I recently read over Flexera's Vulnerability Review 2018: Top Desktop Apps report, and frankly, I'm not surprised by the findings. According to the research, 83% of vulnerabilities were rated extremely or highly critical. Also, a staggering 93% of those vulnerabilities could be exploited over the Internet.
Where does most of the Internet activity come from in an organization? Desktops. End users need Internet access to do their job. An organization these days couldn't function without an Internet connection. So many businesses rely on cloud and SaaS apps, and these aren't possible without venturing out onto the world wide web. And, unfortunately, the www in your URL can be a scary place.
One click on a phishing email or an eye-catching link on an unscrupulous website that somehow got through the web filter is all it takes to trigger an exploit. The bad guys know this and realize that Susie from Accounting is likely to be running a desktop app and specifically target these applications. One lazy Friday when Susie decides to catch up on Facebook on her corporate computer is all it takes for a well-designed exploit to take hold in an organization.
How do we prevent this? We can't lock all of the desktops down wholly. We also need to be realistic about the desktop-to-IT ratio. Operations folks have a lot more to do than just monitor Susie's desktop all day. They know that desktop applications are vulnerable to exploits, but they just don't have time to juggle another ball. Whether it's Microsoft patches or any of the other dozens of applications Susie uses, they need an automated solution that can discover and patch these desktops without the fuss.
First off, an organization must have an up-to-date inventory of desktop applications. If you're not using some kind of software management application, or even just scripts to query your network, you need to start immediately. Vulnerability remediation isn't possible if you don't know what to remediate!
IT also needs to set priorities. Since vulnerability management isn't typically a top priority, they need to figure out where it fits between keeping servers online and when's lunch break. It has to go somewhere in there. Using Flexera's Vulnerability Review 2018: Top Desktop Apps report, they can skim through the mountains of data to figure out which of their desktop apps are more susceptible and set a plan of attack.
Once an organization knows what applications are under their domain and knows what the top priorities are, it's then time to patch. If IT doesn't have a patching procedure in place yet, it does take some time to work with departments to define test systems and communicate potential downtime and reboots, but it'll become second nature eventually. There are dozens of applications that can patch both Microsoft Windows and other applications.
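The inventory, prioritize, patch sequence described above can be expressed as a join between the desktop inventory and advisory data. The following Python example is added here for illustration and is not taken from the report or from any product; the hosts, application names, versions and advisory fields are constructed, and it assumes one advisory per application and purely numeric dotted versions.

```python
from collections import defaultdict

# Criticality labels: "extremely" and "highly" appear in the post; lower tiers are assumed.
CRITICALITY = {"extremely": 5, "highly": 4, "moderately": 3, "less": 2, "not": 1}

# Constructed inventory: (host, application, installed version).
INVENTORY = [
    ("acct-01", "ExamplePDF Reader", "11.0.2"),
    ("acct-02", "ExamplePDF Reader", "11.0.7"),
    ("hr-01", "ExamplePDF Reader", "11.0.2"),
    ("acct-01", "ExampleZip", "4.1.0"),
    ("hr-01", "ExampleBrowser", "60.0.1"),
    ("acct-02", "ExampleBrowser", "61.0.0"),
]

# Constructed advisories (hypothetical fields), one per application.
ADVISORIES = [
    {"app": "ExamplePDF Reader", "fixed_in": "11.0.7", "criticality": "highly", "remote": True},
    {"app": "ExampleZip", "fixed_in": "4.2.0", "criticality": "moderately", "remote": False},
    {"app": "ExampleBrowser", "fixed_in": "61.0.0", "criticality": "extremely", "remote": True},
]

def parse_version(text):
    """Turn '11.0.2' into (11, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def patch_queue(inventory, advisories):
    """Return (app, target version, exposed hosts), most urgent application first."""
    by_app = {adv["app"]: adv for adv in advisories}
    exposed = defaultdict(set)
    for host, app, version in inventory:
        adv = by_app.get(app)
        # A host is exposed when its installed version predates the fixed release.
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            exposed[app].add(host)

    def urgency(app):
        adv = by_app[app]
        # Rank by criticality, then remote exploitability, then number of exposed hosts.
        return (CRITICALITY[adv["criticality"]], adv["remote"], len(exposed[app]))

    return [(app, by_app[app]["fixed_in"], sorted(exposed[app]))
            for app in sorted(exposed, key=urgency, reverse=True)]

if __name__ == "__main__":
    for app, target, hosts in patch_queue(INVENTORY, ADVISORIES):
        print(f"{app}: upgrade to {target} on {', '.join(hosts)}")
```

Hosts already running the fixed version drop out of the queue, so the output doubles as a check that a patch run actually landed.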
IT security is like backups to most operations people. You don't think much of it if you're none the wiser. But the moment you lose the CEO's email or a worm breaks out on the network, you're going to thank your lucky stars you and your team took the time to plan and implement some kind of automated solution.