11 Feb 2008
A lack of investment in end-user application security has left users open to attack, according to a group of security experts.
"End-points are a data repository and they need to be protected. It is an area of underinvestment today," said Richard Reiner, chief security and technology officer at Assurent Secure Intelligence.
Speaking at last week's NetEvents symposium in Barcelona, Reiner warned that this is more important today, as end-points are becoming a primary focus of attack.
"Just under 50 per cent of the security holes that are exploited are on the end-point," he said.
"And they are in software products that you would not think could be attacked, like web browsers and word processors."
Joshua Corman, principal security strategist at IBM, suggested that the danger had increased because attacks are no longer purely ego-driven and are now motivated by "profit, politics and prestige".
Corman pointed to the Storm worm as an example of today's profit-motivated attacks.
"Storm is enjoying tremendous financial success because it uses malicious code activity on end-points as a source of revenue generation to send spam," he said. "They are making millions and millions of dollars every day."
Reiner added that the problem today is not so much network services, as these had lower rates of vulnerability.
"A lot of the low-hanging fruit has been picked off by the black hats out there," he said.
"There are a much larger number of desktop products than server products. They do not tend to have been reviewed well from a security perspective, and they tend to have a much higher relative rate of vulnerability."
Reiner called for a change in security investment spending. "The end-point is not nearly so well protected today as it ought to be, given the actual distribution of risk," he said.
However, Corman maintained that the weak point is still the end user. "The success of Storm, for example, is a renaissance of social engineering and the one thing you cannot patch in is people," he said.
"There is no vulnerability whatsoever, but they are getting someone to download something and run it and taking advantage of the machine."