If a business gets robbed year after year after year because it doesn't change the locks after the keys were stolen, who's to blame? Judging by one recent report, an awful lot of fingers point to IT these days.
Some examples from Hewlett Packard Enterprise's latest Cyber Risk Report: Twenty-nine percent of all successful exploits in 2015 involved a 2010 Stuxnet infection vector that has been patched twice, the study found. The top ten exploits leverage vulnerabilities that are more than a year old, and nearly half of those are at least five years old. These attacks indicate that "patches are not being applied and used as needed," the report says.
Hewlett Packard Enterprise study comes on the heels of an IDG Research Services survey commissioned by
Datalink Corp. (Nasdaq: DTLK) that found IT executives and senior managers now rank data security as their No. 1 IT budget priority. That's one reason to think that future HPE reports will find patches being applied more diligently.
It's also possible patches will become less of an issue because the HPE report cites vendors are moving away entirely from point fixes toward broad-impact solutions.
"While it is laudable that Microsoft and Adobe both released more patches than at any point in their history, it remains unclear if this level of patching is sustainable," the HPE report says. "Defensive measures that prevent classes of attacks may be the solution."
But for every attack vector thwarted, a new one emerges, often simply because technologies come and go. For example, in the 2015 HPE survey, Java exploits ranked second. This year, Android attacks took the Number 2 spot -- and the reason isn't simply because more phones translate to more targets.
"Attackers are shifting toward the mobile application because they're more vulnerable," says Jewel Timpe, senior manager, HPE Security Research Communications, in an interview. "In 2015, 75% of all the mobile apps scanned in our survey had a critical or high-level vulnerability. That makes it a large target area."
By comparison, 35% of non-mobile applications had at least one critical or high-level vulnerability.
"Attackers go after easier targets," Chandra Rangan, vice president of marketing, HPE Security Products, tells The New IP. "Mobile apps typically are designed without the same level of rigor that traditional web or desktop-based [applications] are."
Some mobile attacks re-use techniques or tools -- such as ransomware -- that have been successful with PCs and servers.
"The interesting thing about CryptoLocker is that not only did it secure your phone and encrypt all the data on it; it also encrypted the data on your SD card," Timpe says. "So unless you had an external backup of your phone, you were pretty much stuck."
A backup strategy could be effective on the infrastructure side, too. Yet some organizations seem to find it's more cost effective to pay the ransom than to invest in backup systems and/or additional security. The rise of ransomware is also one reason why the HPE report flagged the monetization of malware as one theme in IT.
Cyber Security Snapshot
[Source: HP Enterprise]
"We see a lot of small businesses tending to pay up," Rangan says.
One recent example is Hollywood Presbyterian Medical Center, which shelled out $17,000 in bitcoins.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Allen Stefanek, president, told CNN.
— Tim Kridel, Freelance Contributor. Special to The New IP