PALO ALTO, CA — (Marketwired) — 02/17/16 — Hewlett Packard Enterprise (HPE) (NYSE: HPE) today published the , identifying the top security threats plaguing enterprises over the past year.
As the traditional network perimeter disappears and attack surfaces grow, security professionals are challenged with protecting users, applications and data — without stifling innovation or delaying enterprise timelines. This year–s Cyber Risk Report examines the 2015 in this context, providing around key areas of risk including application vulnerabilities, security patching and the growing monetization of malware. The report also highlights important industry issues such as new regulations, the “collateral damage” from high profile data breaches, shifting political agendas, and the ongoing debate over privacy and security.
“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” said Sue Barsamian (), senior vice president and general manager, , Hewlett Packard Enterprise. “We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”
Applications are the New Battlefield
While web applications pose significant risk to enterprises, mobile applications present growing and distinctive risks.
Mobile applications– frequent use of personally identifiable information presents significant vulnerabilities in the storage and transmission of private and sensitive information.(1)
Approximately 75 percent of the mobile applications scanned exhibited at least one critical or high-severity , compared to 35 percent of non-mobile applications.(1)
Vulnerabilities due to API abuse are much more common in mobile applications than web applications, while error handling — the anticipation, detection, and resolution of errors — is more often found in web applications.(1)
Patch or Perish
Software vulnerability exploitation continues to be a primary vector for attack, with mobile exploits gaining traction.
Similar to 2014, the top ten vulnerabilities exploited in 2015 were more than one year old, with 68 percent being three years old or more.(3)
In 2015, Microsoft Windows represented the most targeted software platform, with 42 percent of the top 20 discovered exploits directed at Microsoft platforms and applications.(3)
29 percent of all successful exploits in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.(3)
Monetization of Malware
Malware has evolved from being simply disruptive to a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6 percent year-over-year, the attack targets shifted notably in line with evolving enterprise trends and focused heavily on monetization.
As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms. The number of Android threats, malware, and potentially unwanted applications have grown to more than 10,000 new threats discovered daily, reaching a total year-over-year increase of 153 percent. Apple iOS represented the greatest growth rate, with a malware sample increase of more than 230 percent.(2)
Malware attacks on ATMs use hardware, software loaded onto the ATM, or a combination of both to steal credit card information. In some cases, attacks at the software level bypass card authentication to directly dispense cash.(2)
Banking Trojans, such as variants of the Zbot Trojan, continue to be problematic despite protection efforts. More than 100,000 of these were detected in 2015. (2)
Ransomware is an increasingly successful attack model, with several ransomware families wreaking havoc in 2015 by encrypting files of consumer and corporate users alike. Examples include: Cryptolocker, Cryptowall, CoinVault, BitCryptor, TorrentLocker, TeslaCrypt, and others.(2)
: The network perimeter is vanishing; attackers have shifted focus to target applications directly. Security professionals must adjust their approach accordingly, defending not just the edge but the interactions between users, applications and data regardless of location or device.
: 2015 was a record year for the number of reported and patches issued, but patching does little good if end users don–t install them for fear of unintended consequences.(4) Security teams must be more vigilant about applying patches at both the enterprise and individual user level. Software vendors must be more transparent about the implications of their patches so that end-users aren–t afraid to deploy them.
: Ransomware attacks targeting the enterprise and individuals are on the rise, requiring both increased awareness and preparation on the part of security professionals to avoid the loss of sensitive data. The best protection against ransomware is a sound backup policy for all important files on the system.
: Cross-border agreements pose challenges for enterprises struggling to keep their systems secure and in compliance. Organizations must follow the changing legislative activity closely and maintain a flexible security approach.
: HPE Security Products senior vice president and general manager, Sue Barsamian provides an overview of the threat landscape and a that dedicate their careers to helping the security community better understand the threats their organization–s face.
This year–s details the evolving nature of cybercrime as well as the developing legislation meant to curtail it. Get the key findings and recommendations of this innovative research at a glance.
: Register for the on-demand webcast on March 14 at 11a.m. PT to hear how talks about the key themes and the recommendations you can apply.
Published by , the annual report offers in-depth industry data and analysis on the most pressing security issues, providing business leaders and security professionals with actionable intelligence to better protect their digital enterprises and drive fearless innovation.
The full methodology is detailed in the HPE will be addressing the latest trends in enterprise security at the , taking place February 29 – March 4 in San Francisco. Additional information about HPE at this year–s conference is available Keep up with event happenings by following the event hashtag #RSAC and follow .
HPE Security helps organizations protect their business-critical digital assets by building security into the fabric of the enterprise, detecting and responding to advanced threats, and safeguarding continuity and compliance to effectively mitigate risk. With an integrated suite of market-leading , , and , HPE Security empowers organizations to balance protection with innovation to keep pace with today–s idea economy. Find out more about HPE Security at .
Join HPE Software on and follow on Twitter. To learn more about HPE Enterprise Security products and services on Twitter, please follow and join HPE Enterprise Security on .
Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry–s most comprehensive portfolio, spanning the cloud to the data center to workplace applications, our technology and services help customers around the world make IT more efficient, more productive and more secure.
Forward-Looking Statement
This document contains forward-looking statements within the meaning of the safe harbor provisions of the Private Securities Litigation Reform Act of 1995. Such statements involve risks, uncertainties and assumptions. If such risks or uncertainties materialize or such assumptions prove incorrect, the results of Hewlett Packard Enterprise could differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including any statements of the plans, strategies and objectives of Hewlett Packard Enterprise for future operations; other statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. Risks, uncertainties and assumptions include the possibility that expected benefits may not materialize as expected and other risks that are described in Hewlett Packard Enterprise–s filings with the Securities and Exchange Commission, including but not limited to the risks described in Hewlett Packard Enterprise–s Registration Statement on Form 10 dated July 1, 2015, as amended August 10, 2015, September 4, 2015, September 15, 2015, September 28, 2015 and October 7, 2015. Hewlett Packard Enterprise assumes no obligation and does not intend to update these forward-looking statements.
Embedded Video Available:
You must be logged in to post a comment Login