Discover Performance

April 2013

Hackers target mobile platforms and older avenues

HP 2012 Cyber Risk Report: Critical vulnerabilities dipped slightly, but attackers still exploit well-trod vectors, as well as new ones.

The enterprise threat landscape changes rapidly. To create a sustainable defense strategy, organizations must track new trends and make sure they’ve internalized best practices on their older technologies. Above all, they must have the knowledge and organizational agility to adapt effectively.

With the HP 2012 Cyber Risk Report, HP Enterprise Security aims to provide that comprehensive knowledge, including an assessment of leading attack vectors, vulnerabilities, and strategic lapses within today’s enterprises. Here are some key findings from the new report:

Critical vulnerabilities declined slightly, but are still a significant source of risk

High-severity vulnerabilities made up 23 percent of the total vulnerabilities reported in 2011. In 2012, this number dropped slightly, to 20 percent. While this reduction is significant, the data shows that nearly one in five vulnerabilities can still allow attackers to gain total control of the target.

Old technologies can still be vulnerable

The Department of Homeland Security’s recent recommendation that everyone disable the Oracle Java SE platform shows that seemingly mature technologies still suffer from new exploits. In particular, 2012 data shows the number of vulnerabilities disclosed in Supervisory Control And Data Acquisition (SCADA) systems rose from 22 in 2008 to 191 in 2012 (a 768 percent increase). It’s a good reminder that placing a web front end on devices not originally intended to be web-connected can introduce security vulnerabilities in a range of industries unprepared to deal with the impact.

In addition, the first known cross-frame scripting (XFS) vulnerability was discovered more than 10 years ago, yet less than 1 percent of 100,000 tested URLs were using the best-known mitigation: the X-Frame-Options header. Cross-frame scripting is often a key component of phishing attacks.

Mobile vulnerabilities are rapidly increasing

It’s not only old technologies that are introducing new vulnerabilities. The explosion in mobile device use has prompted a corresponding rise in mobile application vulnerabilities. Over the last five years, there has been a 787 percent increase in the rate of mobile application vulnerability disclosure. New mobile technologies, such as near field communication, are also sources of potential security issues.

Testing of mobile applications also revealed the same types of mistakes that web developers have been making for years are now being seen in mobile applications. More than 77 percent of the tested applications were vulnerable to information leakage. It’s often a seemingly innocuous piece of information that can let an attacker escalate his methodology to conduct more damaging attacks. Just under half (48 percent) were susceptible to unauthorized-access vulnerabilities, which can be manipulated by an attacker to perform actions for which he is not authorized (privilege escalation, etc.).

Web applications remain a popular attack vector

A high percentage of web applications remain vulnerable to a variety of attack types. Of the six vulnerability types most frequently submitted from 2000 through 2012, four—SQL injection, cross-site scripting, cross-site request forgery, and remote file includes—primarily or exclusively occur via the web.

Cross-site scripting remains a key application threat

Multiple data sets confirm that cross-site scripting remains a widespread and prevalent issue. In a random sample of 200 applications, 44.5 percent were vulnerable to cross-site scripting. Testing of a targeted multinational corporation showed that 48 percent of its sites were vulnerable to some form of cross-site scripting. Furthermore, the research shows that new methods of leveraging this vulnerability continue to emerge. The top Zero Day Initiative vulnerability type of 2012 was cross-site scripting.

Although mobile platforms continue to be a leading growth area for vulnerabilities, mature technologies, and particularly web applications, are still significant sources of vulnerability. The full report provides a broad view of the enterprise security landscape, ranging from industry-wide data down to a focused look at different technologies, including web and mobile.

For more, read the HP 2012 Cyber Risk Report and visit HP Security Research.

back

Take the conversation further

Connect with your peers in our IT Strategy & Performance group on LinkedIn

Delivered to your inbox

Mobility 20/20

The Enterprise 20/20 crowd-sourced ebook turns to the transformational impact of mobility on the road to 2020.

Software technical network updates

Do you work in the IT trenches? Get articles, demos, discussions, and downloads for and by software practitioners.

