Old techniques, server misconfigurations and connected devices were all named as security threat culprits in this year’s Cyber Risk Report from HP Security Research.
Attackers continue to leverage well-known techniques to successfully compromise systems and networks, with 44 percent of known breaches coming from vulnerabilities that are 2-4 years old.
Of note is that every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.
Looking past hackers using old code, the number one vulnerability came in the form of server misconfigurations. Server misconfigurations dominated the list of security concerns in 2014, providing adversaries unnecessary access to files that leave an organisation susceptible to an attack.
The information disclosed to attackers through these misconfigurations provides additional avenues of attack and gives attackers the knowledge needed to ensure their other methods of attack succeed.
The Internet of Things was also to blame for a number of vulnerabilities. As physical devices become connected through the Internet of Things (IoT), the diverse nature of these technologies gives rise to concerns regarding security, and privacy in particular.
HP also pointed to the fact that 2014 was the year when mobile malware stopped being considered just a novelty.
HP also revealed that most vulnerabilities stem from a relatively small number of common software programming errors. Old and new vulnerabilities in software are swiftly exploited by attackers.
"Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed," said Art Gilliland, senior vice president and general manager, Enterprise Security Products, HP.
"We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk."
Alongside identifying vulnerabilities, the report also provided advice on how businesses can build defences and stay secure.
HP advised that a comprehensive and timely patching strategy should be employed by network defenders to ensure systems are up-to-date with the latest security protections to reduce the likelihood of these attacks succeeding.
Regular penetration testing and verification of configurations by internal and external entities were also advised, because this line of defence can identify configuration errors before attackers exploit them.
HP also recommended collaboration and threat intelligence, in addition to the adoption of a complementary protection strategy.
Where technologies like IoT were concerned, HP said it is imperative for organisations to protect against potential security vulnerabilities by understanding new avenues of attack before they are exploited.