The extent to which enterprise networks are sprawling, half-visible, and full of PCs and servers running obsolete versions of operating systems, alongside vulnerable IoT devices, has been laid bare by new research.

Twenty-six percent of Linux systems and 8% of Windows systems are running on end-of-life (EOL) versions of operating systems, according to research from Palo Alto Networks.

Palo Alto’s Device Security Threat Report, based on telemetry data from 27 million devices on the networks of 1,800 enterprises, also found that 39% of IT devices registered in network directories lack active endpoint security protections. A third (32.5%) of all devices in corporate networks operate outside IT control.

The absence of security controls enables attackers to hack into unprotected devices without risking detection. Almost four in five (77%) corporate networks were poorly segmented, a setup in which low-security devices such as smart coffee makers or printers and high-value targets like financial servers sit on the same network segment.

“What stood out in our findings is how often everyday devices — like office cameras, smart sensors, or personal laptops — are directly linked to sensitive systems, and how often even IT managed devices have security gaps,” Qiang Huang, VP of product management for cloud delivered security services at Palo Alto Networks, tells CSO. “Nearly half of those connections come from high-risk devices that were never built with security in mind.”

Visibility gaps

Visibility and segmentation remain the weakest points of many enterprise networks. Around a third of enterprise devices are still unmanaged, and most networks are effectively flat, enabling attackers to move freely once they get in.

Worse yet, network edge devices are increasingly afflicted with zero-day vulnerabilities that experts blame on basic security bugs.

“Misconfigurations in firewalls, routers, and switches have repeatedly led to major breaches, as these devices often have privileged access and broad network visibility,” says Bharat Mistry, field CTO at Trend Micro. “Their presence at the top of the vulnerability list highlights the need for rigorous patching and configuration management.”

Routers, video conferencing systems, and IoT gear sit on the edge of networks, often unmanaged, poorly patched, and running with default credentials.

“If you reduce internet exposure, kill default credentials, and prioritize fixes for devices that are both exposed and exploitable, you take away a huge amount of low-effort attacker opportunity,” says Rik Ferguson, VP of security intelligence at Forescout.

Ferguson adds: “You can’t rely on agent coverage, so you need continuous, agentless visibility, software/firmware inventory, including EOL and risk-based controls at segmentation and patching levels.”
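As an added example that is not part of the report or this article, the script below runs the kind of inventory triage the advice above describes: it flags end-of-life releases, unmanaged devices, internet-exposed devices with a known-exploited flaw, default credentials, and segments where low-trust IoT sits beside high-value servers. The device list, the EOL table and the device categories are constructed for illustration only.

```python
"""Device-inventory triage: flag the visibility and segmentation gaps a defender wants to fix first."""
from dataclasses import dataclass

# Constructed, illustrative EOL table; consult the vendor lifecycle page for real use.
EOL_OS = {("windows", "7"), ("windows", "2008r2"), ("linux", "centos7"), ("linux", "ubuntu16.04")}
LOW_TRUST = {"camera", "printer", "coffee_maker", "sensor", "nvr"}        # constructed categories
HIGH_VALUE = {"finance_server", "domain_controller", "database"}


@dataclass
class Device:
    name: str
    family: str            # "windows" or "linux"
    version: str
    kind: str
    segment: str
    managed: bool          # in the directory and running endpoint protection
    internet_exposed: bool
    known_exploited_cve: bool
    default_creds: bool


def triage(devices):
    """Return a dict of gap type -> sorted list of device (or segment) names."""
    findings = {"eol": [], "unmanaged": [], "exposed_exploitable": [], "default_creds": [], "flat_segment": []}
    by_segment = {}
    for d in devices:
        if (d.family, d.version) in EOL_OS:
            findings["eol"].append(d.name)
        if not d.managed:
            findings["unmanaged"].append(d.name)
        if d.internet_exposed and d.known_exploited_cve:   # exposed AND exploitable: highest priority
            findings["exposed_exploitable"].append(d.name)
        if d.default_creds:
            findings["default_creds"].append(d.name)
        by_segment.setdefault(d.segment, set()).add(d.kind)
    for seg, kinds in by_segment.items():                  # low-trust gear sharing a segment with crown jewels
        if kinds & LOW_TRUST and kinds & HIGH_VALUE:
            findings["flat_segment"].append(seg)
    return {k: sorted(v) for k, v in findings.items()}


def eol_share(devices, family):
    """Percentage of devices in an OS family that run an EOL release."""
    fam = [d for d in devices if d.family == family]
    return round(100.0 * sum((d.family, d.version) in EOL_OS for d in fam) / len(fam), 1) if fam else 0.0


INVENTORY = [  # constructed sample inventory
    Device("fin-db-01", "linux", "rhel9", "finance_server", "seg-a", True, False, False, False),
    Device("cam-lobby", "linux", "embedded", "camera", "seg-a", False, True, True, True),
    Device("print-3f", "linux", "embedded", "printer", "seg-b", False, False, False, True),
    Device("hr-pc-17", "windows", "7", "workstation", "seg-b", True, False, False, False),
    Device("build-01", "linux", "centos7", "server", "seg-c", True, True, False, False),
    Device("dc-01", "windows", "2022", "domain_controller", "seg-c", True, False, False, False),
]

if __name__ == "__main__":
    for gap, names in triage(INVENTORY).items():
        print(f"{gap}: {names}")
    print(f"EOL share: linux {eol_share(INVENTORY, 'linux')}%, windows {eol_share(INVENTORY, 'windows')}%")
```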

Risky business

Forescout’s Ferguson tells CSO that Palo Alto’s numbers align with Forescout’s telemetry across global enterprise networks.

“Their [Palo Alto’s] finding that 26% of Linux systems and 8% of Windows systems are end-of-life is directionally consistent with what we observe in the field, especially for embedded Linux in routers and appliances, where kernel versions lag for years,” Ferguson says. “The result is a large attack surface of internet-reachable devices with unpatched flaws and weak defaults.”

According to Forescout’s latest annual Riskiest Devices report, routers and other network gear account for more than half of devices with the most dangerous vulnerabilities, with other categories such as video/voice systems also prominent.

Forescout’s study — which is based on telemetry from enterprise devices using Forescout’s Device Cloud and a multi-factor risk scoring methodology — also highlights that the risk posed by operational technology (OT) is growing fast.

The riskiest device types by domain, according to Forescout, include application delivery controllers and firewalls on the IT side; NVRs, NAS, VoIP, and IP cameras in IoT; and universal gateways and building management systems in OT.

Remediation challenges

Matt Middleton-Leal, managing director for EMEA at Qualys, says that visibility, vulnerability remediation, and network segmentation need to be treated as more important internally if CISOs want to get support for security remediation projects.

“There are two issues here: how to get complete visibility of all your IT assets, and why end-of-life software or hardware still exists within the business,” Middleton-Leal says. “For CISOs, dealing with these issues involves working with the business around risk.”

The challenge for security leaders is that projects to replace insecure equipment are viewed as lower priorities and lack the business case of, for example, AI-related projects that are viewed as the “cutting edge” of innovation.

“Replacing end-of-life assets can require time and change management resources that cost money, but they don’t deliver enough of a return to the business,” Middleton-Leal says.

Adam Seamons, head of information security at GRC International Group, agrees that replacing legacy systems is rarely an enterprise IT project priority.

“The persistence of end-of-life Windows and Linux systems isn’t laziness; it’s reality,” Seamons says. “Replacing legacy systems is expensive, risky, and rarely top of the priority list until something breaks.”

Seamons adds: “The problem is that every unpatched device is basically a welcome mat for attackers.”

Remediation work may extend beyond straight hardware replacement or migration, because upgrades may also require refactoring software to work with newer, more secure components.

“That is often why those older software assets don’t get updated, because the rework and change control is a substantial investment for relatively little return,” Qualys’ Middleton-Leal notes.

“CISOs and security leaders have to guide their teams through these costs, and where end-of-life software can’t be replaced, design the compensating controls and risk mitigation approach that keeps software or assets secure,” Middleton-Leal says.
