It’s hell out there – there being the world outside your firewall that’s trying to rip it down.
You can tell by news reports of intrusions, you can tell by the amber and red lights flashing on dashboards in the NOC and you can tell by – another – annual security report from a vendor.
The latest is the Hewlett-Packard 2012 Cyber Risk Report, which has one piece of good news: The number of critical vulnerabilities in the wild seems to be on the decline.
The rest is bad news: Mature technologies such as Java and SCADA systems (which control factories and utilities) continue to be exploited, mobile platforms are a major growth area for vulnerabilities, and Web applications remain a substantial source of vulnerabilities.
On this last, HP says cross-site scripting (also called XSS) remains a major threat to organizations and users. And an effective defence against cross-frame scripting “remains noticeably absent.”
The report draws from exploit data collected by HP security product labs as well as from the Open Source Vulnerability Database (OSVDB).
But security problems organizations face are sometimes the fault of software developers or Web developers and not just crafty attackers, according to Mark Painter, an HP security product marketing manager.
“We tested over 100,000 URLs for the standard mitigation technique for cross-frame scripting,” he said in an interview. In a cross-frame scripting attack, clicking on a link takes a person not to where they want to go but to a frame on a malicious page.
“Less than one per cent of those URLs used the x-frame header correctly.”
The URLs tested weren’t all simple Web pages. Twenty per cent had a password form, Painter said, so had they been spoofed it could have led to the loss of personal information.
Organizations and developers are “just slow to respond to these long-time vulnerabilities,” he complained.
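As an added illustration of what Painter’s test measured, the checker below classifies a response’s X-Frame-Options header as effective, weak or ineffective. It is not code from HP or the article, and the sample responses it runs over are constructed.

```python
"""Check whether HTTP responses carry a usable X-Frame-Options header.
Added example, not code from HP or the article; the sample responses are
constructed so the script runs offline with no crawling."""
from typing import Dict, List, Tuple

# Values every browser honours. ALLOW-FROM took a single origin and was
# only ever supported by some browsers, so it is rated "weak" below.
_STRONG = {"DENY", "SAMEORIGIN"}


def check_x_frame_options(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'weak' or 'ineffective'."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.strip().lower(): v for k, v in headers.items()}
    raw = lowered.get("x-frame-options")
    if raw is None:
        return "ineffective", "header absent; any origin may frame the page"
    # Several values (e.g. "DENY, SAMEORIGIN") have been handled
    # inconsistently across browsers; rate the header as misconfigured.
    if "," in raw:
        return "ineffective", f"multiple values {raw!r}; browser-dependent"
    value = raw.strip().upper()
    if value in _STRONG:
        return "ok", f"{value} restricts framing"
    if value.startswith("ALLOW-FROM "):
        return "weak", "ALLOW-FROM is not honoured by all browsers"
    # Unrecognised values (e.g. ALLOWALL) are silently ignored by browsers,
    # leaving the page framable exactly as if the header were missing.
    return "ineffective", f"unrecognised value {raw!r} is ignored"


def summarise(responses: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally verdicts over many responses, as a header survey would."""
    counts = {"ok": 0, "weak": 0, "ineffective": 0}
    for headers in responses:
        counts[check_x_frame_options(headers)[0]] += 1
    return counts


# Constructed responses standing in for crawled URLs.
SAMPLE_RESPONSES: List[Dict[str, str]] = [
    {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    {"Content-Type": "text/html", "x-frame-options": " sameorigin "},
    {"Content-Type": "text/html", "X-Frame-Options": "DENY, SAMEORIGIN"},
    {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://example.com"},
    {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"},
    {"Content-Type": "text/html"},
]

if __name__ == "__main__":
    print(summarise(SAMPLE_RESPONSES))  # {'ok': 2, 'weak': 1, 'ineffective': 3}
```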
Known SCADA (supervisory control and data acquisition) system vulnerabilities now total 191, up from 22 in 2008, Painter said. He blamed the Stuxnet worm (allegedly attributed to U.S. and Israeli government developers who found a way to attack Iranian uranium enrichment facilities using Siemens controllers) for encouraging hackers to probe SCADA systems.
“When you put a Web front-end on something that was never designed to be Web-accessible you introduce all kinds of vulnerabilities.”
With the increasing attention to cyber-warfare – recently highlighted by the U.S. government – those numbers will continue to rise, Painter predicted.