IT security weak because enterprises aren’t learning: HP

Philosopher George Santayana once said that those who cannot remember the past are condemned to repeat it.

IT security researchers say the same thing: Enterprises keep making the same mistakes that allow attackers to successfully invade.

That’s one of the conclusions from Hewlett-Packard’s latest Cyber Risk Report, released this morning, which looks back at what happened in 2014.

“Attackers continue to leverage well-known techniques to successfully compromise systems and networks,” the report says. “Many client and server app vulnerabilities exploited in 2014 took advantage of code written many years back—some are even decades old.”

The biggest of these (33 per cent of compromises) was a Microsoft Windows exploit discovered in 2010 for XP, Vista and Windows 7 that allows attackers to execute arbitrary code via a crafted .LNK or .PIF shortcut file. Two Oracle Java exploits (a combined 19 per cent) and an Adobe Acrobat Reader bug were the next biggest.

Not only that, server misconfiguration was the number-one issue across all analyzed applications. Access to unnecessary files and directories dominates the list of misconfiguration-related issues, the report says.

These are known problems that just need better management, Jewel Timpe, senior threat research manager for HP Security Research, said in an interview this morning. “We’re doomed to repeat our history if we don’t learn from it.”

“One of the biggest issues, obviously, is patch management. The best patches in the world cannot repair software if they’re not applied.”

The report also suggests enterprises just aren’t up to fighting malware. “Watching the industry respond to the Heartbleed vulnerability highlighted how unprepared we were for this type of event,” it said. “Due to the severity and active exploitation of the vulnerability, corporations were forced to respond quickly, and to patch servers that were not routinely patched. The issue existed in an application library that did not have a clear update path, further complicating efforts; enterprises did not have a solid understanding of which applications were using this library and where it was located inside their networks.”
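The gap the report describes, not knowing which applications load the affected library and where, is an inventory problem before it is a patching problem. The following is an added example, not code from HP or from the article: it takes a constructed, fleet-wide inventory of "host, application, resolved libssl path (version)" lines of the kind a sweep with `ldd` plus package metadata might produce, and sorts each entry into vulnerable, not affected, or unknown. The affected range used here (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and the 0.9.8 and 1.0.0 branches are not affected) is from public Heartbleed advisories, not from the report, and the hosts and paths are invented.

```python
"""Heartbleed exposure check over a constructed fleet inventory (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input. Each line is: host<TAB>application<TAB>libssl path (version).
# The version in parentheses is assumed to come from package metadata or
# `openssl version`; `ldd` alone does not print it. "statically linked" entries
# carry no resolvable version and must be reported, not silently skipped.
SAMPLE_INVENTORY = """\
web01\t/usr/sbin/nginx\t/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (1.0.1e)
web02\t/usr/sbin/nginx\t/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (1.0.1g)
mail01\t/usr/sbin/postfix\t/usr/lib64/libssl.so.1.0.1 (1.0.1f)
legacy01\t/opt/app/bin/server\t/opt/app/lib/libssl.so.0.9.8 (0.9.8y)
app03\t/opt/app/bin/server\t/opt/app/lib/libssl.so.1.0.0 (1.0.0m)
bastion\t/usr/bin/ssh\tstatically linked (unknown)
"""

# OpenSSL version strings look like "1.0.1e": major.minor.fix plus a letter patch level.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
LINE_RE = re.compile(r"^(?P<host>\S+)\t(?P<app>\S+)\t(?P<lib>.+?)\s*\((?P<ver>[^)]*)\)\s*$")


@dataclass(frozen=True)
class Finding:
    host: str
    application: str
    version: str
    status: str  # "vulnerable", "not_affected" or "unknown"


def is_heartbleed_affected(version: str) -> bool:
    """True for OpenSSL 1.0.1 (no letter) through 1.0.1f; everything else is unaffected."""
    m = VERSION_RE.match(version)
    if not m:
        return False  # unparseable versions are reported as "unknown" by the caller
    major, minor, fix, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (the base 1.0.1 release) sorts before "a"


def parse_inventory(text: str) -> list[Finding]:
    """Classify every inventory line; malformed lines are skipped, unknown versions kept."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        ver = m["ver"].strip()
        if VERSION_RE.match(ver) is None:
            status = "unknown"  # e.g. statically linked binaries: needs a manual follow-up
        elif is_heartbleed_affected(ver):
            status = "vulnerable"
        else:
            status = "not_affected"
        findings.append(Finding(m["host"], m["app"], ver, status))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings by status so the patch list and the follow-up list fall out directly."""
    by_status: dict[str, list[Finding]] = {"vulnerable": [], "not_affected": [], "unknown": []}
    for f in findings:
        by_status[f.status].append(f)
    return by_status


if __name__ == "__main__":
    report = summarize(parse_inventory(SAMPLE_INVENTORY))
    for status in ("vulnerable", "unknown", "not_affected"):
        print(f"{status}:")
        for f in report[status]:
            print(f"  {f.host:<10} {f.application:<24} {f.version}")
```

The "unknown" bucket is the important one in practice: a statically linked binary that embeds OpenSSL does not show up in `ldd` output or in the package database, and is exactly the kind of deployment the report says enterprises could not locate. Treating it as "not affected" by default would reproduce that blind spot.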

As for the POS attacks on retailers like Target and Home Depot, HP says they show cunning attackers are stalking their victims. “Enterprises must be able to monitor their networks and systems in a manner that allows them to discover malicious intelligence gathering and reconnaissance activities that may herald an approaching attack,” says the report.

Still, Timpe dismissed a suggestion that the report shows the efforts of CSOs so far are futile. “What the problem is is closing those gaps and doing what needs to be done. And it’s hard — especially in the enterprise. It’s a huge undertaking to patch all systems and then make sure they stay patched.

“I don’t think it’s futile, but we need to be more diligent.”

The HP [NYSE: HPC] report also found that secure coding continues to pose challenges. The primary causes of commonly exploited software vulnerabilities are consistent defects, bugs, and logic flaws from a relatively small number of common software programming errors.

“It may be challenging, but it is long past the time that software development be synonymous with secure software development,” says the report.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
