High-profile software bugs like Heartbleed and Shellshock have caused a stir in the IT industry, but many security breaches last year took advantage of software vulnerabilities that were at least two years old.
These were some of the findings revealed in HP’s annual Cyber Risk Report, which analyses the most pressing security issues affecting enterprises in 2014.
According to HP, the top exploit in 2014 was a bug in Microsoft’s Windows Shell that allows remote attackers to execute arbitrary code. It was discovered in 2010, and was responsible for 33 per cent of breaches last year.
“None of the top 10 exploits took advantage of the zero-day bugs last year,” said Art Gilliland, senior vice president and general manager of enterprise security products at HP.
“All the stuff about Heartbleed, Shellshock and Poodle didn’t even make it into the top 10 exploits,” he added.
Gilliland said that because newly discovered zero-day bugs receive so much attention, IT administrators are not doing enough to plug security loopholes that have existed for as long as five years.
The patches for these loopholes could have been missed by IT administrators who needed to get a new system up and running quickly, he said. “We have to start thinking about how to better patch vulnerabilities that we already know about.”
Besides software vulnerabilities, misconfigured servers were also one of the top causes of security breaches, according to HP.
Misconfigured servers could allow attackers to reach critical systems or files that are more important than the ones initially breached. “For example, if you break into a web server, you could get access to a database that the web server doesn’t need,” Gilliland said.
HP also found that mobile devices were increasingly targeted by mobile malware. Mobile web apps, however, were found to have fewer vulnerabilities than native apps, Gilliland said.
To address these security bugbears, Gilliland advised organisations to adopt a “comprehensive and timely patching strategy” to keep systems up to date and reduce the chances of a successful breach.
They should also conduct regular penetration testing and verify the configurations of their IT systems by working with security vendors, he said.
But more importantly, Gilliland said organisations should develop capabilities, not just in preventing attacks, but also in detecting cyber criminals who have broken into their systems to steal sensitive data.
“Companies spend about 85 per cent of their resources to block the bad guys,” he said. “But if you’re competing against an adversary who is the best in the world, you’re going to lose if you’re spending less than 15 per cent of your budget to find him.”