While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.
According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.
Attacks targeting Adobe Flash and Adobe Reader/Acrobat – which together once accounted for nearly half of all web-based exploits – paled in comparison to Java exploits in 2013. iOS-specific malware was virtually nonexistent, although fanbois did bear the brunt of 14 per cent of web-based mobile attacks.
That Java should be the source of so many security breaches should come as no surprise to anyone who has followed the seemingly endless series exploits that have been discovered since the fateful summer of 2012.
So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it's absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.
When it came to exploits in 2013, Java made Flash and PDF look like pikers (Source: Cisco)
But these zero-day exploits are only part of the problem. Recent Java 7 releases have plugged many freshly discovered holes, but that only helps if customers are running an up-to-date version.
On the contrary, Cisco says that 76 per cent of customers of its Cisco Web Security services are still running Java 6, which Oracle stopped supporting with fresh security updates in March 2013.
This isn't mere laziness on the customers' part. The same data shows that 90 per cent of those customers are also running Java 7. In many cases, these enterprises run both versions side-by-side because certain of their applications require a specific Java version to run – which unfortunately leaves them vulnerable.
"If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they'll be putting their resources in the right place," Cisco's report suggests.
Criminals: These are the droids you're looking for
Similarly, malware developers in the mobile realm seem laser-focused on Android, with Android users experiencing nearly three quarters of all encounters with web-based malware in 2013.
But here the threat profile was a little different. Virtually all malware attacks that were designed to compromise specific handsets targeted Android, but these were actually very rare, accounting for just 1.2 per cent of the total. The vast majority of mobile attacks involved things like phishing, social engineering lures, or forcible redirects to unwanted websites, rather than direct attacks on the device hardware or operating system.
Even so, Android devices were hit 71 per cent of the time. Cisco blames a combination of poor or nonexistent security policies and the popularity of mobile apps for many of these attacks.
"Instituting a formal program for managing mobile devices to help ensure that any device is secure before it can access the network is one solution to improve security for the enterprise," the report states.
Perhaps the most disturbing finding in this year's Cisco report, however, is the overall increase in targeted attacks against businesses, with many attacks aimed at specific industries and vertical markets. For example, while attacks targeting the electronics industry have been seen before, 2013 even saw an increase in attacks against the agriculture and mining sectors, which had previously been seen as low-risk.
Wondering if there's dodgy traffic on your network? You're asking the wrong question (Source: Cisco)
Often, Cisco says, criminals will target industry-specific websites to set up "watering holes," malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.
Cisco claims the newest twist is for attackers to target internet infrastructure – including web servers, DNS servers, and data centers – with the goal of using compromised servers to do their dirty work for them, spreading malware far and wide within an organization or an industry.
Given all of this activity, just how prevalent is malware within the typical enterprise? According to Cisco, 92 per cent of the business networks it analyzed showed traffic to websites with no content, which typically host malware. Another 96 per cent showed traffic to hijacked servers. And 100 per cent of the networks surveyed had traffic going to servers that were known malware hosts.
In other words, cyber-crime is now utterly pervasive, and once an attacker manages to gain access to a corporate network, they often hang around for a long time.
"All organizations should assume they've been hacked," Cisco's 2014 Annual Security Report warns, "or at least agree that it's not a question of if they will be targeted for an attack, but when ... and for how long." ®