Mobile devices, insecure software and Java make for growing attack surface

An ever-widening attack surface means IT security professionals need to approach their jobs in a new way, according to a new report from Hewlett-Packard Co.

The report from HP Security Research seeks to identify the top enterprise security vulnerabilities and provide analysis of the expanding threat landscape. It identifies our increased reliance on mobile devices, the proliferation of insecure software and the wide use of Java as contributing to a growing attack surface in 2013.

“Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface,” said Jacob West, chief technology officer for enterprise security products at HP, in a statement. “The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace.”

Related News

Improving security in the data centre

Shortage of IT security pros putting networks at risk: Cisco

McAfee brand will be phased out by Intel

Diving into the findings, while a six per cent decline in the number of publicly disclosed vulnerabilities and a nine per cent dip in the number of high-severity vulnerabilities could be viewed as a positive, HP cautioned this may be an indicator of a surge in vulnerabilities that aren’t being disclosed, and instead are being delivered to the security black market for exploitation.

A lack of consistency across security platforms was identified as a concern, particularly when it comes to defining malware. When examining more than 500,000 mobile applications for Android, HP said it found major discrepancies between how antivirus engines and mobile platform vendors defined and classified malware.

Just 46 per cent of mobile applications that were examined used encryption properly, and sandbox bypass vulnerabilities were the most prevalent and damaging for Java users.

To reduce enterprise risk in this changing threat landscape, HP said both organizations and developers should stay aware of security pitfalls in frameworks and other third-party code, particularly when it comes to hybrid mobile development platforms. A combination of people, process and technology can minimize the attack surface, and more collaboration and threat intelligence sharing within the security industry is needed for a stronger and more effective defence.

Author: Jeff Jedras

A veteran technology and business journalist, Jeff Jedras began his career in technology journalism in the late 1990s, covering the booming (and later busting) Ottawa technology sector for Silicon Valley North and the Ottawa Business Journal, as well as everything from municipal politics to real estate.He later covered the technology scene in Vancouver before joining IT World Canada in Toronto in 2005, covering enterprise IT for ComputerWorld Canada. He would go on to cover the channel as an assistant editor with CDN.His writing has appeared in the Vancouver Sun, the Ottawa Citizen and a wide range of industry trade publications.