As the global economy continues its recovery, enterprises have continued to find inexpensive access to capital; unfortunately, network attackers did as well, some of whom launched remarkably determined and formidable attacks over the course of the year.
In that context, the 2015 edition of HP’s annual security research Cyber Risk Report details a threat landscape that is still heavily populated by old problems and known issues, even as the pace of the security world quickens.
The Cyber Risk Report 2015, drawn from innovative work by HP Security Research (HPSR), covers multiple focus areas. It examines both the nature of currently prevalent vulnerabilities that leave organizations open to risk, and how adversaries take advantage of those vulnerabilities.
Some of the key findings in the 2015 report are:
Well-known attacks are still commonplace:
Attackers continue to leverage well-known techniques to successfully compromise systems and networks. Many vulnerabilities exploited in 2014 took advantage of code written many years back; some are even decades old. Adversaries continue to leverage these classic avenues for attack.
Newer technologies introduce new avenues of attack:
As new technologies are introduced into the computing ecosystem, they bring with them new attack surfaces and security challenges. 2014 saw a rise in already prevalent mobile-malware levels. Even though the first malware for mobile devices was discovered a decade ago, 2014 was the year in which mobile malware stopped being considered just a novelty. Connecting existing technologies to the Internet also brings a new set of exposures. Point-of-sale (PoS) systems were a primary target of multiple pieces of malware in 2014. As physical devices become connected through the Internet of Things (IoT)—a paradigm that brings ubiquitous computing and its security implications closer to the average person—the diverse nature of these technologies gave rise to concerns regarding security and privacy. To help protect against new avenues of attack, enterprises should understand and know how to mitigate the risk being introduced to a network prior to the adoption of new technologies.
Secure coding continues to pose challenges:
The primary causes of commonly exploited software vulnerabilities are consistently defects, bugs, and logic flaws. Cyber security research professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. Much has been written to guide software developers on how to integrate best secure-coding practices into their daily development work. Despite all of this knowledge, HP continues to see old and new vulnerabilities in software. These are, in turn, swiftly exploited by attackers. It may be challenging, but it is long past time for software development to be synonymous with secure software development. While it may never be possible to eliminate all code defects, a properly implemented secure development process can lessen the impact and frequency of such bugs.
Complementary protection technologies fill out coverage:
Studies show that antimalware software catches only about half of all cyberattacks—a truly abysmal rate. In its review of the 2014 threat landscape, HP found that the enterprises most successful in securing their environments employ complementary protection technologies. These technologies work best when paired with a mentality that assumes a breach will occur, instead of one that only aims to prevent intrusions and compromise. By using all tools available and not relying on a single product or service, defenders place themselves in a better position to prevent, detect, and recover from attacks.
In return, software vendors continue to make it more difficult for attackers with the implementation of security mitigations. However, these mitigations are not enough when they are built on inherently vulnerable legacy code.
On multiple occasions in 2014, high-profile vulnerabilities were discovered that left enterprises scrambling to deploy patches and clean up compromised machines. The Heartbleed vulnerability highlighted how unprepared we were for this type of event. Due to the severity and active exploitation of the vulnerability, corporations were forced to respond quickly, and to patch servers that were not routinely patched. The issue existed in an application library that did not have a clear update path, further complicating efforts; enterprises did not have a solid understanding of which applications were using this library and where it was located inside their networks.
2014 was also a significant year for mobile malware, not least because it finally entered the general consciousness as a genuine threat. While the majority of Android malware discovered in 2014 was found outside of the Google Play market, there have been instances when malware was placed there by maliciously created developer accounts.
In conclusion, as more and more people and devices are connected to the Internet, greater focus must be placed on security and privacy. The past year saw the manifestation of several vulnerabilities that gathered a storm of media attention. With increased collaboration and a thorough understanding of the imminent threats, specialists can continue to increase both the physical and intellectual costs an attacker must accept to successfully exploit a system.