Protect Your Assets

HP 2012 Cyber Security Risk Report

markpainter 02-27-2013 10:06 AM - edited 09-09-2015 11:46 AM

We are very pleased to announce the release of the HP 2012 Cyber Security Risk Report. Originally started several years ago by HP DVLabs, it has grown to encompass data, analysis and content from a wide range of HP groups, and it truly serves not only as a representation of our unique view into the threat landscape, but also as a testament to the strength of our integrations and outlook.


Highlights from the report include:


Critical vulnerabilities are on the decline, but still pose a significant threat


High-severity vulnerabilities (CVSS score of 8 to 10) made up 23 percent of the total scored vulnerabilities submitted to the Open Source Vulnerability Database (OSVDB) in 2011 and dropped to 20 percent in 2012. While this reduction is significant, the data shows that nearly one in five vulnerabilities can still allow attackers to gain total control of the target. Long story short, it is getting harder for organizations to find the information they need to secure themselves, not easier, for a myriad of reasons.

Web applications remain a substantial source of vulnerabilities


Web applications remain a popular and viable attack vector, due in no small measure to the failure of organizations and developers alike to correct longstanding vulnerabilities. For instance, cross-site scripting remains a pervasive web application security problem even though it has been around almost as long as the web itself. You can find more information about that specific finding by clicking here.

In addition, the first documented cross-frame scripting (XFS) vulnerability, the root cause behind clickjacking attacks, was discovered over 10 years ago. Since then, clickjacking has become a well-known vulnerability, yet less than one percent of 100,000 tested URLs included the best-known mitigation, the X-Frame-Options header.
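The X-Frame-Options check behind that finding, written out as an added example (not code from the report or from this post): it classifies a response's anti-framing posture from its headers, and also recognises the newer Content-Security-Policy frame-ancestors directive, which goes beyond the single header the post names. The sample responses are constructed for illustration.

```python
"""Classify a web response's anti-framing posture (clickjacking mitigation).

Added example, not code from the HP report or the original post; the
sample header sets below are constructed for illustration.
"""


def framing_posture(headers):
    """Return a short verdict on whether other origins may frame this response.

    `headers` maps HTTP response header names to values (matched case-insensitively).
    CSP frame-ancestors takes precedence over X-Frame-Options in modern browsers,
    so it is checked first; X-Frame-Options is the widely deployed fallback.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "protected: CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "protected: CSP frame-ancestors 'self'"
            return "restricted: CSP frame-ancestors " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return f"protected: X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "weak: X-Frame-Options ALLOW-FROM is not honoured by all browsers"
    if xfo:
        # Misspellings such as SAME-ORIGIN are silently ignored by browsers.
        return f"invalid: unrecognised X-Frame-Options value {xfo!r}"
    return "unprotected: no anti-framing header"


# Constructed sample responses (hypothetical sites, not survey data).
SAMPLE_RESPONSES = {
    "login": {"X-Frame-Options": "SAMEORIGIN"},
    "banking": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"Server": "Apache"},
    "typo": {"X-Frame-Options": "SAME-ORIGIN"},
}


def unprotected_share(responses):
    """Fraction of responses lacking an effective anti-framing header."""
    verdicts = [framing_posture(h) for h in responses.values()]
    weak = sum(v.startswith(("unprotected", "invalid", "weak")) for v in verdicts)
    return weak / len(verdicts)
```

Running `unprotected_share` over real crawl results gives the same kind of coverage figure the report quotes; the "invalid" bucket matters because a misspelled header looks protected to a naive grep but does nothing in the browser.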


Vulnerability disclosure numbers are also revealing. Four of the six highest-ranked OSVDB categories from 2000-2012 are either exclusively or primarily exploitable via web applications (cross-site scripting, SQL injection, cross-site request forgery, and remote file includes). Those same four categories comprised 40% of all submitted 2012 vulnerabilities.


Old and new technologies alike introduce new security vulnerabilities


As seen with the recent Department of Homeland Security announcement recommending that the Oracle Java SE platform be universally disabled in Web browsers, seemingly mature technologies still suffer from new exploits. This is disturbingly evident both in the rising number of disclosed SCADA vulnerabilities and in the failure of organizations to follow best practices when mitigating long-standing web application security issues, as seen above.

In addition to old technologies, the explosive adoption of mobile devices and the applications that drive them has resulted in a corresponding boom in mobile vulnerabilities. The last five years have seen a 787 percent increase in mobile application vulnerability disclosures. Multiple data sets also point to the fact that when coding mobile applications, developers are simply not considering the security implications of how they store, transmit and access data.


The report goes into much greater detail about these specific topics, and many more to boot. To access the full report, click HP 2012 Cyber Security Risk Report.

Comments
Information Security
on 03-14-2013 07:08 AM

Interesting article, guys. I will read the full report to see if you offer any solutions.

Cheers.

Information Security
on 03-14-2013 07:11 AM

Your link is not working, guys:

http://www.hpenterprisesecurity.com

is not resolving.

Damion Carmickle
on 08-19-2013 09:39 AM

Thank you for all the effort you have put into this. Very interesting info.