HP Security Report: Misconfigured Software, A Huge Threat
HP's 2013 Security Research Cyber Risk Report focuses on several trends that developed over the past year, including the targeting of mobile devices, Java sandbox bypass vulnerabilities, and the problem of proper software configuration. Published every year since 2009, HP's Cyber Risk Report analyzes the state of cyber security across the year and addresses the vulnerabilities and risks that have become apparent. For a different take on security in 2013, Tom's IT Pro published an article on the Online Trust Alliance's (OTA) data breach report yesterday.
"Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface," according to Jacob West, chief technology officer of Enterprise Security Products at HP. "The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace."
One of the most surprising findings of the report was that 80% of the software examined contained vulnerabilities stemming from incorrect configuration. According to the report, "Many vulnerabilities were related to server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment." HP suggests that software developers assign resources to auditing configuration in addition to code debugging.
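The report's misconfiguration categories (server misconfiguration, improper file settings, sample content, outdated software versions) map naturally onto a small deployment audit. The following is an added example, not code from HP or from the report: a Python script that parses a constructed key/value configuration and flags each of those categories, plus a permission check for world-readable or world-writable files. The config format, key names, and the minimum version baseline are assumptions made for illustration.

```python
"""
Added example (not from HP's report): a deployment configuration audit that
flags the insecure-deployment categories the report names. Config keys,
the config format and MIN_VERSIONS are illustrative assumptions.
"""
import os
import stat

# Assumed minimum patched versions for the hypothetical components.
MIN_VERSIONS = {"webserver": (2, 4, 7), "runtime": (1, 7, 51)}

# Constructed sample configuration exhibiting several weak settings.
SAMPLE_CONFIG = """
# constructed deployment config for illustration
webserver_version = 2.2.15
runtime_version   = 1.7.51
directory_listing = on
debug             = true
sample_content    = enabled
"""


def parse_version(text):
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_config(text):
    """Parse a simple 'key = value' config; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().lower()] = value.strip()
    return cfg


def audit_config(cfg):
    """Return a list of findings for server misconfiguration, sample content
    and outdated versions; an empty list means no issue was detected."""
    findings = []
    if cfg.get("directory_listing", "off").lower() == "on":
        findings.append("server misconfiguration: directory listing enabled")
    if cfg.get("debug", "false").lower() == "true":
        findings.append("server misconfiguration: debug mode enabled")
    if cfg.get("sample_content", "disabled").lower() == "enabled":
        findings.append("sample content: demo/example content deployed")
    for component, minimum in MIN_VERSIONS.items():
        key = component + "_version"
        if key in cfg and parse_version(cfg[key]) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(
                f"outdated software: {component} {cfg[key]} is below {wanted}")
    return findings


def check_file_mode(name, mode):
    """Flag improper file settings from a POSIX mode bitmask: configuration
    and credential files should not be readable or writable by 'other'."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"improper file settings: {name} is world-writable")
    if mode & stat.S_IROTH:
        findings.append(f"improper file settings: {name} is world-readable")
    return findings


def audit_file(path):
    """Convenience wrapper that reads the mode of a real file on disk."""
    return check_file_mode(os.path.basename(path), os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_config(parse_config(SAMPLE_CONFIG)):
        print(finding)
    for finding in check_file_mode("app.conf", 0o666):
        print(finding)
```

Running the script against the constructed config reports four findings (directory listing, debug mode, sample content, and the outdated web server); the runtime version equals the baseline and is not flagged. In a real deployment the same checks would be run against the actual server configuration and the on-disk permissions of configuration and secret files as part of the audit HP recommends.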
Among individual applications, Internet Explorer accounted for the most zero-day vulnerabilities disclosed through the Zero Day Initiative (ZDI), making up more than 50% of the vulnerabilities included in the ZDI study.
The report also stated that Java's most common vulnerability type is the security sandbox bypass. Attackers are targeting multiple Java vulnerabilities and using the platform to compromise devices more effectively. HP suggests that organizations consider eliminating or reducing their Java environments where Java is not required.
Mobile security showed up more than once in the report, including the finding that encryption is improperly used in 46% of iOS and Android apps. This is especially important to note as more end users bring their own mobile devices for both personal and business use.
Over the year there were minor disputes between Google and some antivirus vendors about how much malware was present on the Google Play Store for Android devices; antivirus companies said it was rampant, while Google refuted those statements. It turns out that much of the dispute comes from a difference in definition: the antivirus companies may have been using analysis tools that flagged advertising libraries as malicious software. However, malicious software is certainly still present on Google Play, and HP points out Google's responsibility for finding and removing harmful programs from the marketplace.
HP's full 2013 Cyber Risk Report is available for download from HP.