In its HPE Cyber Risk Report 2016, Hewlett Packard Enterprise (HPE) has identified the top three enterprise security threats over the past year as application vulnerabilities, security patching and the monetisation of malware.
This year’s report also highlights important industry issues such as new security research regulations, the “collateral damage” from high-profile data breaches, shifting political agendas and the ongoing debate over privacy and security.
Facing an increasing level of attack sophistication, organisations can use the report to find actionable intelligence and recommendations as they aim to keep pace with the loss of the traditional network perimeter.
“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” said Shane Bellos, general manager, enterprise security products, HPE.
“We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organisation to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”
1. Applications are the new battlefield
Web applications continue to pose a significant risk to enterprises, but mobile applications are a fast-growing new risk. Because mobile applications make heavy use of personally identifiable information, their storage and transmission of that data are vulnerable. Mobile applications are also vulnerable to API abuse.
Recommended action: Adjust security approaches, defending not just the perimeter but also the interactions between users, applications and data, regardless of location or device.
2. Patch or perish
The exploitation of software vulnerabilities continues to be a major issue, with an increasing focus on mobile targets. The top 10 vulnerabilities in 2015 were more than one year old, while 68 per cent were three or more years old. In 2015, 29 per cent of all successful exploits used the twice-patched 2010 Stuxnet infection vector. Microsoft Windows was the most targeted software platform in 2015, with 42 per cent of the top 20 exploits directed at Microsoft platforms and applications.
Action: Increase vigilance in applying patches at the enterprise and user level, and increase enterprise confidence in deploying patches.
3. Monetisation of malware
Increasingly, attackers are using malware for revenue generation rather than mere disruption. Although the overall number of new malware attacks declined by 3.6 per cent from 2014, attack targets are shifting to match technology trends.
For example, malware targets the most popular mobile platforms, with Apple iOS malware attacks up more than 230 per cent and Android threats, malware, and potentially unwanted applications up 153 per cent year-over-year. Malware attacks on ATMs, banking trojans and ransomware are all on the rise.
Action: Increase both awareness and preparation, with a sound backup policy for all important files still the best protection against ransomware.