Businesses should increase their focus on application security – particularly for mobile devices – as one of several key priorities in 2016.
Security professionals should also keep their eye on changes in the threat landscape, changes in the regulatory landscape, and the vulnerabilities of new technologies, according to the Hewlett Packard Enterprise Cyber Risk Report 2016.
Above all, the report highlights the shift in the cyber security battle to applications, as attackers direct their efforts to attacking applications directly, to access enterprise data.
Security professionals must adjust their approach to defending not just the network perimeter, but also interactions between users, applications and data – regardless of location or device.
While business and web applications pose significant risks to enterprises, mobile applications present growing and distinctive risks, the report said.
“The mobile application threat has come of age,” said Andrzej Kawalec, chief technology officer, enterprise security services at Hewlett Packard Enterprise.
“Mobile applications are becoming one of the most distinctive risks that enterprises are facing,” he told Computer Weekly.
Mobile threats easily mitigated
Mobile applications’ frequent use of personally identifiable information presents significant vulnerabilities in the storage and transmission of private and sensitive information, the report said.
About 75% of the mobile applications scanned exhibited at least one critical or high-severity security vulnerability, compared with 35% of non-mobile applications.
“There are some very basic red flags around the type of applications that are being targeted, and the growing, distinctive risks focused around mobile applications,” said Kawalec.
However, there are simple, easy-to-use off-the-shelf products that companies can use to analyse the code of the applications they are using, to identify and mitigate or remediate vulnerabilities, he said.
Vulnerabilities arising from the abuse of application programming interfaces (APIs), used by pieces of software to communicate with each other, are more common in mobile applications than in web applications. At the same time, mobile applications tend to have less functionality to anticipate, detect and resolve errors.
Software vulnerability exploitation remains a primary vector for attack, with mobile exploits gaining traction, the report said.
Little change in threat profiles
In line with 2014 findings, the top ten vulnerabilities exploited in 2015 were more than one year old, with 68% three years old or more.
In 2015, Microsoft Windows represented the most targeted software platform, with 42% of the top 20 discovered exploits directed at Microsoft platforms and applications.
The report said that, like 2014, the top infection method representing 29% of all successful exploits in 2015 continued to use a 2010 Stuxnet infection vector – that Microsoft has patched twice.
2015 was a record year for the number of security vulnerabilities reported and patches issued – but patching does little good if users do not install them for fear of unintended consequences, the report said.
Security teams must be more vigilant about applying patches at both enterprise and user level – and software suppliers must be more transparent about the implications of their patches, the report said, so that users are not afraid to deploy them.
“Enterprise ability and efficiency in patching or applying the latest software updates continues to be very poor,” said Kawalec.
“Attackers continue to be successful using vulnerabilities that have been identified and are fairly well understood, because enterprises’ patching regimes are still failing to address them year after year.”
Steps to successful patching
However, Kawalec agreed that patching is a challenge and is becoming more difficult as the volume of patches continues to increase, particularly for smaller and poorly resourced organisations that have neither a good overview of their IT landscape, nor a single mechanism for rolling out patches.
First, he said organisations need to recognise that patching is an essential part of any cyber security defence strategy – but that vulnerabilities can often be remediated on the network, or at the device through user authentication, instead of having to roll out hundreds of patches every week.
But, he said, this typically requires in-depth knowledge of an enterprise and its IT estate that is usually associated with organisations that have fairly mature security strategies.
Second, he said organisations should consider handing over all patching activities to managed security services providers (MSSPs), especially in the light of the fact that not all organisations have the maturity, time or skills required.
“MSSPs can take the patching burden away, and because they are managing patching for hundreds of organisations, they have a better sense of the priorities in various parts of the world, they are able to devote more resources to it, and they are able to automate patch deployment,” said Kawalec.
Security by design in fast development
The bigger issue, he said, is that software suppliers and enterprises need to get better at producing code that is secure by design and thoroughly security tested before being implemented.
“If you take a standard, longer-lifecycle, core enterprise application, there is naturally time to put the right security standards in place, as well as evolve and test your security assumptions,” he said.
