10:05 CET on 13 October 2011. Entry written by Stefan Frei.
Welcome to the first in a series of blogs that will provide insights into the security and composition of end-users’ PCs.
The Secunia PSI is a free security scanning tool for private use which catalogues all installed programs and plug-ins to identify and notify the user about insecure programs. The Secunia PSI is an invaluable tool for you to use when assessing the security patch state of software installed on your system. The Secunia PSI has a continuously growing user base, which exceeded 4.25 million installations in September 2011. The Secunia PSI also provides unique information about the number and types of software typically installed on end-user PCs in the field, and the patch level of these users.
So, what can we learn when looking at one year’s worth of PSI data? For this blog post we analysed Secunia PSI scan data from September 2010 to September 2011 in order to provide high level global- and country-specific information and thus gain a useful snapshot of the profiles and behaviour of different end-user segments in relation to their software security. During this time the Secunia PSI user base rose from 1.47 million users to 4.25 million in more than 200 countries.
Users’ Software Portfolios
Based on all Secunia PSI scans completed in the last 12 months, results showed that end-user PCs have on average 71.4 programs from 23.2 different vendors installed: namely 26.0 programs from Microsoft and 45.4 programs from third-party vendors. In other words, 36% of the programs installed on the average end-user PC are from Microsoft and 64% are from third-party vendors. Not only are the individual software portfolios extremely diverse; there are also significant differences in the software portfolios of different countries. Regarding the number of programs and vendors found on the end-points of various countries, end-users in Denmark have the least complex portfolios, whereas Italian end-users have the most complex. As shown in the table below, Danish users have on average 64.4 programs from 20.5 different vendors installed compared to the Italians, who have 77.5 programs from 24.5 vendors. Thus Italians have 13.1 more programs from 4.0 more vendors than the Danes.
Complexity is the worst enemy of security
We have often reported in Secunia white papers and fact sheets that the complexity of keeping an end-point (or enterprise infrastructure) secure has an impact on the security level actually achieved. Thanks to data from the Secunia PSI we can measure this effect, and the results clearly support this notion.
The data of the 12 countries listed in the table clearly shows that the patch level of the Microsoft programs is consistently and considerably higher than the patch level of the third-party programs. This observation holds across all countries. On average, the patch level of Microsoft programs is more than 5% higher than the patch level of third-party programs.
The number of different vendors providing the programs in a software portfolio equals the number of different update mechanisms needed to keep an end-point secure. Thus, to keep an end-point secure the user can patch the operating system and all Microsoft programs (26.0 on average) with one single update mechanism, namely “Microsoft Update”. To patch the remaining third-party programs (45.4 on average) the user is required to master numerous additional (22.2 on average) and quite different update mechanisms.
The highest patch level in the country portfolios is found in Australia with 94.7%; and the lowest, 92.6%, is found in the Czech Republic – a difference of 2.1%. Most of the differences noted are due to the different patch levels in the third-party programs in these countries. In general, the variability of the patch-levels in Microsoft programs is much lower than the variability of the patch levels in the third-party programs. This indicates that the process of patching third-party programs is less mature compared to the process of patching Microsoft programs.
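To make the metrics in the preceding paragraphs concrete, here is an added example (not Secunia's code, and run over constructed PSI-style scan records rather than real PSI data) that computes, per endpoint, the program and vendor counts and the number of update mechanisms implied by the post's rule (one for all Microsoft programs, one per third-party vendor), then the per-country patch level split into Microsoft and third-party programs, and finally how much each of those two patch levels varies across countries.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed PSI-style scan records (not real Secunia data):
# (country, endpoint, vendor, program, is_patched)
SCANS = [
    ("DK", "dk-1", "Microsoft", "Windows 7", True),
    ("DK", "dk-1", "Microsoft", "Office 2010", True),
    ("DK", "dk-1", "Adobe", "Flash Player", False),
    ("DK", "dk-1", "Oracle", "Java 6", True),
    ("DK", "dk-2", "Microsoft", "Windows 7", True),
    ("DK", "dk-2", "Mozilla", "Firefox", True),
    ("DK", "dk-2", "Adobe", "Reader", True),
    ("IT", "it-1", "Microsoft", "Windows XP", True),
    ("IT", "it-1", "Microsoft", "Office 2007", False),
    ("IT", "it-1", "Adobe", "Flash Player", False),
    ("IT", "it-1", "Oracle", "Java 6", False),
    ("IT", "it-2", "Microsoft", "Windows 7", True),
    ("IT", "it-2", "Microsoft", "Office 2010", True),
    ("IT", "it-2", "Adobe", "Reader", True),
    ("IT", "it-2", "Oracle", "Java 6", False),
]

def patch_level(rows):
    # Percentage of the programs in `rows` that are fully patched.
    return 100.0 * sum(1 for r in rows if r[4]) / len(rows)

def endpoint_profile(endpoint):
    # Programs, distinct vendors and update mechanisms for one endpoint. Per the
    # post, all Microsoft programs share one mechanism (Microsoft Update) and
    # every third-party vendor adds one more.
    rows = [r for r in SCANS if r[1] == endpoint]
    vendors = {r[2] for r in rows}
    mechanisms = (1 if "Microsoft" in vendors else 0) + len(vendors - {"Microsoft"})
    return {"programs": len(rows), "vendors": len(vendors), "update_mechanisms": mechanisms}

def country_patch_levels():
    # Per-country patch level, split into Microsoft and third-party programs.
    by_country = defaultdict(list)
    for r in SCANS:
        by_country[r[0]].append(r)
    return {c: {"microsoft": patch_level([r for r in rows if r[2] == "Microsoft"]),
                "third_party": patch_level([r for r in rows if r[2] != "Microsoft"])}
            for c, rows in by_country.items()}

def variability():
    # Population std-dev of each patch level across countries; the post's
    # observation is that the third-party figure is the larger one.
    levels = list(country_patch_levels().values())
    return pstdev([l["microsoft"] for l in levels]), pstdev([l["third_party"] for l in levels])
```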
When reading these numbers from our Secunia PSI population, keep in mind that these users have installed and used a formidable tool to help them identify and patch insecure programs. Thus these numbers represent a best-case scenario. The patch level of the whole country population will be inferior.
This brings us to the end of this first blog. I hope you found the information interesting, particularly in relation to where your country ranks on the end-point security scale. Next time we will look at the origin of vulnerabilities in users’ portfolios.
Stefan Frei, Research Analyst Director