Events

Conferences

Discover Las Vegas 2013

Register for HP’s premier event for inspiration from industry leaders, the HP inside scoop, and a deep dive into tomorrow’s enterprise IT trends. More

Webinars

Does IT matter when you’ve got cloud and SaaS?

In our second gloves-off CIO-CFO webcast, a CIO and CFO weigh in on how IT leaders can adapt to a SaaS era. (On demand) More

Your VP just resigned, what did he take with him?

See how proactively monitoring user activity can detect potential threats from employees before the damage occurs. More

Addressing the insider threat with security intelligence

Learn how your team’s ability to detect anomalies in the behavior of high-risk, high-profile, or high-privilege users will help to reduce insider threat and espionage risk. More

See all webinars

Tweets @ HPSecurity

Most read articles

Discover Performance

ebook download

Value streams: A user-centric model for the enterprise CIO

This free, original ebook—based on discussions with a group of HP’s Fortune 500 customers—strips out today’s jargon and buzzwords to help you reframe how IT can deliver value consistently in this new user-driven era, no matter how the technology evolves.

* Please fill in all required fields to start the eBook download.

Personal data

First name:*

Last name:*

E-mail address:*

Company:

Industry:

Open Form Selection -- Please choose --

Country:*

Open Form Selection -- Please choose --

Afghanistan
Africa
Åland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
AsiaPacific
Australia
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belgium
Belize
Benin
Bermuda
Bhutan
Bolivia
Bosnia and Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Canada
Cape Verde
Caribbean
Cayman Islands
Central African Republic
Central America
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Congo
Congo, The Democratic Republic of the
Cook Islands
Costa Rica
Côte d'Ivoire
Croatia
Cyprus
Czech Republic
Denmark
Djibouti
Dominica
Dominican Republic
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guinea
Guinea-Bissau
Guyana
Haiti
Heard Island and McDonald Islands
Holy See (Vatican City State)
Honduras
Hong Kong
Hungary
Iceland
India
Indonesia
Iraq
Ireland
Israel
Italy
Jamaica
Japan
Jordan
Kazakhstan
Kenya
Kiribati
Korea
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Libyan Arab Jamahiriya
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia, The Former Yugoslav Republic of
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States of
Middle East
Moldova, Republic of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Namibia
Nauru
Nepal
Netherlands
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Norway
Oman
Pakistan
Palau
Palestinian Territory
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russia
Rwanda
Saint Helena
Saint Kitts and Nevis
Saint Lucia
Saint Pierre and Miquelon
Saint Vincent and the Grenadines
Samoa
San Marino
Sao Tome and Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Singapore
Slovakia
Slovenia
Solomon Islands
Somalia
South Africa
South Georgia and the South Sandwich Islands
Spain
Sri Lanka
Suriname
Svalbard and Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania, United Republic of
Thailand
Timor-Leste
Togo
Tokelau
Tonga
Trinidad and Tobago
Tunisia
Turkey
Turkmenistan
Turks and Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United Kingdom
United States
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis and Futuna Islands
Western Sahara
Yemen
Zambia
Zimbabwe

Job title:*

Open Form Selection -- Please choose --

Number of employees:

Open Form Selection -- Please choose --

Go to download page

Value streams: A user-centric model for the enterprise CIO sets aside current trends and jargon to focus on how IT delivers value and makes the business better.

Download eBook (PDF-file, 300dpi, 3.7MB)

Leadership: CIO challenges for 2013 and beyond collects some of the best forward-looking articles, interviews and blog posts from Discover Performance.

Download eBook (PDF-file, 300dpi, 9.5MB)

Connect with HP

Online Communities

Discover Performance

April 2013

Hackers target mobile platforms and older avenues

Critical vulnerabilities declined slightly, but are still a significant source of risk

Old technologies can still be vulnerable

Mobile vulnerabilities are rapidly increasing

Web applications remain a popular attack vector

Cross-site scripting remains a key application threat

Most read articles

Popular tags

ebook download

Personal data