Yes, there is more awareness of security and the inevitability of an attack, but enterprises still remain vulnerable to all manner of cyber assaults, a new report said.
Configuration issues and widespread use of antiquated technologies are among the main threats to large organizations, said Hewlett-Packard in the latest installment of its annual Cyber Risk Report.
“Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface,” said Jacob West the CTO of Enterprise Security Products at HP. “The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace.”
HP saw the number of published exploits fall six percent in 2013 compared with the prior 12 months, while vulnerabilities labeled “high-severity” decreased nine percent for the fourth consecutive year.
The decline may be an indication as to a surge in vulnerabilities not publicly disclosed, but instead delivered to the black market for private and/or nefarious consumption.
In addition, nearly 80 percent of applications reviewed contained vulnerabilities rooted outside their source code. Even expertly coded software can be dangerously vulnerable if misconfigured, according to the report.
Also, there are inconsistent and varying definitions of “malware” complicate risk analysis. In an examination of more than 500,000 mobile applications for Android, HP found discrepancies between how antivirus engines and mobile platform vendors classify malware.
The company found 46 percent of Android and iOS apps either don’t encrypt sensitive information stored locally, rely on weak algorithms to do so, or fail to properly implement data protection.
On the browser front, HP reported Internet Explorer accounted for more than 50 percent of vulnerabilities discovered as part of its Zero Day Initiative. Also, sandbox bypass vulnerabilities were the most prevalent and damaging for Java users, especially when hackers used multiple known vulnerabilities in combined attacks.
The company recommends organizations keep close track of the threat landscape, particularly vulnerabilities in hybrid mobile development platforms, and strive for a “combination of the right people, processes and technology” to mitigate security risks.