- November 27, 2023: Clarification on low or no findings.
- November 10, 2023: Linked to finding messages.
- August 16, 2023: New Grading & Finding Behavior sections.
The Desktop Software risk vector looks at a desktop device’s software version and compares it with the latest and currently available software versions to determine if the device software is supported or out-of-date.
Desktop devices are laptops, servers, and other non-tablet, non-phone computers in a company's network that access the Internet. The outgoing communications from desktop devices include metadata about the device's operating system and browser version (endpoint data).
Newer versions of operating systems and web browsers typically fix stability issues, bugs, and vulnerabilities that existed in older versions. Bad actors frequently exploit known bugs in older software versions to steal information or run malicious software. The use of unsupported operating systems and browsers is correlated with the presence of a high number of malware infections and an increased likelihood of breach.
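The comparison described above can be illustrated with a small check over the endpoint metadata a desktop device sends outbound, namely the User-Agent header. The following is an added example, not Bitsight's code or data: the "latest available" major versions in LATEST_MAJOR and the sample User-Agent strings are constructed for illustration, and a real check would take the reference versions from the vendors' release information.

```python
import re
from collections import Counter

# Constructed reference table (assumption for this example): the newest major
# version treated as "currently available" for each product. Not Bitsight's
# support data; a production check would refresh these from vendor releases.
LATEST_MAJOR = {
    "Windows": 10,   # "Windows NT 10.0" covers Windows 10/11; NT 6.x is 7/8/8.1
    "Chrome": 119,
    "Firefox": 120,
}

# Constructed sample of outbound User-Agent strings as seen from a network.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
]

# The OS token and the browser token that a User-Agent header exposes.
_OS_RE = re.compile(r"Windows NT (\d+)\.(\d+)")
_BROWSER_RE = re.compile(r"(Chrome|Firefox)/(\d+)\.")


def parse_user_agent(ua: str) -> dict:
    """Extract the OS and browser family plus version from a UA string.

    Only Windows and the two browsers in LATEST_MAJOR are recognised here;
    anything else yields no entry, which the caller reports as unknown
    rather than guessing.
    """
    info = {}
    m = _OS_RE.search(ua)
    if m:
        info["os"] = ("Windows", int(m.group(1)), int(m.group(2)))
    m = _BROWSER_RE.search(ua)
    if m:
        # Chrome reduces its UA to "119.0.0.0", so only the major is meaningful.
        info["browser"] = (m.group(1), int(m.group(2)))
    return info


def classify(product: str, major: int) -> str:
    """Compare an observed major version with the latest available one."""
    latest = LATEST_MAJOR.get(product)
    if latest is None:
        return "unknown"
    return "supported" if major >= latest else "out-of-date"


def assess(user_agents: list) -> list:
    """Produce one finding per recognised OS or browser observation."""
    findings = []
    for ua in user_agents:
        parsed = parse_user_agent(ua)
        if "os" in parsed:
            name, major, _minor = parsed["os"]
            findings.append({"component": "os", "product": name,
                             "major": major, "status": classify(name, major)})
        if "browser" in parsed:
            name, major = parsed["browser"]
            findings.append({"component": "browser", "product": name,
                             "major": major, "status": classify(name, major)})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by status, the figure a grading step would consume."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    for f in assess(SAMPLE_USER_AGENTS):
        print(f)
    print(summarize(assess(SAMPLE_USER_AGENTS)))
```

Two caveats apply when running a check like this over real traffic: modern browsers freeze or reduce the version detail they report (macOS builds report "10_15_7" regardless of the installed release, Chrome zeroes its minor version), so the reported OS version is a lower bound rather than an exact inventory; and Chromium-based browsers such as Edge also carry a "Chrome/" token, so a production parser needs to look for the more specific product token before falling back to the generic one.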
- If there are unsupported desktop devices in an organization's network, there is a greater risk of:
  - System failure (vendor devices are not being maintained).
  - Disruption of business continuity.
  - Attackers using unpatched vulnerabilities to gain system access.
- Connecting a personal device to a corporate network infrastructure adds a potential attack surface for a threat actor to gain access to company data and sensitive information.
See how the Desktop Software risk vector is graded in more detail.
Number of Findings: Low or None
Due to user usage patterns, this risk vector can have some volatility in the number of findings. To ensure fairness in grading, there is a 65-day buffer that limits changes to the letter grade caused by this volatility.
Finding visibility is considered low if:
This N/A grade has no negative impact on the rating.
(Out of 70.5% in Diligence)
- Search and identify unsupported desktop software, and then update the software to the latest version.
- Set up auto-update methods for critical desktop software.
- Insufficient information prevents Bitsight from identifying unsupported software. The use of software device management systems is recommended, along with integrating human processes that ensure systems in the organization are patched and the software is up-to-date.
Automated: Not applicable.
User-Requested: User-requested refresh not available.