Security Holes Appear Too Fast To Plug Them All

It’s easy to guard one platform, but impossible to guard every brick.

Despite increases in security spending and giant leaps concerning cybersecurity threats in general, the greatest digital threat most companies face continues to come from within, according to a new study from Hewlett-Packard.

End users unconscious of basic security measures aren’t the only problem, however.

More than half of corporate-owned or -maintained applications are configured in ways that make them easier to hack, either because of misconfigured security settings or because they tell anyone who asks enough about their configuration to make an attack much more convenient.

Part of the problem may be sloppy security, but most of it is due to the increasing complexity of the “attack surface,” which refers to total risk as the combination of all the hardware, software and procedural vulnerabilities an organization exposes to the world, according to the latest version of the HP Security Cyber Risk Report, which was posted Feb. 3.

HP found vulnerabilities in 80 percent of 2,200 applications used by customers, most of them related to server misconfiguration, improper file settings, vendor-supplied sample content, outdated software and other problems created (or not pre-emptively quashed during installation) by the companies themselves.

It also found that big companies can be more vulnerable to known software security flaws than consumers because most organizations insist on researching and testing software patches before installation, to make sure they don’t cause more trouble than they prevent.

“We continue to struggle with using risk management techniques for patch deployment, which introduces a significant security gap—one that software itself cannot address,” according to the report.

Rather than debate whether it’s more dangerous to install an untested patch or leave a known flaw unpatched, the report recommends that corporate security keep a closer eye on which flaws and which applications are most often used in attacks, and get patches for those approved more quickly than the others.

Misconfiguring software used in a corporation’s Website is even more dangerous than doing so on internal servers, but leaving a door unclosed or window unlatched is not the only risk.

Many applications (both commercial and homegrown) provide too much information in error messages about what is going on behind the scenes, giving potential attackers pointers on where to focus their efforts or exploits. Fifty-six percent of apps tested gave away potentially useful information on users, implementation or the application itself. Thirty-one percent leaked information through error messages that could have the same effect.

Seventy-two percent of the applications HP tested were vulnerable because of misconfigured authentication, access control, confidentiality, cryptography or privilege management.

For example, in error messages or legitimate responses to queries from client machines, 43 percent of the sites HP tested leaked information about the server by not disabling the HTTP OPTIONS method, which lets clients request a list of the methods the server supports. Another 37 percent revealed information about the file structure of the server and its file-naming conventions by including actual file names in comments; 15 percent showed their internal IP address as well as the external one.
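As an added illustration (not code from the HP report or from this article), the following Python script checks a captured HTTP response for the three leak patterns just described: an Allow header advertising the methods an enabled OPTIONS handler exposes, file names left in HTML comments, and private IP addresses in headers or body. The sample response is constructed for the example.

```python
import re

# Constructed sample response (not real data) showing all three leak patterns.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (Unix)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE,PUT,DELETE\r\n"
    "X-Backend-Host: 10.0.12.7\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    "<!-- TODO: remove /var/www/app/config/db_settings.inc before release -->\n"
    "<!-- include legacy/login_v2.php -->\n"
    "<p>Welcome</p>\n"
    "</body></html>\n"
)

SAFE_METHODS = {"GET", "HEAD", "POST"}
# RFC 1918 private address ranges: 10/8, 172.16/12, 192.168/16.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")
COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Paths or bare names ending in a server-side or config extension.
FILE_REF = re.compile(r"[\w./-]+\.(?:php|inc|asp|aspx|jsp|bak|cfg|conf|ini)\b")

def parse_response(raw):
    """Split a raw HTTP/1.1 response into a lowercase header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_leaks(raw):
    """Return (kind, detail) findings for the leak patterns in the article."""
    headers, body = parse_response(raw)
    findings = []
    allow = headers.get("allow")
    if allow:  # OPTIONS answered; flag every method beyond the safe set
        extra = sorted({m.strip().upper() for m in allow.split(",")} - SAFE_METHODS)
        if extra:
            findings.append(("options-methods", ", ".join(extra)))
    if "server" in headers and re.search(r"\d", headers["server"]):
        findings.append(("server-version", headers["server"]))
    for name, value in headers.items():
        if PRIVATE_IP.search(value):
            findings.append(("internal-ip-header", f"{name}: {value}"))
    for comment in COMMENT.findall(body):
        for ref in FILE_REF.findall(comment):
            findings.append(("file-name-in-comment", ref))
    for ip in PRIVATE_IP.findall(body):
        findings.append(("internal-ip-body", ip))
    return findings
```

Run `find_leaks(SAMPLE_RESPONSE)` to see each finding; an empty list means none of the three patterns appeared in the response.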

“Limiting the amount of readily available information the application, or its implementation, forces the attacker to make assumptions or search for an easier entry point into your application, or preferably, to avoid it altogether and move on to another target,” the report read.

All the same vulnerabilities that can be exploited in other electronics can be exploited in mobile devices, according to HP. Because they perceive the volume of malware and risk of attack as much lower, however, users take far fewer precautions with mobile devices than with their other systems.

Only 52 percent of security issues in mobile devices came from the client side, however; the other 48 percent came from misconfiguration of the server or erratic behavior of server-side applications.

The number of exploits and malware for Windows machines is still so much higher than for Android or iOS that it is unlikely mobile threats will outpace others right away. Since there is no clear definition of what “malware” is on mobile devices, or what rights a mobile app should be allowed to assume, Google and anti-malware companies have very different ideas of what malicious software actually is, making identifying and stopping it even more difficult, according to the report.

HP found that 74 percent of mobile apps take unnecessary permissions for themselves when they install – permissions most users can’t or don’t rescind later. Forty-six percent use encryption badly enough, however, to leave vulnerable even the data users try to protect with encryption.

The growth in attacks on, and vulnerabilities in, mobile devices makes it clear that smart sensors and other devices (often described as the “Internet of Things”) should also be considered potential points of attack.

Similarly, the supervisory control and data acquisition (SCADA) control systems used to run factories and other large facilities remain largely insecure, despite their use of proprietary networking protocols and, often, connections only to private networks.

While the volume of malware, flaws in Java or Internet Explorer and other threats that are only partially controllable continue to grow, it is the list of real or potential vulnerabilities that appears to represent the greatest danger.

To a hacker trying to break into a “secure” server, a user’s login information is the Holy Grail. HP found that 31 percent of corporate applications that require users to log in send that login data across the network without encrypting it first; another 41 percent leave all data vulnerable in motion because they’re unable to enforce policies requiring secure, encrypted connections.

HP also found worrisome growth in the use of and market for zero-day vulnerabilities. Compared with the threat of attack coming in through open windows and doors, however, the risk of attackers sneaking through a secret hole in a basement wall is almost insignificant.


Image: grasycho