Good news and bad as the enterprise threat landscape evolves
Technology giant HP has released its Cyber Risk Report 2013, which highlights the top enterprise vulnerabilities.
The report also offers an analysis of the current threat landscape, pointing to increased reliance on mobile devices, the spread of insecure software and the growing use of Java as factors that are expanding the enterprise "attack surface".
On a positive note, the total number of disclosed vulnerabilities is down six percent compared with the previous 12 months, and the number of high-severity vulnerabilities is down for the fourth consecutive year.
It's not all good news, though. Other key findings include the fact that 80 percent of applications reviewed contain vulnerabilities that originate outside their source code, in how they are deployed and configured, and 74 percent of applications requested unnecessary permissions. This shows that even well-written applications can be vulnerable if wrongly configured.
Of the mobile applications studied, 56 percent use encryption improperly. The research shows that mobile developers often fail to encrypt sensitive data at rest at all, rely on weak algorithms when they do, or misuse stronger encryption primitives (for example through poor key handling or mode selection), rendering them ineffective.
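The three misuse patterns described above (no encryption of stored secrets, weak algorithms, and misuse of strong primitives) are easy to spot mechanically in Java/Android source. The following is an added example, not code from the HP report or from any surveyed app: a small stdlib-only Python linter with heuristic regex rules, run over two constructed Java snippets, one exhibiting the misuses and one hardened equivalent. The rule set, the snippets and the flagged key names are assumptions chosen for illustration; the note that a bare `"AES"` transformation string defaults to ECB mode reflects the behaviour of the standard JCE providers.

```python
import re
from typing import List, Tuple

# Heuristic rules: (rule id, regex, explanation). These are illustrative
# assumptions for this example, not an exhaustive or authoritative list.
RULES: List[Tuple[str, str, str]] = [
    ("weak-algorithm",
     r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|Blowfish)[^"]*"',
     "deprecated or weak cipher"),
    ("weak-hash",
     r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"',
     "MD5/SHA-1 used where collision resistance matters"),
    ("ecb-mode",
     r'Cipher\.getInstance\(\s*"AES(?:/ECB/[^"]*)?"\s*\)',
     'AES in ECB mode (a bare "AES" transformation defaults to ECB in the standard JCE providers)'),
    ("static-iv",
     r'new\s+IvParameterSpec\(\s*new\s+byte\[\s*\d+\s*\]\s*\)',
     "all-zero, reused IV"),
    ("hardcoded-key",
     r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes\(',
     "key embedded as a string literal in the binary"),
    ("plaintext-storage",
     r'(?i)\.putString\(\s*"[^"]*(?:password|token|secret)[^"]*"',
     "sensitive-looking value written to SharedPreferences without encryption"),
]


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule id, explanation) for each flagged line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, why in RULES:
            if re.search(pattern, line):
                findings.append((lineno, rule_id, why))
    return findings


# Constructed Java snippet showing the misuses (not from any real app).
VULNERABLE_JAVA = """\
SecretKeySpec key = new SecretKeySpec("hunter2hunter2hu".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES");
Cipher legacy = Cipher.getInstance("DES/CBC/PKCS5Padding");
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
MessageDigest md = MessageDigest.getInstance("MD5");
prefs.edit().putString("auth_token", token).apply();
"""

# Constructed hardened equivalent: key held in the platform keystore,
# AES-GCM with a fresh random nonce, SHA-256, and only ciphertext persisted.
HARDENED_JAVA = """\
SecretKey key = (SecretKey) keyStore.getKey("app-key", null);
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
byte[] nonce = new byte[12];
new SecureRandom().nextBytes(nonce);
c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
MessageDigest md = MessageDigest.getInstance("SHA-256");
prefs.edit().putString("session_blob", Base64.encodeToString(c.doFinal(token), Base64.NO_WRAP)).apply();
"""


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_JAVA), ("hardened", HARDENED_JAVA)):
        print(f"== {label} ==")
        for lineno, rule_id, why in scan_source(src):
            print(f"line {lineno}: {rule_id}: {why}")
```

Regex rules like these produce false positives (the storage rule keys on the preference name, and a `"pin"`-style key name would be missed) and say nothing about whether the key in the keystore is itself protected; they are a triage pass, not a substitute for reviewing how keys are derived, stored and rotated.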
It also finds that inconsistent malware definitions complicate risk analysis. HP examined more than half a million Android apps and found major discrepancies in how antivirus engines and platform vendors classified the same samples as malware.
Sandbox bypass vulnerabilities were the most common type affecting Java users. Attackers have stepped up their Java attacks by chaining multiple known and zero-day vulnerabilities in combined attacks to compromise specific targets.
HP’s Zero Day Initiative, which rewards researchers for responsibly disclosing vulnerabilities, received more vulnerability reports for Internet Explorer than for any other software. However, the report notes that this reflects market forces focusing researchers on Microsoft products rather than the overall security of Internet Explorer.
"Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface," says Jacob West, chief technology officer, Enterprise Security Products at HP. "The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace".
The report recommends that businesses stay in touch with the latest security risks, particularly for mobile devices, and put robust security procedures in place to protect data and privacy. This includes eliminating opportunities for unintentionally revealing information that may be useful to attackers.
While it's impossible to eliminate all attacks without sacrificing functionality, HP says that a combination of the right people, processes and technology allows organizations to effectively minimize vulnerabilities and substantially reduce overall risk. Collaboration and sharing of intelligence across the security industry also helps to strengthen protection.
The full report and recommendations are available to download from the HP website.