HP 2012 Cyber Security Risk Report

We are very pleased to announce the release of the HP 2012 Cyber Security Risk Report. Originally started several years ago by HP DVLabs, it has grown to encompass data, analysis and content from a wide range of HP groups, and it serves not only as a representation of our unique view into the threat landscape, but also as a testament to the strength of our integrations and outlook.


Highlights from the report include:


Critical vulnerabilities are on the decline, but still pose a significant threat

High-severity vulnerabilities (CVSS score of 8 to 10) made up 23 percent of the total scored vulnerabilities submitted to the Open Source Vulnerability Database (OSVDB) in 2011 and dropped to 20 percent in 2012. While this reduction is significant, the data shows that nearly one in five vulnerabilities can still allow attackers to gain total control of the target. Long story short, it's getting harder for organizations to find the information they need to secure themselves, not easier, for a myriad of reasons.

Web applications remain a substantial source of vulnerabilities

Web applications remain a popular and viable attack vector, due in no small measure to the failure of organizations and developers alike to correct longstanding vulnerabilities. For instance, cross site scripting remains a pervasive web application security problem even though it's been around almost as long as the web itself. You can find more information about that specific finding by clicking here.

In addition, the first documented cross-frame scripting (XFS) vulnerability, the root cause behind clickjacking attacks, was discovered over 10 years ago. Since then, clickjacking has become a well known vulnerability, yet less than one percent of 100,000 tested URLs included the best-known mitigation, the X-Frame-Options header.
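The measurement described above amounts to checking each response for a usable X-Frame-Options header. The following is an added example (not part of the report or of HP's tooling) that classifies captured response header blocks as protected, invalid or missing and tallies the protected share; the header blocks and URLs are constructed for illustration.

```python
from collections import Counter

# X-Frame-Options values defined by RFC 7034; browsers ignore anything else,
# so a misspelt or non-standard value leaves the page framable.
VALID_DIRECTIVES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")

def frame_protection(raw_headers: str) -> str:
    """Classify one raw HTTP response header block as 'protected',
    'invalid' (header present but value not recognised) or 'missing'."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":  # header names are case-insensitive
            values.append(value.strip().upper())
    if not values:
        return "missing"
    if len(values) > 1:
        # Duplicate headers are a server misconfiguration; treat them as invalid
        # rather than guessing which one a given browser will honour.
        return "invalid"
    directive = values[0].split()[0] if values[0] else ""
    return "protected" if directive in VALID_DIRECTIVES else "invalid"

def survey(responses: dict) -> dict:
    """Tally classifications across URLs and compute the protected percentage."""
    counts = Counter(frame_protection(h) for h in responses.values())
    total = len(responses)
    pct = 100.0 * counts["protected"] / total if total else 0.0
    result = {k: counts.get(k, 0) for k in ("protected", "invalid", "missing")}
    result.update(total=total, protected_pct=round(pct, 1))
    return result

# Constructed sample header blocks (not real survey data).
SAMPLE_RESPONSES = {
    "https://example.test/login":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n",
    "https://example.test/account":
        "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n",
    "https://example.test/help":
        "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n",  # not a defined value
    "https://example.test/":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}

if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        print(f"{frame_protection(hdrs):10} {url}")
    print(survey(SAMPLE_RESPONSES))
```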


Vulnerability disclosure numbers are also revealing. Four of the six highest ranked OSVDB categories from 2000-2012 are either exclusively or primarily exploitable via web applications (cross site scripting, SQL injection, cross site request forgery, and remote file includes). Those same four categories comprised 40% of all submitted 2012 vulnerabilities.


Old and new technologies alike introduce new security vulnerabilities

As seen with the recent Department of Homeland Security announcement recommending that the Oracle Java SE platform be universally disabled in Web browsers, seemingly mature technologies still suffer from new exploits. This is disturbingly evident in both the rising number of disclosed SCADA vulnerabilities and in a failure for organizations to follow best practices when mitigating long standing web application security issues as seen above.

 

In addition to old technologies, the explosive adoption of mobile devices and the applications that drive them has resulted in a corresponding boom in mobile vulnerabilities. The last five years have seen a 787 percent increase in mobile application vulnerability disclosures. Multiple data sets also point to the fact that when coding mobile applications, developers are simply not considering the security implications of how they store, transmit and access data.

The report goes into much greater detail about these specific topics, and many more besides. To access the full report, see the HP 2012 Cyber Security Risk Report.

Comments
Damion Carmickle (anon) | 08-19-2013 09:39 AM
Thank you for all your efforts that you have put in this. Very interesting info.