With only a few days to go until cybersecurity’s minions gather in San Francisco for RSA Conference 2016 (February 29-March 4), Hewlett Packard Enterprise has released a report characterizing 2015 as the Year of Collateral Damage (presumably no connection to Arnold’s 2002 movie). Organizations need to rethink how and where they can be attacked as it is no longer a case of “if” but “when”, cautions HPE in their latest security survey, Cyber Risk Report 2016.
That conclusion is not new, but neither are some of the issues still plaguing organizations, said Chandra Rangan, VP of Marketing, HPE Security Products, Hewlett Packard Enterprise. Just under a third (29%) of all exploit samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched. Twice. The industry didn’t learn anything about patching in 2015: the number one exploited vulnerability is over five years old, was the most exploited in 2014, and has been patched by the vendor… twice.
The patching problem was the second of three highlights of the study that were not surprising, but interesting, Rangan told IT Trends & Analysis. “First, the shift to attack applications, and specifically Android… [it] has overtaken Java as the second-biggest platform.” Most of the applications HPE scanned (75%) had a vulnerability.
The third finding was monetization. It’s from a smaller base but very rapidly tracking, he said.
“From our perspective, these kinds of findings… we are surprised that the data and the apps that the data sit in are being more and more exposed.” As a result, one of the bigger conversations the company is having with its customers is about hardening apps.
We are getting very mixed signals, when it comes to cybersecurity. At the same time more money, resources and attention are being lavished on security, problems are continuing to escalate.
While spending on cybersecurity is expected to exceed $37 billion in 2016, less than half (45%) of organizations are confident in their security posture. Other indicators that the situation remains bleak include:
- the average annualized cost of cybercrime has soared 82% over the last 6 years, to $15 million per US organization;
- the average time to resolve a cyber attack was 46 days, with an average cost to participating organizations of more than $1.9 million during this 46-day period, up 22% from last year;
- between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10%;
- 92% of Internet devices are running known vulnerabilities;
- 31% of all devices analyzed are no longer supported or maintained by the vendor;
- 55% of all attacks were carried out by either malicious insiders or inadvertent actors, and over 95% of breaches caused by insiders were caused by human error; and
- 83% of respondents face challenges with privileged account management.
HPE’s results further illustrate the growing challenges confronting organizations:
- 35% of scanned applications exhibited at least one critical or high-severity vulnerability;
- over 80% of open source and commercial applications suffer security feature vulnerabilities;
- over 100,000 new threats were discovered daily on the Android platform, a year-over-year increase of 153%; and
- with 95% of newly discovered malware samples and 42% of exploits targeting Windows, that OS remains the dominant platform for attack.
Jewel Timpe, Senior Manager, HPE Security Research Communications, Hewlett Packard Enterprise, agrees with Rangan and many of his security vendor peers that the outlook is not as bad as it appears. This is an asymmetrical problem. Defenders have to defend everything but attackers only have to exploit one vulnerability. Plus customers have hundreds of security tools, so a more holistic approach is required, she said.
A week ago IBM reported a significant disconnect between security professionals and senior management. A survey of more than 700 C-level executives found many leaders across the C-suite are confused about who the true cybersecurity adversary is and how to effectively combat them. A major finding of the study was that 70% of CxOs think rogue individuals make up the largest threat to their organizations, but the reality is that 80% of cyberattacks are driven by highly organized crime rings in which data, tools and expertise are widely shared.
The bad guys are not the only ones sharing resources. Dell, which is in the process of buying EMC, which owns RSA, released its own cybersecurity report card this week that noted the evolution of exploit kits to stay one step ahead of security systems. Exploit kits evolved with greater speed, heightened stealth and novel shape-shifting abilities, stated Dell, but that ‘each successful attack provides an opportunity for security professionals to learn from others’ oversights, examine their own strategies and shore up the holes in their defense systems.’
HPE’s approach is to build security into all aspects of its offerings. The second consideration is accepting that attacks will happen, so they want to respond quickly.
The company has made a significant investment in security over the last six months, said Rangan. “We think about how we can build in security into every part of the stack, and we’re making very good progress.”
In addition to a stronger focus, improving security will require an industry approach, leveraging partnerships, he added. “To be able to do that, that’s not a single product, single company effort.”