HP Security Research releases Cyber Risk Report ahead of RSA keynote
HP has released findings from its annual Cyber Risk Report this week, which takes a close look at the security landscape we’re up against as we head deeper into 2014. The stage is one where mobile and web applications have greatly expanded the attack surface, giving attackers more open doors than ever. This report pinpoints the specific vulnerabilities and trends that have contributed to the rise in attacks. The research explores pervasive problems such as improper encryption and sandbox bypass vulnerabilities in detail. Furthermore, it highlights critical issues that organizations, the mobile application development industry and end-users alike need to be aware of to successfully respond to changing technology and reduce security threats.
The report, developed by HP Security Research (HPSR), has run every year since 2009. This year’s key findings and highlights include:
- The total number of publicly disclosed vulnerabilities continued to oscillate slightly year-over-year, decreasing by only 6 percent. The lack of a substantial decrease demonstrates the continued struggle to secure the ecosystem.
- The number of publicly disclosed high-severity vulnerabilities is on a downward trend for the fourth consecutive year, decreasing by nine percent. This is at odds with the increased focus on vulnerability research over the past year and highlights the impact of the black market on disclosures.
- Internet Explorer was the software most targeted by HP Zero Day Initiative (ZDI) vulnerability researchers in 2013 and accounted for 51 percent of vulnerabilities acquired by the program. This attention results from market forces focusing researchers on Microsoft vulnerabilities and does not reflect on the overall security of Internet Explorer.
- Sandbox bypass vulnerabilities were the most prevalent and damaging for Oracle Java users. Adversaries significantly escalated their exploitation of Java by simultaneously targeting multiple known (and zero day) vulnerabilities in combined attacks to compromise specific targets of interest.
- 46 percent of mobile applications studied use encryption improperly. HP research shows that mobile developers often fail to use encryption when storing sensitive data on mobile devices, rely on weak algorithms to do so, or misuse stronger encryption capabilities rendering them ineffective.
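The finding above names three failure modes: storing sensitive data unencrypted, choosing weak algorithms, and misusing strong primitives so that the protection is hollow. The following Go program is an added example (not HP’s code, and not code from the report) that demonstrates the third mode beside its hardened form. It uses the AES key material and sample record as constructed values; the key would on a real device come from the platform keystore rather than a literal or a generated value in the app, which is an assumption the example makes explicit in comments. The insecure path runs AES in ECB mode, which leaks record structure because identical plaintext blocks produce identical ciphertext blocks; the hardened path uses AES-GCM with a fresh random nonce per message and an authentication tag, so repeated plaintexts encrypt differently and any tampering is detected on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptECB is the misuse case: AES applied block by block with no chaining
// and no authentication. AES itself is strong, but two identical 16-byte
// plaintext blocks always yield two identical ciphertext blocks, so the
// layout of a stored record survives "encryption".
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// leaksBlockStructure reports whether any two 16-byte ciphertext blocks are
// identical, the tell-tale sign of ECB over repetitive data.
func leaksBlockStructure(ciphertext []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// encryptGCM is the hardened form: AES-GCM with a random nonce per message.
// Output layout is nonce || ciphertext || tag. The key is assumed to be held
// in a platform keystore on a real device; here it is just a parameter.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// decryptGCM reverses encryptGCM and fails closed if the nonce is missing or
// the authentication tag does not verify (i.e. the stored blob was altered).
func decryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample: a 256-bit key and a record whose first two
	// 16-byte blocks are identical, mimicking repeated fields in app storage.
	key := bytes.Repeat([]byte{0x11}, 32)
	record := bytes.Repeat([]byte("SSN=123-45-6789 "), 2)

	ecb, _ := encryptECB(key, record)
	fmt.Println("ECB leaks structure:", leaksBlockStructure(ecb)) // true

	gcm, _ := encryptGCM(key, record)
	fmt.Println("GCM leaks structure:", leaksBlockStructure(gcm[12:])) // false
	gcm[len(gcm)-1] ^= 0x01 // flip one bit of the stored blob
	_, err := decryptGCM(key, gcm)
	fmt.Println("tamper detected:", err != nil) // true
}
```

Run with `go run`: the ECB output shows the duplicated block, the GCM output does not, and flipping a single bit of the GCM blob makes decryption fail instead of returning corrupted data, which is the property that plain ECB (or CBC without a MAC) cannot offer.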
- Nearly 80 percent of applications reviewed contain vulnerabilities rooted outside their source code. Even expertly coded software can be dangerously vulnerable if misconfigured.
- Inconsistent and varying definitions of ‘malware’ complicate risk analysis. In an examination of more than 500 mobile applications for Android, HP found major discrepancies between how anti-virus engines and mobile platform vendors classify malware.
Risks and Recommendations
One big trend that has emerged from the report is the increased reliance on mobile devices. There is also a growing use of Java and a growing proliferation of insecure software. HP has outlined various recommendations for organizations to minimize security risk and the overall impact of attacks.
Key recommendations include:
- In today’s world of rising cyber attacks and growing demands for secure software, it is imperative to eliminate opportunities for unintentionally revealing information that may be beneficial to attackers.
- Organizations and developers alike must stay cognizant of security pitfalls in frameworks and other third-party code, particularly for hybrid mobile development platforms. Robust security guidelines must be enacted to protect the integrity of applications and the privacy of users.
- While it is impossible to eliminate the attack surface without sacrificing functionality, a combination of the right people, processes, and technology does allow organizations to effectively minimize it and dramatically reduce overall risk.
HP will be at this year’s RSA Conference in February 2014, and will kick the event off with a keynote by senior vice president and general manager Art Gilliland titled “Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy”. It is designed to highlight the need to combat the full attack lifecycle rather than focusing only on breach detection. It sounds like it will be a great discussion. The timing of the report’s release is no coincidence, as the company heads into RSA with its leading research in hand.