see where people authenticate from, how they respond to phishing, and the devices, operating systems, browsers, and plugins they use.
There are obvious security implications in these trends. The researchers found a majority shift in Windows 10 adoption, which jumped from 27% in 2017 to 48% in 2018. Devices running Windows 7 also decreased from 65% in 2017 to 44% this year. Duo researchers attribute the spike to WannaCry, which prompted Windows 10 downloads.
"It was one of the bigger drivers in Windows 10 adoption," says Duo data scientist Olabode Anise. "After the first 30- to 60 days after WannaCry there was an uptick, then it started to level out and decrease" after the companies that wanted to upgrade completed the process.
Industries slowest to adopt Windows 10 were healthcare (29%), transportation and storage (31%), and insurance (33%). Those fastest to adopt the latest Windows OS were computers and electronics (82%), wholesale and distribution (70%), and nonprofit (56%).
Anise says these trends fluctuated depdnding on the applications running on particular endpoints. Since apps are affected by OS changes, people in industries more at the forefront of new technologies would utilize and adopt Windows 10 more quickly.
Researchers point out that it's not always possible to update operating systems in large enterprises with complex IT environments without rendering certain devices inoperable. Connected medical devices and healthcare software, for example, may not be designed to run Windows 10. In healthcare, Anise notes, "mission-critical applications are hardest to port over."
While Windows 10 adoption may be up, Windows usage declined overall. Researchers noticed Windows users dropped from 68% to 65% between 2017 and 2018. At the same time, they saw an uptick in macOS, which grew 27% to 30%, and iOS, which jumped from 10% to 12%.
Mobile Security Could Use a Major Update
Most endpoints are not running the latest version of their operating system, says Kyle Lady, senior information security engineer at Duo. However, iOS and macOS devices are generally more up-to-date than those running Android or Chrome OS. By the end of March 2018, only 8% of Android phones had been patched with the latest security fix released 26 days prior.
Ninety percent of Android devices are out-of-date, researchers found. The same can be said for 85% of ChromeOS devices, 74% of macOS devices, and 56% of iOS devices.
Users lagging on Android security updates "is not new, and it's not necessarily getting worse," says Lady, noting that this has been a problem for years. Android updates have to come from the manufacturer, which pushes them to the carrier, which sends them to users.
"If there's a slowdown anywhere along the way, it results in the user being at risk," he explains. While Google has done a lot of work to structure Android so it can receive mission-critical updates faster, it often doesn't help users running versions ineligible for security updates. Android is great for an open-source mobile OS, Lady says, but it's tough to update.
"I think we've seen a lot of businesses take notice of the Android security problems, and the difficulties in updating Android devices," Anise adds. "iOS has a much more clear-cut picture as to whether a given phone can update or not."
Android has dozens of manufacturers and hundreds of versions, and it can spiral out of control if you're trying to come up with restrictions that let users access data while keeping company assets secure, he adds. It's easier to create these policies for iOS and, in some cases, macOS.
Browser Security and the Fall of Flash
Firefox Mobile is the most out-of-date browser based on Duo's research, which found 93% of endpoints using it hadn't updated to the most recent version. Chrome came in next at 53%, followed by Firefox desktop (49%), Safari (42%), Edge (33%), Chrome Mobile (31%), and Internet Explorer, which was the most up-to-date with only 5% of users behind.
To put these numbers in context, there hasn't been a new version of Internet Explorer released since 2013. Chrome was last updated on March 6, 2018. While it appears Chrome browsers are more out-of-date, the browser is more frequently updated by its vendor than others.
Researchers also noticed Adobe Flash Player is rapidly disappearing from browsers. Less than one-quarter (24%) of browsers had Flash uninstalled in 2017; by 2018, that number had jumped to 69%. "Uninstalled" includes browsers with Click to Play or other forms of Flash blocker implemented, meaning browsers won't run arbitrarily run Flash unless users opt in.
"A lot of the driving factors rely around users switching to models that have Flash disabled by default," says Anise. "Extensions for Web browsers let you do this, or you can configure Google Chrome to not run Flash by default." Chrome, he says, has forced its content creators to adopt new technologies and has been a major driver in the move away from Flash, which will no longer be shipped with Chrome starting in 2020. Adobe will end-of-life Flash later that year.
Authenticating More Remote Workers
Both Anise and Lady speak to the importance of updates and two-factor authentication as people increasingly work remotely and log on from different networks. While mobility brings additional security risks, Lady says companies see the benefits of letting workers go remote.
From 2017 to 2018, Duo's data showed a 10% increase in the average number of unique networks that customers and businesses are authenticating from. More than one-quarter (26%) log in from two or more networks in 2018; eight percent log in from at least three.
If workers are going to work remotely, it's essential to keep their devices updated and provide a second factor to verify their identity. An analysis of phishing simulation attacks found 62% captured one set of user credentials, and 64% involved one out-of-date device.