HP Report Elaborates on Contradictions in Security Risks

Kachina Shaw

In publishing its “Security Research Cyber Risk Report 2013,” an annual update, HP has delved into a number of the most vexing contradictions in security and risk management. The report’s goal, states HP, is “to provide security information that can be used to understand the vulnerability landscape and best deploy resources to minimize security risk.”

Key findings included these:

“Research gains attention, but vulnerability disclosures stabilize and decrease in severity.” The number of publicly disclosed vulnerabilities remained stable in 2013, as the number of high-severity vulnerabilities dropped for the fourth year in a row. Asks HP, “Is this a good indication of the improving awareness of security in software development or does this indicate a more nefarious trend – the increased price of vulnerabilities on the black market for APTs resulting in less public disclosures?”


“80 percent of applications contain vulnerabilities exposed by incorrect configuration.” Misconfiguration makes even perfectly coded software vulnerable: HP’s examination of 2200 applications found vulnerabilities arose out of server misconfiguration, improper file settings, sample content, outdated versions and other issues. All the bug audits in the world won’t address this significant set of vulnerabilities.

“Differing definitions of ‘malware’ make measuring mobile malware risk extremely difficult.” This one is very interesting: The attention focused on what we generally refer to as mobile malware continues to increase. However, HP points out that the ways Google, Apple and antivirus companies judge and classify the behaviors and features of mobile applications and software are nowhere near standardized, and that is skewing the numbers. That may, in turn, be causing some firms to place their efforts and budgets in the wrong areas. The classification of apps containing adware as containing malware seems to account for the largest portion of this contradiction. Though some adware libraries reportedly contain backdoor functionality and are classified as malware by more than one antivirus company, HP found that “there is massive variability between the determinations made by different AV companies. It seems one person’s adware might be another’s benign app.”

“46 percent of mobile iOS and Android applications use encryption improperly.” While encryption is often named as the most underused data protection strategy, especially in mobile device and data management, HP finds that its improper use is widespread. Among other specific problems HP detected, “the statistics indicate that the developers either completely miss encryption before storing sensitive information on device or often rely on weak algorithms.”
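The two failure modes HP names above, sensitive data stored with no encryption at all and encryption with weak algorithms, are the kind of thing a review team can screen for before an app ships. The following is an added example, not code from the HP report or from any project it describes: a small source-scanning check in Python over a constructed Android/Java snippet. The regex rules, the rule names, and the sample lines are all assumptions made for the illustration; they cover common Java crypto API call shapes rather than any specific app HP examined.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str


# Heuristic rules over Java/Android crypto API usage (assumed patterns, not
# taken from the HP report). Each hit is a review item, not a confirmed bug:
# a SHA-1 call may be harmless for non-security hashing, for instance.
RULES = [
    # Legacy block/stream ciphers requested by name.
    ("weak-cipher", re.compile(r'Cipher\.getInstance\(\s*"(DES|RC4|RC2|Blowfish)(/|")')),
    # ECB mode leaks plaintext structure regardless of cipher strength.
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB/')),
    # Broken or deprecated digests used through MessageDigest.
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"')),
    # Secret-looking keys written to SharedPreferences without encryption
    # (the "completely miss encryption before storing" case in the report).
    ("plaintext-secret-storage",
     re.compile(r'putString\(\s*"[^"]*(pass|pin|token|secret)[^"]*"', re.I)),
    # A string literal turned directly into a key: hardcoded key material.
    ("hardcoded-key", re.compile(r'SecretKeySpec\(\s*"[^"]+"\.getBytes')),
]


def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for tracking a codebase over time."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample input: five problematic lines followed by two clean ones.
SAMPLE = """\
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher c2 = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
prefs.edit().putString("password", pw).apply();
SecretKey k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
prefs.edit().putString("theme", "dark").apply();
"""


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.text}")
    print(summarize(scan(SAMPLE)))
```

The point of the check is triage, not proof: a clean pass says nothing about keys kept in the wrong place at runtime, and every hit still needs a human to decide whether the data involved is actually sensitive. It is cheap enough to run on every commit, which is where the "missed encryption" class of defect is easiest to catch.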

To see more findings, including a detailed analysis of targeted attacks in South Korea that demonstrated how vulnerable organizations are to multiple-vector threats, you can download the report free with registration here: HP Security Research Cyber Risk Report 2013.
