An ever-widening attack surface means IT security professionals need to approach their jobs in a new way, according to a new report from Hewlett-Packard Co.
The report from HP Security Research seeks to identify the top enterprise security vulnerabilities and provide analysis of the expanding threat landscape. It identifies our increased reliance on mobile devices, the proliferation of insecure software and the wide use of Java as contributing to a growing attack surface in 2013.
“Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface,” said Jacob West, chief technology officer for enterprise security products at HP, in a statement. “The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace.”
Among the findings, a six per cent decline in the number of publicly disclosed vulnerabilities and a nine per cent dip in the number of high-severity vulnerabilities could be viewed as a positive. HP cautioned, however, that this may be an indicator of a surge in vulnerabilities that aren’t being disclosed, and instead are being delivered to the security black market for exploitation.
A lack of consistency across security platforms was identified as a concern, particularly when it comes to defining malware. When examining more than 500,000 mobile applications for Android, HP said it found major discrepancies between how antivirus engines and mobile platform vendors defined and classified malware.
Just 46 per cent of mobile applications that were examined used encryption properly, and sandbox bypass vulnerabilities were the most prevalent and damaging for Java users.
To reduce enterprise risk in this changing threat landscape, HP said both organizations and developers should stay aware of security pitfalls in frameworks and other third-party code, particularly when it comes to hybrid mobile development platforms. A combination of people, process and technology can minimize the attack surface, and more collaboration and threat intelligence sharing within the security industry is needed for a stronger and more effective defence.