Discover Performance, HP Software's community for IT leaders // April 2013
Hackers target mobile platforms and older avenues
HP 2012 Cyber Risk Report: Critical vulnerabilities dipped slightly, but attackers still exploit well-trod vectors, as well as new ones.
The enterprise threat landscape changes rapidly. To create a sustainable defense strategy, organizations must track new trends and make sure they’ve internalized best practices on their older technologies. Above all, they must have the knowledge and organizational agility to adapt effectively.
With the HP 2012 Cyber Risk Report, HP Enterprise Security aims to provide that comprehensive knowledge, including an assessment of leading attack vectors, vulnerabilities, and strategic lapses within today’s enterprises. Here are some key findings from the new report:
Critical vulnerabilities declined slightly, but are still a significant source of risk
High-severity vulnerabilities made up 23 percent of the total vulnerabilities reported in 2011. In 2012, this number dropped slightly, to 20 percent. While this reduction is significant, the data shows that nearly one in five vulnerabilities can still allow attackers to gain total control of the target.
Old technologies can still be vulnerable
The Department of Homeland Security’s recent recommendation that everyone disable the Oracle Java SE platform shows that seemingly mature technologies still suffer from new exploits. In particular, 2012 data shows the number of vulnerabilities disclosed in Supervisory Control and Data Acquisition (SCADA) systems rose from 22 in 2008 to 191 in 2012 (a 768 percent increase). It’s a good reminder that placing a web front end on devices not originally intended to be web-connected can introduce security vulnerabilities in a range of industries unprepared to deal with the impact.
In addition, the first known cross-frame scripting (XFS) vulnerability was discovered more than 10 years ago, yet less than 1 percent of 100,000 tested URLs were using the best-known mitigation: the X-Frame-Options header. Cross-frame scripting is often a key component of phishing attacks.
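As an added example (not code from the report or from HP), here is a small Python header classifier of the kind a survey such as the one above relies on. It goes slightly beyond the 2012 check by also recognising the later Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options in current browsers. The sample headers and hostnames are constructed.

```python
# Added example, not from the HP report. Hostnames below are placeholders.

def framing_protection(headers):
    """Classify a response's clickjacking / cross-frame-scripting protection.
    headers: list of (name, value) pairs; names are case-insensitive (RFC 7230).
    Returns "csp", "deny", "sameorigin", "allow-from", "invalid" or "missing"."""
    xfo = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    # A CSP frame-ancestors directive supersedes X-Frame-Options in browsers
    # that understand it, so it is the strongest signal and is checked first.
    for policy in csp:
        for directive in policy.split(";"):
            if directive.strip().lower().startswith("frame-ancestors"):
                return "csp"
    if not xfo:
        return "missing"
    if len({v.upper() for v in xfo}) > 1:
        # Two X-Frame-Options headers with different values; browsers have
        # handled this inconsistently, so flag it for a configuration fix.
        return "invalid"
    value = xfo[0].upper()
    if value in ("DENY", "SAMEORIGIN"):
        return value.lower()
    if value.startswith("ALLOW-FROM "):
        # Defined in RFC 7034 but never supported by Chrome or Safari and
        # since dropped by Firefox, so not counted as effective mitigation.
        return "allow-from"
    return "invalid"  # e.g. "ALLOWALL", "DENY, SAMEORIGIN", typos, empty value

def survey(responses):
    """responses: mapping url -> header list. Returns (counts, mitigated_fraction)."""
    counts = {}
    for hdrs in responses.values():
        status = framing_protection(hdrs)
        counts[status] = counts.get(status, 0) + 1
    effective = sum(counts.get(k, 0) for k in ("csp", "deny", "sameorigin"))
    return counts, (effective / len(responses) if responses else 0.0)

# Constructed sample responses standing in for a crawl's captured headers.
SAMPLE = {
    "https://a.example/": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "https://b.example/": [("Content-Type", "text/html")],
    "https://c.example/": [("content-type", "text/html"), ("x-frame-options", "deny")],
    "https://d.example/": [("X-Frame-Options", "ALLOWALL")],
    "https://e.example/": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "https://f.example/": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}
```

Running `survey(SAMPLE)` on the constructed set reports three of six responses as effectively mitigated; the "invalid" and "allow-from" buckets are the ones worth following up, since the site owner believed protection was in place.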
Mobile vulnerabilities are rapidly increasing
It’s not only old technologies that are introducing new vulnerabilities. The explosion in mobile device use has prompted a corresponding rise in mobile application vulnerabilities. Over the last five years, there has been a 787 percent increase in the rate of mobile application vulnerability disclosure. New mobile technologies, such as near field communication, are also sources of potential security issues.
Testing of mobile applications also revealed that the same types of mistakes web developers have been making for years are now appearing in mobile applications. More than 77 percent of the tested applications were vulnerable to information leakage. It’s often a seemingly innocuous piece of information that lets an attacker escalate to more damaging attacks. Just under half (48 percent) were susceptible to unauthorized-access vulnerabilities, which an attacker can manipulate to perform actions for which he is not authorized (privilege escalation, etc.).
Web applications remain a popular attack vector
A high percentage of web applications remain vulnerable to a variety of attack types. Of the six vulnerability types most frequently submitted from 2000 through 2012, four—SQL injection, cross-site scripting, cross-site request forgery, and remote file includes—primarily or exclusively occur via the web.
Cross-site scripting remains a key application threat
Multiple data sets confirm that cross-site scripting remains a widespread and prevalent issue. In a random sample of 200 applications, 44.5 percent were vulnerable to cross-site scripting. Testing of a targeted multinational corporation showed that 48 percent of its sites were vulnerable to some form of cross-site scripting. Furthermore, the research shows that new methods of leveraging this vulnerability continue to emerge. The top Zero Day Initiative vulnerability type of 2012 was cross-site scripting.
Although mobile platforms continue to be a leading growth area for vulnerabilities, mature technologies, and particularly web applications, are still significant sources of vulnerability. The full report provides a broad view of the enterprise security landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.