The proliferation of unsupported or unauthorized products is an issue for many organizations and increases the effort required to minimize risk. The challenge is that legacy tools and approaches have not kept pace as the attack surface has evolved. To help address this, Tenable pioneered Cyber Exposure, a new discipline that helps organizations manage and measure their cyber risk across traditional and non-traditional assets.
As applications reach their end-of-life (EOL), vendors stop offering support. As patches and updates are released for new versions of software, unsupported versions will be left out, opening the business up to elevated cyber risk. Essentially zero-day vulnerabilities could be in effect for applications that are no longer supported, leaving security gaps that attackers may exploit. Therefore, security and stability decrease, raising concern as time progresses.
The Center for Internet Security (CIS) [https://www.cisecurity.org/contols] provides a list of top 20 security controls, the CIS Controls. Control 2 identifies risks associated with unauthorized software. Identifying unauthorized software is critical to help secure the environment. Unauthorized software may contain vulnerabilities, be exploitable by malware, and may reduce productivity because there is no vendor support. Potentially copyrighted, counterfeit, or unlicensed materials can put an organization at risk for legal action.
Tenable.io is the first solution in Cyber Exposure that provides the key risk metrics that businesses need to measure risk exposures. Understanding Cyber Exposure will help Security Directors and Risk Managers drive a new level of dialogue with the business. Understanding the cyber risk levels associated with the different business components, enables risk managers to more effectively compare, measure, and address the organization's total cyber risk. As business leaders understand where to invest resources to reduce the risk, they will be able to more effectively drive strategic decisions. When using this report, system administrators will have the information to discover, analyze, and remove unauthorized or unsupported applications.
Executive Summary - The Executive Summary provides an overview of the two chapters of this report. Each chapter is summarized with a chart, which displays details of the unsupported and unauthorized products along with severity information. A table displays unsupported and unauthorized software, along with the count (number of identified products) that were found in the environment.
Unsupported Software - The Unsupported Software chapter provides details on Windows software that is no longer supported by the vendor. Systems running unsupported software are more vulnerable to exploitation.
Unauthorized Software - The Unauthorized Software chapter provides details on Windows software that has been identified by organizational policy to be unauthorized. Systems running unauthorized software may introduce viruses and malware, and may also reduce productivity. Potentially copyrighted, counterfeit, or unlicensed materials can put an organization at risk for legal action.