Good news! We have new data from Hewlett-Packard on the state of the cyber union.
Bad news! The new data from HP is deceptively positive.
Not that HP is being deceptive — they’re most decidedly not — but rather the apparent decline in reported security vulnerabilities flies in the face of our everyday experience and is hence cause for concern.
What to make of it?
By Dune Lawrance in Bloomberg Businessweek.
Emphasis in red added by me.
Brian Wood, VP Marketing
HP Depresses Us Some More on the State of CyberSecurity
At least one organization can take heart at reading this year’s HP Security Research Cyber Risk Report, and that’s the National Security Agency. The vast, and growing, vulnerability in the software that companies deploy in their businesses, highlighted by today’s study, makes the spy agency’s job a lot easier. For the rest of us, it’s depressing.
Hewlett-Packard, now a big player in cybersecurity services, has put out the annual assessment since 2009. The company runs one of the biggest vulnerability reward programs, paying researchers who disclose bugs in commercial software so that they can be fixed.
The total number of new vulnerabilities reported through November 2013 was 4,704, a 6 percent decline from a year earlier, according to HP. Reporting of the most severe vulnerabilities fell 9 percent. While that might seem like a good thing, it’s probably not, says Jacob West, chief technology officer for enterprise security products at HP. The optimistic view would be that investments in security are paying off, but West doesn’t buy it.
“We’re building and using more and more systems—they’re changing quickly,” West says. “We’ve got new technology like mobile being introduced. As the attack surface is growing so quickly, that there are fewer problems to be found is unlikely.” More likely it’s a sign that instead of being reported, the most severe—i.e., most valuable—vulnerabilities are being sold on the black market to cybercriminals, or into the gray market, where they’re bought up and disclosed only selectively to paying subscribers who may exploit them.
As West points out, mobile technology has introduced an arena of insecurity. The HP study looked at 180 mobile applications for both Apple’s iOS software and Google’s Android operating system and found that almost half—46 percent—either failed to use encryption at all or used it improperly, leaving sensitive data potentially exposed.
Another part of the growing attack surface is industrial control systems called supervisory control and data acquisition (Scada) systems, used in industries from manufacturing to power generation. In the past, these tended to operate on private, closed networks; now they’re increasingly linked to corporate networks and the public Internet, making them a tempting target, says West.
Microsoft’s Internet Explorer was the most targeted product, accounting for more than 50 percent of vulnerabilities submitted to the Zero Day Initiative, HP’s vulnerability disclosure program.
The study highlights some areas of “low-hanging fruit” that companies should look out for. Eighty percent of applications are insecure because they’re deployed improperly—the wrong file settings, outdated software versions, or server misconfiguration—not because of flaws in the source code, HP found, and companies should audit software for such problems.
Another weakness is software that gives out too much information. More than half of the applications HP tested exhibited weaknesses that reveal information about the application, its implementation, or its users. A concrete example comes from something we’re all familiar with—logging into an application. When you type in a username and password, maybe you typed one of them incorrectly, and the resulting screen tells you so. From your perspective, it’s helpful to know whether you entered the wrong username or the wrong password. But that’s also helpful to attackers trying to break in, because it tells them which part they got right: a distinct “unknown username” message lets them confirm which accounts exist before they ever guess a password. From a security perspective, it’s better if the error screen doesn’t specify which piece was incorrect.
“That’s a great example of an application not providing as much information,” says West. “The significance for developers and the people operating these software systems is that what might have been benign a year or two years ago, in terms of information that might have made it a better user experience, that that information is taking on a greater significance for attackers.”
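The login-message leak described above, as an added example (this is not code from the article or from HP’s report): a Python login check written the verbose way the article warns about, beside a hardened version that returns one message for every failure and does the same password-hashing and constant-time comparison work whether or not the username exists, so neither the message nor the response time tells an attacker which half they got right. The user store, the credentials and the `enumerate_users` helper are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# The account and password below are made up for this example.
ITERATIONS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT)),
}

# A dummy record, hashed once up front, so the hardened path does a full
# PBKDF2 run even for unknown usernames (keeps response timing uniform).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)


def login_verbose(username, password):
    """The pattern the article warns about: the message says which field was wrong."""
    record = USERS.get(username)
    if record is None:
        # Tells the attacker this account does not exist (and returns fast).
        return False, "Unknown username"
    salt, stored = record
    if _hash_password(password, salt) != stored:
        # Confirms the username is valid; also an early-exit, non-constant-time compare.
        return False, "Incorrect password"
    return True, "Welcome"


GENERIC_FAILURE = "Invalid username or password"


def login_uniform(username, password):
    """Hardened version: one failure message, and the same hashing work plus a
    constant-time comparison whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest avoids leaking where the hashes diverge; the membership
    # check ensures the dummy record can never be logged into.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if not ok:
        return False, GENERIC_FAILURE
    return True, "Welcome"


def enumerate_users(login, candidates):
    """Attacker's view: submit a wrong password for each candidate username and
    collect the failure message. Distinct messages partition the list into
    accounts that exist and accounts that do not."""
    return {name: login(name, "wrong-guess")[1] for name in candidates}


if __name__ == "__main__":
    for name, fn in (("verbose", login_verbose), ("uniform", login_uniform)):
        print(name, enumerate_users(fn, ["alice", "bob", "carol"]))
```

Run against the same candidate list, `login_verbose` yields two different messages (one for `alice`, one for the non-existent names), while `login_uniform` yields a single message for all three. The constant-time compare and the dummy hash matter because an attacker who cannot read the message can still time the response; a fast “unknown username” path leaks the same fact.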