Skip to main content
Security Posture Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Desktop Software Finding Messages

Ingrid

The Desktop Software Risk Vector is graded by evaluating the software version of desktop devices against the latest supported versions. Both the operating system (OS) and browser are graded independently. If either is unsupported or out of date, it negatively impacts the grade.

Proactive Best Practices for Remediating Desktop Software Findings

  • Identify and update unsupported desktop software to current versions.
  • Implement auto-updates for critical software.
  • Use device management systems and human oversight to ensure patching and software currency.

Risks of not remediating Desktop Software Findings

Modern operating systems and browsers address vulnerabilities and bugs found in older versions. Cybercriminals often exploit these known flaws to deploy malware or steal data. Consequently, using unsupported software is strongly linked to higher infection rates and an increased risk of security breaches.

  • If there are unsupported desktop devices in an organization's network, there is a greater risk of:
    • System failure (vendor devices are not being maintained).
    • Disruption of business continuity.
    • Attackers may be able to use unpatched vulnerabilities to gain system access.
  • Connecting a personal device to corporate network infrastructure adds a potential surface of attack for a threat actor to gain access to company data and sensitive information.

The 28-Day Grace Period

We understand that updating systems takes time. There is a 28-day grace period to allow for validating and updating software packages.

  • During this 28-day window, findings are issued a FAIR grade and do not negatively impact your rating.
  • If the software remains unpatched after the grace period ends, but it is still less than 365 days after the software's end-of-support date, the finding will drop to a WARN grade.
  • Older unsupported software eventually drops to a BAD grade.

Common Findings & How to Remediate Them

Support Status Indicators Key:

  • ❗Undetermined: Either there’s no version available, the finding cannot be identified, or both the OS and browser are unknown. The finding is evaluated as NEUTRAL.
  • ❓Unknown: When either the OS or browser has been evaluated and the other is unknown. The finding is graded as the available grade.

Depending on the combination of your OS and browser, you will see different finding messages. Here is how to resolve the most common scenarios:

1. Supported Operating Systems

  • Supported OS + Supported Browser: Both the OS and browser are fully supported.
    • Grade: GOOD
    • Remediation: N/A.
  • Supported OS + Unknown Browser: The OS is supported, but the browser could not be recognized.
    • Grade: Evaluated based on OS status.
    • Remediation: If obfuscation is unintentional, ensure users use approved applications to allow for proper analysis.
  • Supported OS + Unsupported Browser: The OS is supported, but the browser version is out of date.
    • Grade: FAIR, WARN, or BAD (based on the browser's support age).
    • Remediation: Ensure the latest version of the browser for that operating system is installed.

2. Unsupported Operating Systems

  • Unsupported OS + Supported Browser: The OS is not supported, even if the browser is the latest version available for that OS.
    • Grade: FAIR, WARN, or BAD (based on the OS support age).
    • Remediation: Ensure the latest version of the operating system is installed, then update to the latest supported browser.
  • Unsupported OS + Unsupported Browser: Neither the operating system nor the browser is supported.
    • Grade: FAIR, WARN, or BAD (based on the lowest grade of either component).
    • Remediation: Upgrade to a supported operating system immediately, then install a supported browser.
  • Unsupported OS + Unknown Browser: The OS is unsupported and the browser status is unknown.
    • Grade: FAIR, WARN, or BAD (based on the OS status).
    • Remediation: Upgrade the operating system to a supported version.

3. Unknown or Undetermined Systems

  • Undetermined OS + Undetermined Browser: Versions for both the OS and browser could not be determined.
    • Grade: NEUTRAL
    • Remediation: If obfuscation is intentional, ensure an update strategy is in place for all systems.
  • Unknown OS + Unknown Browser: Details for both the OS and browser were not recognized.
    • Grade: NEUTRAL
    • Remediation: Verify that systems are reporting version data correctly to allow for security analysis.
  • Unknown OS + Supported Browser: The OS is unknown (no penalty), and the browser is supported.
    • Grade: GOOD

Remediation: Ensure an operating system update strategy is in place.

  • October 11, 2023: FAIR finding behavior allows 28 days for validating and updating software.
  • September 12, 2023: Separated Mobile Software to its own page.
  • July 18, 2023: Published.

Related to

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.