According to Kawalec, a lot of organisations are getting caught out by the focus on an accelerated development lifecycle for feature-rich applications, especially on the mobile platform.
“Compressing development lifecycles from months to weeks and sometimes days typically means that security checks and balances are not done, which means the majority of mobile applications have serious security flaws in them,” he said.
Hackers focus on profits
Commenting on the threat landscape, the report said malware had evolved from being simply disruptive to a revenue-generating activity for attackers.
Attack targets have also shifted in line with evolving enterprise trends and focused heavily on making money.
As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms.
“As a result, we have seen an explosion in threats against Android platforms and malware focusing on Apple devices and other lucrative areas, even though some are fairly obscure such as malware targeting automatic teller machines (ATMs) and new variants of banking Trojans,” said Kawalec.
The number of Android threats, malware and unwanted applications has grown to more than 10,000 new threats discovered daily, reaching a total year-over-year increase of 153%, while Apple iOS represented the greatest growth rate, with a malware sample increase of more than 230%.
Banking trojans and ransomware
Banking Trojans, such as variants of the Zbot Trojan, continue to be problematic despite protection efforts, with more than 100,000 of these detected in 2015, the report said.
Malware attacks on ATMs use hardware, software loaded onto the ATM, or a combination of both to steal credit card information. In some cases, attacks at the software level bypass card authentication to directly dispense cash, the report said.
Ransomware, such as Cryptolocker, Cryptowall, CoinVault, BitCryptor, TorrentLocker and TeslaCrypt, is an increasingly successful attack model, the report said, with several ransomware families wreaking havoc in 2015 by encrypting files of consumer and corporate users alike.
Increased ransomware attacks require both increased awareness and preparation on the part of security professionals to avoid the loss of sensitive data, the report said, adding that the best protection against ransomware is a sound backup policy for all important files on the system.
Enterprises struggle with compliance
Changing legislation and resulting discrepancies between data protection and privacy regulations in the US, EU and Asia-Pacific, pose challenges for enterprises struggling to keep their systems secure and in compliance, the report said.
“A lot of enterprises are struggling to understand quite how they should adopt and interpret the various rules and regulations that are being introduced,” said Kawalec.
“It is challenging to keep abreast of what data can be shared, what privacy means and how to develop services that take all of those things into account without adding backdoors or weakening encryption,” he said.
Organisations must follow the changing legislative activity closely as it moves at different speeds around the world, and maintain a flexible security approach, the report recommends.
“Another area related to legislation that is felt keenly by the security research community is that a lot of new and proposed rules affecting cyber security research are hampering their ability to share insights and information across international boundaries,” said Kawalec.
This includes things like the criminalisation of research into the security of connected cars, as proposed in the US, and changes to the Wassenaar Arrangement, he said, that could have the effect of forcing cyber security research underground.
“Security researchers are finding it more difficult and time-consuming to share information and develop new research areas to stay up to date with the attackers,” said Kawalec.
Hackers are collaborating – and so must defenders
According to the report, the complexities of legislation and international events will have a greater impact in the realms of security and privacy.
As a result, the report said network defenders need to understand the complexities of privacy issues as thoroughly as they understand the impact of security vulnerabilities.
The report warns that instead of symmetric responses to threats, tomorrow’s network defender must understand how to respond asymmetrically to threats through automated analysis, wide-reaching fixes, and a community-based defense.
“If you assume that adversaries are able to collaborate and share information to allow them to operate and create efficient and effective attacks, defenders need to benefit from the same sharing and collaboration using secure threat and intelligence sharing platforms,” said Kawalec.
“These enable communities such as industry groups and security researchers to share intelligence and work together to respond to cyber threats in a more effective way, which is likely to involve putting together platforms of security technology rather than point solutions, and being able to detect and respond to attacks in a much more automated and co-ordinated fashion.”
The report concludes that, while the threat of cyber attack is unlikely to go away, thoughtful planning can continue to increase both the physical and intellectual price an attacker must pay to successfully exploit an enterprise.