It’s hell out there – there being the world outside your firewall that’s trying to rip it down.
You can tell by news reports of intrusions, you can tell by the amber and red lights flashing on dashboards in the NOC and you can tell by – another – annual security report from a vendor.
The latest is the Hewlett-Packard 2012 Cyber Risk Report, which has one piece of good news: The number of critical vulnerabilities in the wild seem to be on the decline.
The rest is bad news: Mature technologies such as Java and SCADA systems (which control factories and utilities) continue to be exploited, mobile platforms are a major growth area for vulnerabilities, and Web applications remain a substantial source of vulnerabilities.
On this last, HP says cross-site scripting (also called XSS) remains a major threat to organizations and users. And an effective defence against cross-frame scripting “remains noticeably absent.”
The report draws from exploit data collected by HP security product labs as well as from the Open Source Vulnerability Database (OSVDB).
But security problems organizations face are sometimes the fault of software developers or Web developers and not just crafty attackers, according to Mark Painter, an HP security product marketing manager.
“We tested over 100,000 URLs for the standard mitigation technique for cross-frame scripting,” he said in an interview, where clicking on a link takes a person not to where they want to go but to a frame on a malicious page.
“Less than one per cent of those URLs used the x-frame header correctly.”
Those URLs tested weren’t all simple Web pages. Twenty per cent had a password form, Painter said, so had they been spoofed could have lead to the loss of personal information.
Organizations and developers are “just slow to respond to these long-time vulnerabilities,” he complained.
Known SCADA (supervisory control and data acquisition) system vulnerabilities now total 191 from 22 in 2008, Painter said. He blamed the Stuxnet worm (allegedly attributed to U.S. and Israeli government developers who found a way to attack Iranian uranium enrichment facilities using Siemens controllers), for encouraging hackers to probe SCADA systems.
“When you put a Web front-end on something that was never-designed to be Web-accessible you introduce all kinds of vulnerabilities.”
With the increasing attention in cyber-warfare – recently highlighted by the U.S. government — those numbers will continue to rise, Painter predicted.
As for mobile app vulnerabilities, 266 were found last year, compared to 159 in 2011.
Seventy-seven per cent of mobile apps were vulnerable some form of information, HP [NYSE: HPQ] found. Forty-eight per cent could allow an attacker to gain access to some part of the app that wasn’t supposed to be open.
“Over the course of our testing it’s very apparent that when coding mobile applications developers are just not considering the security implications of how they store, transmit or access their data.”
“In a lot of ways its like mobile developers are making the same mistakes they made 10 years ago with Web applications.”
Not only that, IT departments make fundamental mistakes, the report suggests, like someone at a firm that created the following directory: https://www.example.com/passwords.
No authentication was needed to get into the folder, which, obviously, listed passwords.
Other examples of corporate vulnerabilities
Which begs the question – and it has been asked before – has the cyber security war been lost?
“I wouldn’t say the war is lost, but we definitely need to mobilize some troops. It’s just the pace of the world – everybody’s pressured to put applications out there. And you know the old saying: Security is not something you can brush on at the end: You’ve got take it in. It’s still being bolted on at the end way too much.”
The bot threat
Some of the most serious threats networks face today are "bots," remotely controlled robotic programs that strike in many different ways and deliver destructive payloads, self propagating to infect more and more systems and eventually forming a "botnet."