The year 2014 was marked by a notable number of cyber security problems that affected companies and merchants of all sizes. Hewlett Packard has worked hard to produce and publish the Cyber Risk Report 2015, which takes us through the vulnerabilities and attacks from last year.

HP Zero Day Initiative ZDI

The purpose of the report is to give the reader an understanding of the threat landscape, covering what went wrong and how problems were fixed, and to support organisations in avoiding similar issues by showing them how to invest their cybersecurity budgets wisely.

This is an extensive report and includes input and analysis from the HP Security Team, Open Source Intelligence, ReversingLabs and Sonatype. It is also based on the HP ZDI (Zero Day Initiative) and has been contributed to by middleware and IT management software vendors (see the map of ZDI contributor distribution below).

What's the situation with software and secure coding?

Software developers and vendors are trying their best to make hackers’ lives more difficult. They are doing this by including security requirements within their development process and applying secure coding practices to increase the sophistication of their security controls. However, these measures still don’t seem to be sufficient, and during 2014 a number of high-profile vulnerabilities were discovered, causing organisations to urgently deploy patches across their estate. Just look at the effort organisations had to make to ensure that Heartbleed and POODLE, which were due to a failure to appropriately validate input that could then be exploited, were properly mitigated across their estate.

Security requirements and controls need to be included during each step of any application development process. A ‘secured’ Software Development Lifecycle is commonly referred to as Secure SDLC (SSDLC) with every step in the process incorporating appropriate security controls.
Problems like the iCloud Leak (aka Fappening) experienced at the end of 2014 could be avoided by simply including appropriate security requirements within the first phase of the SDLC.

HP Cyber Risk Report 2015

Security issues on mobile devices

2014 also showed a growing threat from malware targeting mobile applications. Attacks against mobile devices are no longer a novelty and it is clear that mobile devices are a major area of interest for hackers. Surprisingly, a centralised distribution channel such as the Google Play market was not the main target; the HP Team found most malware was being distributed through other channels.

Impact on different operating systems

Malware kept on flourishing over 2014. In particular, ransomware (malware that restricts access to the infected systems, with its creator requesting a ransom to remove the restriction) continued to exploit businesses, using encryption to prevent access. For instance, CryptoLocker is ransomware that appeared during the last quarter of 2013 and still continues to cause serious damage and disruption to businesses. We also saw custom malware developed to target Point-of-Sale (POS) devices; it’s interesting to notice that the HP report highlights how well the attackers knew the targeted environments.

IoT (Internet of Things)

Whilst we see consumer interest growing in IoT products, consumers also seem to understand the privacy-related issues. Enterprises have to make sure that their networks and systems are monitored accordingly, because a television or a thermostat can become a source of risk and security problems.
Security testing is an important measure to implement during the development of IoT technology in order to secure the products that will enter consumers' homes.

Nation-state-sponsored cyber activity and the rise of the hacktivists

We have seen significant growth in the number and sophistication of ‘Hacktivists’, who are politically motivated hackers: Turkish hacktivists are growing year by year in number and experience; Chinese attackers are increasingly targeting the intellectual property of foreign companies; Iranian ones are targeting symbols of the West, such as large corporations and governmental institutes; and finally North Korean hackers are continuing to develop extremely sophisticated cyber warfare capabilities.

Useful takeaways

The report is a fascinating read, which identifies several key themes that deserve attention:

  • The attacks we have seen during 2014 still too often abuse well-known vulnerabilities that are trivial to exploit but also easy to defend against with proper security in place.
  • Server misconfigurations are once again one of the major reasons for successful attacks.
  • The implementation and use of new technologies also introduces new security risks that are attractive to hackers.
  • The combination of old and new vulnerabilities allows attackers to penetrate the traditional levels of protection.
  • Looking at the current legislation in the cybersecurity field, when it comes to sensitive information, the link between security and data privacy is getting stronger.
  • Secure coding practices and SSDLC are hotter topics than ever. Most software vulnerabilities and consequent exploitation are due to defects, bugs, and logic flaws in the code.
  • Antivirus software alone is not considered to be a strong defence. The report shows that only 45% of the cyber attacks were identified by traditional anti-virus software, which means organisations need to invest in additional technologies to appropriately protect themselves.

Make sure you monitor your business for threats

Our experts at Advantio are always up to date. The issues described in this report can be approached, minimized or even solved. Do you already know how to improve the security level of your company? Let us know if we can assist you by bringing adequate security to your business.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.