
HP has published the Cyber Risk Report 2013, an annual study that identifies top enterprise security vulnerabilities and analyzes the expanding threat landscape.
 
Developed by HP Security Research, this year's report lists the factors that contributed most to the growing attack surface in 2013 — increased reliance on mobile devices, proliferation of insecure software and the increasing use of Java — and points out ways for organizations to minimize security risk and the impact of attacks on their infrastructure.
 
"Adversaries today are more skilled than ever and are working collaboratively to take advantage of vulnerabilities on an ever-growing attack surface," said Jacob West, chief technology officer, Enterprise Security Products, HP. "It is important for the industry to come together to proactively share intelligence and security tactics to thwart coordinated criminal actions by the growing black market in attacks."
 
Highlights and main results of the report
 

  • While vulnerability research continues to gain attention, the total number of publicly disclosed vulnerabilities decreased by 6% year over year, and the number of high-severity vulnerabilities decreased for the fourth consecutive year, by 9%. While not quantifiable, the decline could indicate a spike in undisclosed breaches whose vulnerabilities are delivered directly to the black market for private and/or harmful use. 
  • About 80% of the analyzed applications contained vulnerabilities rooted outside their own source code. Even carefully coded software can be dangerously vulnerable if misconfigured. 
  • Inconsistent and varied definitions of “malware” complicate risk analysis. In an analysis of more than 500,000 Android mobile apps, HP found fundamental discrepancies in how antivirus engines and mobile platform vendors classify malware. 
  • 46% of the studied mobile applications use cryptography incorrectly. HP research shows that application developers either fail to use encryption when storing sensitive data on mobile devices, rely on weak algorithms to do so, or misuse encryption capabilities in ways that render them ineffective. 
  • Internet Explorer was the primary focus of vulnerability researchers for the HP Zero Day Initiative (ZDI) in 2013 and accounted for more than 50% of the vulnerabilities recorded by the initiative. This attention stems from market forces focusing researchers on Microsoft vulnerabilities and does not reflect the overall security of Internet Explorer. 
  • Sandbox bypass vulnerabilities were the most prevalent and damaging to Java users. Adversaries have significantly scaled their exploitation of Java by simultaneously targeting several known vulnerabilities in blended attacks to compromise specific targets of interest.
 
Main recommendations
 
  • In today's world, with increasing cyber-attacks and demand for secure software, it is critical to eliminate opportunities to unintentionally reveal information that could be of benefit to attackers. 
  • Organizations and developers together must be aware of security pitfalls in frameworks and other external code, especially on hybrid mobile development platforms. Robust security guidelines must be put in place to protect the integrity of applications and the privacy of users. 
  • While it is impossible to eliminate the attack surface without sacrificing functionality, a combination of the right people, technology and processes allows organizations to effectively minimize vulnerabilities on that attack surface, dramatically reducing overall risk. 
  • Collaboration and sharing of threat intelligence across the security industry helps provide visibility into adversary tactics, enabling more proactive defense and strengthening protections offered in security solutions, thus creating an overall safer environment. 
Additional information about HP Enterprise Security Products is available at www.hpenterprisesecurity.com.