February 23, 2015, updated 19 Aug 2016 4:02pm

Hackers not having to reinvent the wheel to attack

44% of breaches came from vulnerabilities that are 2-4 years old.

By Ellie Burns

Old techniques, server misconfigurations and connected devices were all named as security threat culprits in this year’s Cyber Risk Report from HP Security Research.

Attackers continue to leverage well-known techniques to successfully compromise systems and networks, with 44 percent of known breaches coming from vulnerabilities that are 2-4 years old.

Of note is that every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.

Looking past hackers using old code, the number one vulnerability came in the form of server misconfigurations. Server misconfigurations dominated the list of security concerns in 2014, providing adversaries unnecessary access to files that leave an organisation susceptible to an attack.

The information disclosed to attackers through these misconfigurations provides additional avenues of attack and gives attackers the knowledge needed to ensure their other methods of attack succeed.

The Internet of Things was also to blame for a number of vulnerabilities. As physical devices become connected through the Internet of Things (IoT), the diverse nature of these technologies gives rise to concerns regarding security, and privacy in particular.

HP also pointed to the fact that 2014 was the year when mobile malware stopped being considered just a novelty.

HP also revealed that most vulnerabilities stem from a relatively small number of common software programming errors. Old and new vulnerabilities in software are swiftly exploited by attackers.

"Many of the biggest security risks are issues we’ve known about for decades, leaving organizations unnecessarily exposed," said Art Gilliland, senior vice president and general manager, Enterprise Security Products, HP.

"We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk."

Alongside identifying vulnerabilities, the report also provided advice on how businesses can build defences and stay secure.

HP advised that a comprehensive and timely patching strategy should be employed by network defenders to ensure systems are up-to-date with the latest security protections to reduce the likelihood of these attacks succeeding.

Regular penetration testing and verification of configurations by internal and external entities were also advised, because this line of defence can identify configuration errors before attackers exploit them.

HP also recommended collaboration and threat intelligence, in addition to the adoption of a complementary protection strategy.

Where technologies like IoT were concerned, HP said it is imperative for organisations to protect against potential security vulnerabilities by understanding new avenues of attack before they are exploited.
