While few doubt the cleverness of hackers, the disheartening truth is they don't need to be all that clever to gain access to sensitive data.

"It's a bit depressing," said Chandra Rangan, vice president marketing, HPE Security Products at Hewlett Packard Enterprise, discussing some of the findings published in HPE's Cyber Risk Report 2016.

"Attackers are lazy. They want maximum bang for the buck, so they will go for low-hanging fruit," Rangan said, noting that the most exploited bug in 2015 was over five years old. It was also the top bug in 2014.

Similarly, the top 10 vulnerabilities (called CVEs or common vulnerabilities and exposures by security researchers) leveraged by attackers in 2015 are more than a year old and nearly half of them are at least five years old.

What is new, Rangan said, is a shift in which applications, rather than servers or operating systems, are used as a primary attack vector.

Mobile Insecurity

The research also reveals an increase in attacks on mobile platforms. While Microsoft Windows remains the top vector for attackers by far, with 95 percent of newly discovered malware samples and 42 percent of exploits targeting it, Android moved into second place in 2015 with 18 percent of the total exploits. That marks a change from 2014, when Oracle's Java took the number two spot.

Java dropped into third place with 12 percent of all discovered exploits in 2015, a decline from 21 percent in 2014, followed by Microsoft Office (11 percent) and Adobe (14 percent, evenly divided between Flash and Reader exploits).

Seventy-five percent of the mobile apps scanned by HPE had at least one vulnerability that HPE considered severe, compared to 35 percent of non-mobile applications.

Some software developers "seem to be making a tradeoff between speed and security," Rangan said. "There is a whole new crop of app developers, and they are saying 'how quickly can I get this app to market and how quickly can I monetize it?' When you are in that mode, you are less likely to use the development processes and methodologies that include multiple security checks."

It is getting easier to secure mobile applications, he said, with automated methods of checking for insecure code. "You do not need to make a tradeoff, and you do not need to use the old-school waterfall development model. There are plenty of technologies out there where you can build security into the very fabric of your apps."

Developers, end users and others must become more involved in security, he said. "Security is not a single IT function. If you see it that way, it causes people to think of it as an afterthought or as someone else's job."

Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.