Despite cyber attackers developing new technologies, most businesses that experienced a cyber security incident in 2014 were hit with well-known security threats and system configuration faults, according to the latest Cyber Risk Report from HP.
The report, from HP Security Research, said the top ten vulnerabilities exploited in 2014 were known weaknesses in systems implemented years ago – or even decades.
As much as 44% of known breaches in 2014 came from vulnerabilities that are between two and four years old, showing that attackers continue to use well-known techniques to compromise systems and networks.
The report identified misconfigurations of servers as the top vulnerability in 2014, providing attackers with unnecessary access to files that leave organisations vulnerable to attack.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice-president and general manager, enterprise security product at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organisations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk.”
Read more about information security strategy
- Many organisations are still uncertain how to implement risk-based security.
- Designing end-to-end security for cloud implementations begins with developing a strategic security program.
- Cyber attacks constitute a group-level risk that is managed as part of BP’s standard set of risk management processes.
- Vehicle manufacturer Daimler has a team of hackers to continually test the effectiveness of its cyber defences.
Closing hackers' opportunities
The report said new avenues of attack were introduced through connected devices. In addition to security issues presented through devices making up the internet of things (IoT), 2014 saw an increase in the level of mobile malware detected.
As the computing ecosystem continues to expand, unless enterprises take security into consideration, attackers will continue to find more points of entry, the report said.
The report notes that while most vulnerabilities stem from a relatively small number of common software programming errors, old and new vulnerabilities in software are swiftly exploited by attackers.
The report recommends a comprehensive and timely patching strategy should be employed by network defenders to ensure systems are up-to-date with the latest security protections to reduce the likelihood of these attacks succeeding.
The report also recommends regular penetration testing and verification of configurations by internal and external teams to identify configuration errors before attackers exploit them, and mitigating risk to networks prior to the adoption of new technologies.
Collaboration key to security
With emerging technologies such as IoT, it is imperative for organisations to protect against security vulnerabilities by understanding new avenues of attack before they are exploited, the report said.
According to the report, collaboration and threat intelligence sharing is key to co-operatively addressing threats across the security industry.
This enables organisations to gain insight into adversarial tactics, allowing for more proactive defence, strengthened protections in security systems, and an overall safer environment, the report said.
Finally, the report recommends a complementary protection strategy should be adopted with a continuous “assume-breach” mentality. There is no silver bullet, and defenders should implement a complementary, layered set of security tactics to ensure the best defence, the report said.