As the traditional network perimeter disappears and attack surfaces grow, mobile applications present growing and distinctive risks. Attackers have shifted focus to target applications directly.
According to the Hewlett Packard Enterprise (HPE) Cyber Risk Report 2016, approximately 75% of the mobile applications scanned exhibited at least one critical or high-severity security vulnerability, compared to 35% of non-mobile applications. Because mobile applications so frequently handle personally identifiable information, this is of heightened concern.
“Security professionals must adjust their approach accordingly, defending not just the edge but the interactions between users, applications and data regardless of location or device,” the report noted.
The report also found that vulnerabilities due to API abuse are much more common in mobile applications than in web applications, while error-handling weaknesses (flaws in the anticipation, detection, and resolution of errors) are more often found in web applications.
The report also took a look at malware, which has evolved from being simply disruptive to a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6% year-over-year, the attack targets shifted notably in line with evolving enterprise trends and focused heavily on monetization.
For instance, ransomware attacks targeting the enterprise and individuals are on the rise, requiring both increased awareness and preparation on the part of security professionals to avoid the loss of sensitive data. The best protection against ransomware is a sound backup policy for all important files on the system.
Here, too, mobility is moving the dial. As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms. The number of Android threats, malware, and potentially unwanted applications has grown to more than 10,000 new threats discovered daily, a total year-over-year increase of 153%. Apple iOS showed the greatest growth rate, with a malware sample increase of more than 230%.
In terms of overall volume, the desktop/laptop world is still the most dangerous. Software vulnerability exploitation continues to be a primary vector for attack, with mobile exploits gaining traction. As expected, Microsoft Windows represented the most targeted software platform, with 42% of the top 20 discovered exploits directed at Microsoft platforms and applications.
Disturbingly, the top 10 vulnerabilities exploited in 2015 were more than one year old, with 68% being three years old or more. Further, almost a third (29%) of all successful exploits in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.
“2015 was a record year for the number of security vulnerabilities reported and patches issued, but patching does little good if end users don't install them for fear of unintended consequences,” the report noted. “Security teams must be more vigilant about applying patches at both the enterprise and individual user level. Software vendors must be more transparent about the implications of their patches so that end-users aren't afraid to deploy them.”