Discover Performance

HP Software's community for IT leaders // March 2013

Hackers target mobile platforms and older avenues

HP 2012 Cyber Risk Report: Critical vulnerabilities dipped slightly, but attackers still exploit well-trod vectors, as well as new ones.

The enterprise threat landscape changes rapidly. To create a sustainable defense strategy, organizations must track new trends and make sure they’ve internalized best practices on their older technologies. Above all, they must have the knowledge and organizational agility to adapt effectively.

With the HP 2012 Cyber Risk Report, HP Enterprise Security aims to provide that comprehensive knowledge, including an assessment of leading attack vectors, vulnerabilities, and strategic lapses within today’s enterprises. Here are some key findings from the new report:

Critical vulnerabilities declined slightly, but are still a significant source of risk

High-severity vulnerabilities made up 23 percent of the total vulnerabilities reported in 2011. In 2012, this number dropped slightly, to 20 percent. While this reduction is significant, the data shows that nearly one in five vulnerabilities can still allow attackers to gain total control of the target.

Old technologies can still be vulnerable

The Department of Homeland Security’s recent recommendation that everyone disable the Oracle Java SE platform shows that seemingly mature technologies still suffer from new exploits. In particular, 2012 data shows the number of vulnerabilities disclosed in Supervisory Control And Data Acquisition (SCADA) systems rose from 22 in 2008 to 191 in 2012 (a 768 percent increase). It’s a good reminder that placing a web front end on devices not originally intended to be web-connected can introduce security vulnerabilities in a range of industries unprepared to deal with the impact.

In addition, the first known cross-frame scripting (XFS) vulnerability was discovered more than 10 years ago, yet less than 1 percent of 100,000 tested URLs were using the best-known mitigation: the X-Frame-Options header. Cross-frame scripting is often a key component of phishing attacks.
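The header check described above, as an added example that is not part of the report: a small Python helper that classifies a response's headers by framing protection (the check a scanner would run over the tested URLs), plus a WSGI middleware that adds the missing header. It also treats a Content-Security-Policy frame-ancestors directive, the standard successor to X-Frame-Options that the report does not mention, as protection; the header names are real, the sample headers in the comments are constructed.

```python
"""Check HTTP response headers for framing (cross-frame scripting) protection."""
from typing import Dict, Optional

# Values the X-Frame-Options header may legitimately carry.
XFO_VALID = {"DENY", "SAMEORIGIN"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_frame_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'protected', 'weak' or 'unprotected' against framing.

    protected   : X-Frame-Options is DENY/SAMEORIGIN, or CSP sets frame-ancestors
    weak        : a header exists but is malformed or ALLOW-FROM (widely unsupported)
    unprotected : no framing restriction at all, e.g. {"Content-Type": "text/html"}
    """
    csp = _header(headers, "Content-Security-Policy") or ""
    directives = [d.strip().lower() for d in csp.split(";")]
    if any(d.startswith("frame-ancestors ") for d in directives):
        return "protected"  # CSP frame-ancestors supersedes X-Frame-Options
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected"
    if xfo.strip().upper() in XFO_VALID:
        return "protected"
    return "weak"


class FrameOptionsMiddleware:
    """WSGI middleware that adds X-Frame-Options when the app set no framing policy."""

    def __init__(self, app, value: str = "DENY"):
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def patched_start(status, response_headers, exc_info=None):
            # Only add the header if the application did not set its own policy.
            if evaluate_frame_protection(dict(response_headers)) == "unprotected":
                response_headers.append(("X-Frame-Options", self.value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, patched_start)
```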

Mobile vulnerabilities are rapidly increasing

It’s not only old technologies that are introducing new vulnerabilities. The explosion in mobile device use has prompted a corresponding rise in mobile application vulnerabilities. Over the last five years, there has been a 787 percent increase in the rate of mobile application vulnerability disclosure. New mobile technologies, such as near field communication, are also sources of potential security issues.

Testing of mobile applications also revealed that the same types of mistakes web developers have been making for years are now appearing in mobile applications. More than 77 percent of the tested applications were vulnerable to information leakage. It’s often a seemingly innocuous piece of information that lets an attacker escalate to more damaging attacks. Just under half (48 percent) were susceptible to unauthorized-access vulnerabilities, which an attacker can manipulate to perform actions for which he is not authorized (privilege escalation, etc.).

Web applications remain a popular attack vector

A high percentage of web applications remain vulnerable to a variety of attack types. Of the six vulnerability types most frequently submitted from 2000 through 2012, four—SQL injection, cross-site scripting, cross-site request forgery, and remote file includes—primarily or exclusively occur via the web.

Cross-site scripting remains a key application threat

Multiple data sets confirm that cross-site scripting remains a widespread and prevalent issue. In a random sample of 200 applications, 44.5 percent were vulnerable to cross-site scripting. Testing of a targeted multinational corporation showed that 48 percent of its sites were vulnerable to some form of cross-site scripting. Furthermore, the research shows that new methods of leveraging this vulnerability continue to emerge. The top Zero Day Initiative vulnerability type of 2012 was cross-site scripting.

Although mobile platforms continue to be a leading growth area for vulnerabilities, mature technologies, and particularly web applications, are still significant sources of vulnerability. The full report provides a broad view of the enterprise security landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.

For more, read the HP 2012 Cyber Risk Report and visit HP Security Research.
