HP Report on Cyber Risks: An Analysis
Experts Offer Insights on Mitigating Vulnerabilities
Multiple vulnerabilities in products and programs that were years old, misconfiguration of core technologies, new avenues of attack, software vulnerabilities around coding discrepancies and rising mobile malware are among the top challenges plaguing Asia Pacific and Japan's security leaders.
Those are among the findings in Hewlett Packard's new Cyber Risk Report 2015, which provides a broad view of the 2014 threat landscape, from industrywide data down to a focused look at technologies, including open source, mobile and the Internet of Things.
HP's cybersecurity research team has expanded over the past year, and so has its risk report, covering familiar topics in greater depth and adding allied issues, including privacy and big data, among others.
The report says CISOs and other security practitioners must ready themselves for greater scrutiny in 2015 because threat actors - encouraged by public attention - will continue to disrupt and capitalize on bugs and defects.
"Many of the biggest security risks have been known about for decades, leaving organizations unnecessarily exposed," said Jyoti Prakash, country director, India and SAARC countries, HP Enterprise Security Products. "We can't lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organizations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant risk."
Information Security Media Group sought comments from security practitioners about how CISOs must tackle these challenges and mitigate risks.
"Most vulnerabilities - Web-based, mobile, coding discrepancies or others - occur due to lack of awareness among employees and are majorly influenced by the organization's culture," says Pune-based Sharat Airani, director of IT and CISO at Intellinet Datasys Pvt.Ltd. "Most enterprises often ignore threats from internal teams and external suppliers with easy access to information, especially financial audits which give access to critical data."
APJ security practitioners surveyed for the report say that 44 percent of known breaches came from vulnerabilities that are 2 to 4 years old. And every one of the top 10 vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.
Server misconfigurations were the No. 1 vulnerability, Prakash says. Besides such vulnerabilities as privacy and cookie security issues, server misconfigurations dominated security concerns in 2014, providing unnecessary access to files that left organizations susceptible.
The study found additional attack avenues introduced via connected devices. Prakash says besides security issues presented by IoT devices, 2014 saw an increase in the level of mobile malware detected. As the computing ecosystem expands, attackers will find more entry points.
"The black hats are continually trying to create new attacks that can slip by security defences, and the white hats continually update security techniques to nab new attacks," he says. "Creating a new type of malware means much work, so variants of known malware that evade traditional anti-malware security techniques are created."
Experts underscore the challenge of secure coding; the report confirms the lack of alignment between security teams and coders.
The report says the primary causes of software vulnerabilities are defects, bugs and logic flaws. Security professionals have discovered that most vulnerabilities stem from a small number of common software programming errors.
"The old and new vulnerabilities in software continue, which attackers swiftly exploit," Prakash says.
Experts say that while it may never be possible to eliminate all code defects, a properly implemented secure development process lessens the impact and frequency of such bugs.
Maurya notes that new bugs in applications and codes bring security concerns because they tunnel through trusted ports, use proprietary encryption algorithms and even masquerade as other applications to evade detection and blocking by firewalls. "This makes it easier to transfer digital information undetected and unimpeded from inside an enterprise network, and for a new generation of threats to breach traditional network firewalls."
Handling Server Misconfigurations
The report documented that several vulnerabilities were related to server misconfiguration. Surprisingly, server misconfiguration was the No. 1 issue across all analysed applications.
The study indicated that access to unnecessary files and directories seems to dominate misconfiguration-related issues. The information disclosed to attackers through these misconfigurations provided additional avenues of attack, giving attackers the knowledge needed to ensure their other methods of attack succeeded.
One of the reasons for such misconfigurations is a bad patch management strategy, allowing easy entry into the network.
Chennai-based Dr. B Muthukumaran, head of security training at HTC Global, says loopholes in server configurations may be due to lack of an effective security policy or framework. "Server installations must be validated with unconventional testing - we don't have the workforce or skills to write our own misconfiguration validation tools - before release for production," Muthukumaran says.
Experts say regular penetration testing and verification of configurations by internal and external entities can identify configuration errors before attackers exploit them.
Bengaluru-based K N Swaminathan, vice president, information security, at TVS Motors, recommends that OEMs share a comprehensive document for complete and correct configuration and an external audit to further fortify it.
A Holistic Approach to Security
Rather than taking a piecemeal approach, security leaders recommend a holistic approach to security, which can create a secure culture within the organization.
Muthukumaran also suggests a change in how organizations recruit staff. Besides focusing on technical qualifications of the candidate, it is also important to understand the personal conduct and ethics of the job applicant, he says.
"Only continuous education, training, periodic audits by experts and implementing their recommendations can bridge the vulnerabilities," Swaminathan says.
Prakash adds: "Collaboration and threat intelligence sharing is key, enabling organizations to gain insights into adversarial tactics, allowing for more proactive defence, strengthened protection offered in security solutions and a safer environment."