For the past few years Hewlett-Packard has issued an annual Cyber Risk Report to help organizations understand the vulnerability landscape and how best to deploy resources to minimize security risk. Here are some top takeaways from its latest findings.
It’s partly your fault
80 per cent of applications contain vulnerabilities exposed by incorrect configuration
While we often hear about vulnerabilities that arise due to bugs in an application’s code, an analysis of 2,200 applications found many were related to server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment. Don’t overlook this security gap. Dedicate resources to auditing software for misconfiguration as well as for more expected forms of vulnerability.
Say no to Java
In the past year Java’s security has been questioned. HP found that sandbox bypass vulnerabilities caused by unsafe reflection are the most prolific issue, and sandbox bypass due to type confusion is the most exploited. Attackers are significantly escalating their exploitation of Java by simultaneously targeting multiple CVEs and using Java more often to successfully compromise victims’ computers. Organizations should seriously consider reducing their attack surface by eliminating Java from environments where it is not required.
Mind your cookies
Among the top half of all software problems examined, 52 per cent involved insecure cookies, including failing to set the HttpOnly attribute; 51 per cent leaked system information; 49 per cent had access control vulnerabilities affecting files and directories; and 40 per cent had cross-site scripting problems.
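As an added example, not code from the report or this article: a small Python audit that checks Set-Cookie headers for the HttpOnly, Secure and SameSite attributes, run over constructed sample headers where the first cookie is the weak form and the second is the hardened form. The name pattern used to decide which cookies are sensitive and the SameSite requirement are assumptions of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample response headers (not from the report). The first
# session cookie is the weak form; the second is the hardened form.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Lax",
]

# Assumption: cookies whose names look like session/auth material must be HttpOnly.
SENSITIVE_NAME = re.compile(r"sess|auth|token|csrf", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Return (cookie name, {attribute name in lower case: value}) for one header."""
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Flag the attribute gaps that expose a cookie to XSS theft or plaintext leakage."""
    name, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if SENSITIVE_NAME.search(name) and "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable by script, exposed to XSS theft")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: cookie will be sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return audit


def audit_headers(headers: list[str]) -> list[CookieAudit]:
    """Audit every Set-Cookie header in a list of raw response header lines."""
    return [audit_set_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(f"{result.name}: {'; '.join(result.findings) or 'OK'}")
```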
Less is better
An examination of over 500,000 Android apps turned up major discrepancies between how Google and different antivirus companies judge the behavior and intent of mobile apps. Limiting the number of apps available within an organization, monitoring approved apps, and thoroughly vetting EULAs are the absolute baseline for responsible defense.
Mobile developers fail #1
46 per cent of the 180 iOS and Android mobile applications tested use encryption improperly. Missing or misused cryptographic APIs were a common occurrence in HP's analysis of encryption-related vulnerabilities. The statistics indicate that developers either skip encryption entirely before storing sensitive information on the device or rely on weak algorithms. In addition, 41 per cent of the encryption-related issues resulted from unencrypted transfer of sensitive information.
Mobile developers fail #2
An analysis of native vulnerabilities found that the insecure use of storage APIs is a prominent root cause of security issues. Unsafe storage of information on publicly accessible external SD cards is a common practice among mobile app developers, and was found to be responsible for nearly 42% of all storage-related issues. SQL injection vulnerabilities, which could similarly expose the contents of the device database, constituted approximately 21% of the issues. Almost 38% of the issues were related to insecure logging practices and to hardcoding of sensitive information, both of which run counter to long-standing security best practices.
Mobile developers fail #3
Modern mobile phones allow apps to expose custom features for reuse by other apps, but a permission model is essential to prevent misuse of those features. Examples include permissions to use the camera, external storage and the Internet, as well as permissions to share custom components between apps. Unfortunately, 74% of the issues were caused by Android applications requesting more permissions than they needed to operate, putting the user's data at risk if the app is compromised.
Don’t be complacent
Security isn’t a box that can be checked—it’s an ongoing process of gathering and sharing intelligence, responding to changing technology and conditions in the wild, and balancing security measures against functionality. It is also simply not possible to reduce the attack surface to zero without sacrificing functionality necessary to operate the organization. However, with the right information and advice, organizations can respond appropriately, mitigate risks, and reduce their attack surface significantly.