Despite all the publicity about zero-day exploits, a large share of breaches (44 per cent) stem from vulnerabilities that are two to four years old.
Server misconfigurations were the number one vulnerability, according to the latest edition of HP’s annual Cyber Risk Report, which concludes that well-known issues posed the biggest threats to online security.
Server misconfigurations gave adversaries unnecessary access to files, leaving organisations susceptible to attack.
The primary causes of commonly exploited software vulnerabilities turned out to be defects, bugs or logic flaws. Most vulnerabilities stem from a relatively small number of common software programming errors.
Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago, according to HP, which recorded an increase in the level of mobile malware detected.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager, Enterprise Security Products, HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organisations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk,” he added.
Threats can be minimised with a well-thought-out patching strategy, regular penetration testing, layered security defences, threat intelligence sharing and a strategy for introducing new technologies.
The HP Cyber Risk Report takes data from a number of sources including HP Zero Day Initiative, HP Fortify on Demand security assessments, HP Software Security Research and ReversingLabs, as well as external sources. ®