Philosopher George Santayana once said those who cannot remember the past are condemned to repeat it.
IT security researchers say the same thing: Enterprises keep making the same mistakes that allow attackers to successfully invade.
That’s one of the conclusions from Hewlett-Packard’s latest Cyber Risk Report, released this morning, which looks back at what happened in 2014.
“Attackers continue to leverage well-known techniques to successfully compromise systems and networks,” the report says. “Many client and server app vulnerabilities exploited in 2014 took advantage of codes written many years back—some are even decades old.”
The biggest of these (33 per cent of compromises) was a Microsoft Windows vulnerability discovered in 2010, affecting XP, Vista and Win7, that allows attackers to execute arbitrary code via a crafted .LNK or PIF shortcut file. Two Oracle Java exploits (19 per cent combined) and an Adobe Acrobat Reader bug were the next biggest.
Not only that, server misconfiguration was the number-one issue across all analyzed applications. Access to unnecessary files and directories dominates the list of misconfiguration-related issues, the report says.
These are known problems that just need better management, Jewel Timpe, senior threat research manager for HP Security Research, said in an interview this morning. “We’re doomed to repeat our history if we don’t learn from it.”
“One of the biggest issues, obviously, is patch management. The best patches in the world cannot repair software if it’s not applied.”
The report also suggests enterprises just aren’t up to fighting malware. “Watching the industry respond to the Heartbleed vulnerability highlighted how unprepared we were for this type of event,” it said. “Due to the severity and active exploitation of the vulnerability, corporations were forced to respond quickly, and to patch servers that were not routinely patched. The issue existed in an application library that did not have a clear update path, further complicating efforts; enterprises did not have a solid understanding of which applications were using this library and where it was located inside their networks.”
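One concrete way to build that missing inventory on a Linux host, as an added example that is not from the HP report or from this article: it parses /proc/<pid>/maps to list which running processes have libssl or libcrypto mapped and from which path, so a bundled copy under /opt stands out next to the distribution's own. The function names are hypothetical and the sample maps lines are constructed; statically linked copies of OpenSSL never appear in maps, which is one reason the "where it was located" question is hard.

```python
import os
import re
from collections import defaultdict

# One /proc/<pid>/maps line: range perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+(?:\s+(?P<path>.*))?$")
TARGET_LIBS = ("libssl", "libcrypto")  # the OpenSSL shared objects


def loaded_libs(maps_lines, names=TARGET_LIBS):
    """Return the set of mapped shared-object paths whose basename
    starts with any of `names` (default: the OpenSSL libraries)."""
    found = set()
    for line in maps_lines:
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path"):
            continue  # anonymous mapping, no backing file
        path = m.group("path").strip()
        if os.path.basename(path).startswith(names):
            found.add(path)
    return found


def inventory(processes, names=TARGET_LIBS):
    """processes: {pid: (command name, [maps lines])}.
    Returns {library path: sorted [(pid, command)]} so each copy of the
    library on disk is listed with every process that has it loaded."""
    by_lib = defaultdict(list)
    for pid, (comm, lines) in processes.items():
        for path in loaded_libs(lines, names):
            by_lib[path].append((pid, comm))
    return {p: sorted(v) for p, v in sorted(by_lib.items())}


def read_proc(proc="/proc"):
    """Collect (command, maps lines) for every readable process; reading
    another user's maps needs root, unreadable or vanished PIDs are skipped."""
    procs = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc}/{entry}/maps") as f:
                procs[int(entry)] = (comm, f.read().splitlines())
        except OSError:
            pass
    return procs


# Constructed sample in /proc/<pid>/maps format; not taken from a real host.
SAMPLE = {
    1234: ("nginx", ["7f1a00000000-7f1a00200000 r-xp 00000000 08:01 11 /lib/x86_64-linux-gnu/libssl.so.1.0.0",
                     "7f1a00200000-7f1a00400000 r-xp 00000000 08:01 12 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0"]),
    2345: ("java", ["7f2b00000000-7f2b00100000 r-xp 00000000 08:01 13 /opt/app/lib/libssl.so.1.0.1",
                    "7f2b00100000-7f2b00200000 rw-p 00000000 00:00 0"]),
    3456: ("sshd", ["7f3c00000000-7f3c00100000 r-xp 00000000 08:01 14 /usr/lib/libc.so.6"]),
}

if __name__ == "__main__":
    for lib, users in inventory(read_proc() if os.path.isdir("/proc") else SAMPLE).items():
        print(lib, users)
```

Run it as root for a full picture of a single host; the per-path output is what an enterprise needs to aggregate across machines before deciding what to patch.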
As for the POS attacks on retailers like Target and Home Depot, HP says they show cunning attackers are stalking their victims. “Enterprises must be able to monitor their networks and systems in a manner that allows them to discover malicious intelligence gathering and reconnaissance activities that may herald an approaching attack,” says the report.
Still, Timpe dismissed a suggestion that the report shows the efforts of CSOs so far are futile. “What the problem is is closing those gaps and doing what needs to be done. And it’s hard — especially in the enterprise. It’s a huge undertaking to patch all systems and then make sure they stay patched.
“I don’t think it’s futile, but we need to be more diligent.”
The HP [NYSE: HPC] report also found that secure coding continues to pose challenges. The primary causes of commonly exploited software vulnerabilities are consistent defects, bugs, and logic flaws from a relatively small number of common software programming errors.
“It may be challenging, but it is long past the time that software development be synonymous with secure software development,” says the report.