HP research identifies new era of security risk, shifting vulnerability landscape

Apr 24, 2012

HP today published the 2011 Top Cyber Security Risks Report, which identifies the growing sophistication and severity of security attacks and the resulting risks.

The report provides the information to help enterprises and governments understand the threat landscape and assess their posture.

The report also indicates that motivations are continuously changing due to the growing presence of “hacktivist” groups, such as Anonymous and LulzSec, which perform highly organized attacks in retaliation for perceived wrongdoing. In addition to changing motivation, advances in attack techniques have led to the increased “success” rate of security breaches. As a result, enterprises and governments are faced with new challenges in assessing and remediating risks.

Historically, the number of vulnerabilities disclosed in a year indicated the current state of the security industry and helped organizations prioritize their defenses. According to the report, pure vulnerability volume is no longer a valid indicator of the security risk landscape. While newly reported vulnerabilities in commercial applications continue to decline, a large number of vulnerabilities are unaccounted for, and are therefore undisclosed to the broader security industry.
 
“To protect organizations against a wide range of attacks, HP has established a global network of security researchers who look for vulnerabilities that were not publicly disclosed,” said Michael Callahan, vice president, Worldwide Product and Solution Marketing, Enterprise Security Products, HP. “The intelligence gained from this research group is built into HP enterprise security solutions in an effort to proactively reduce risk.” 

Shifting vulnerability landscape

Disclosure of new vulnerabilities in commercial applications has slowly declined since 2006, dropping nearly 20 percent in 2011 from the previous year. However, data from the report demonstrates that this decline does not signify decreased risk.

This decline is due to several factors, including the advent of a private market for sharing vulnerabilities. In addition, the proliferation of custom-built web applications, such as retail web sites, has created a market for unique vulnerability exploits that require advanced expertise to locate and address.

Key findings from the report include:

-- Although vulnerability reports have declined, attacks on web applications have more than doubled as measured by HP TippingPoint Intrusion Prevention Systems (IPS) in the second half of 2011.

-- Nearly 24 percent of new vulnerabilities disclosed in commercial applications in 2011 have a severity rating of 8 to 10. These vulnerabilities can result in a remote code execution, the most dangerous type of attack.

-- Roughly 36 percent of all vulnerabilities are in commercial web applications.

-- Approximately 86 percent of web applications are vulnerable to an injection attack, which is when hackers access internal databases through a website.

-- Due to a high success rate, web exploit toolkits continued to be popular in 2011. These “packaged” attack frameworks are traded or sold online, enabling hackers to access enterprise IT systems and steal sensitive data. For example, the Blackhole Exploit Kit is used by most cybercriminals, and reached an unusually high infection rate of more than 80 percent in late November 2011.

To combat changing , HP offers the HP Security Intelligence and Risk Management (SIRM) platform, an integrated platform of risk-driven security solutions. SIRM delivers visibility across traditional, mobile and cloud environments enabling enterprises to apply adaptive security defenses based on specific organizational risk.

Explore further: How to find a submarine

More information: www.hpenterprisesecurity.com/cybersecurityrisks

add to favorites email to friend print save as pdf

Related Stories

Research on browser weaknesses triggers attacks

Jul 30, 2008

IBM's X-Force says cyber-criminals are using public research on Web browser weaknesses to launch attacks before most users are even aware of their vulnerability. The mid-year report from the security group indicates that ...

Security gurus see even harsher browser attacks for '07

Jan 31, 2007

Another year, another round of sneaky online attacks. IBM security experts anticipate 2007 will see more sophisticated profit-motivated cyber attacks, including more focus on Web browsers as well as advances in image-based ...

Hackers breach US air traffic control computers

May 08, 2009

Hackers broke into US air traffic control computers on several occasions over the past few years and increased reliance on Web applications and commercial software has made networks more vulnerable, according ...

Cracks in computer defenses abound: IBM

Aug 25, 2010

IBM on Wednesday reported that the number of discovered cracks that hackers could exploit in computer software surged in the first half of the year.

Recommended for you

Christian Bale to play Apple's Steve Jobs

17 hours ago

Oscar-winner Christian Bale—best known for his star turn as Batman in the blockbuster "Dark Knight" films—will play Apple co-founder Steve Jobs in an upcoming biopic.

How to find a submarine

21 hours ago

Das Boot, The Hunt for Red October, The Bedford Incident, We Dive At Dawn: films based on submariners' experience reflect the tense and unusual nature of undersea warfare – where it is often not how well ...

Government ups air bag warning to 7.8M vehicles (Update)

Oct 22, 2014

The U.S. government is now urging owners of nearly 8 million cars and trucks to have the air bags repaired because of potential danger to drivers and passengers. But the effort is being complicated by confusing ...

HP supercomputer at NREL garners top honor

Oct 21, 2014

A supercomputer created by Hewlett-Packard (HP) and the Energy Department's National Renewable Energy Laboratory (NREL) that uses warm water to cool its servers, and then re-uses that water to heat its building, has been ...

User comments : 0