Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

44 percent of known breaches came from past vulnerabilities: HP

Zafirah Salim | March 31, 2015
Top ten vulnerabilities exploited in 2014 took advantage of known weaknesses in systems implemented years or even decades ago.

The threat landscape today is still heavily populated by old problems and known issues, even as the pace of the security world quickens, according to a 2015 HP Cyber Risk Report. In fact, almost half (44 percent) of known breaches were reported to come from vulnerabilities that are two to four years old.

According to the report, attackers continue to leverage well-known techniques to successfully compromise systems and networks. In fact, every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.

In addition, server misconfigurations were found to be the number one vulnerability. Over and above, vulnerabilities such as privacy and cookie security issues, server misconfigurations dominated the list of security concerns in 2014, providing adversaries unnecessary access to files that leave an organisation susceptible to an attack.

Additional avenues of attack were introduced via connected devices. Besides security issues presented via Internet of Things (IoT) devices, 2014 also saw an increase in the level of mobile malware detected. As the computing ecosystem continues to expand, unless enterprises take security into consideration, attackers will continue to find more points of entry.

Another key finding of the report revealed that the primary causes of commonly exploited software vulnerabilities are defects, bugs, and logic flaws. Most vulnerabilities stem from a relatively small number of common software programming errors. Old and new vulnerabilities in software are swiftly exploited by attackers.

Key recommendations

  • A comprehensive and timely patching strategy should be employed by network defenders to ensure systems are up-to-date with the latest security protections to reduce the likelihood of these attacks succeeding.
  • Regular penetration testing and verification of configurations by internal and external entities can identify configuration errors before attackers exploit them.
  • Mitigate risk being introduced to a network prior to the adoption of new technologies. With emerging technologies like Internet of Things (IoT), it is imperative for organisations to protect against potential security vulnerabilities by understanding new avenues of attack before they are exploited.
  • Collaboration and threat intelligence sharing is key to cooperatively addressing threats across the security industry. This enables organisations to gain insight into adversarial tactics, allowing for more proactive defense, strengthened protections offered in security solutions, and an overall safer environment.
  • Complementary protection strategy should be adopted with a continuous "assume-breach" mentality. There is no silver bullet solution, and defenders should implement a complementary, layered set of security tactics to ensure the best defense.

"Many of the biggest security risks are issues we've known about for decades, leaving organisations unnecessarily exposed," said Art Gilliland, Senior Vice President and General Manager, Enterprise Security Products, HP. "We can't lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk."


Sign up for CIO Asia eNewsletters.