
75% of mobile apps scanned contained at least one critical/high-severity security vulnerability: Hewlett Packard Enterprise


February 22, 2016   by Canadian Underwriter



About three-quarters of mobile applications scanned for a recent Hewlett Packard Enterprise (HPE) cyber risk report exhibited at least one critical or high-severity security vulnerability, the company has reported.


The HPE Cyber Risk Report 2016, published last week, identified the top security threats plaguing enterprises over the past year. HPE noted that approximately 75% of the mobile apps scanned exhibited at least one critical or high-severity security vulnerability, compared to 35% of non-mobile apps. “Mobile applications’ frequent use of personally identifiable information presents significant vulnerabilities in the storage and transmission of private and sensitive information,” HPE noted in a press release.

The report found that software vulnerability exploitation continues to be a primary vector for attack, but mobile exploits are gaining traction. Similar to 2014, the report said, the top 10 vulnerabilities exploited in 2015 were more than one year old, with 68% being three years old or more. For example, 29% of all successful exploits in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.

Malware has also evolved from being “simply disruptive” to a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6% year-over-year, the attack targets shifted notably in line with evolving enterprise trends and focused heavily on monetization, HPE reported.

As the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms. The number of Android threats, malware, and potentially unwanted applications has grown to more than 10,000 new threats discovered daily, reaching a total year-over-year increase of 153%, the report said. Apple iOS represented the greatest growth rate, with a malware sample increase of more than 230%.

Ransomware is an increasingly successful attack model, with several ransomware families wreaking havoc in 2015 by encrypting files of consumer and corporate users alike, HPE said, using the examples of Cryptolocker, Cryptowall, CoinVault, BitCryptor, TorrentLocker, TeslaCrypt and others. Just last week, the president and CEO of the Hollywood Presbyterian Medical Center in Los Angeles said that the hospital paid approximately 40 bitcoins – or US$17,000 – to hackers following a ransomware attack. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” the hospital’s president and CEO, Allen Stefanek, said at the time. “In the best interest of restoring normal operations, we did this.”

Among other suggestions, the authors of the report recommend that:

• Security professionals adjust their approach, defending “not just the edge, but the interactions between users, applications and data regardless of location or device.” Attackers have shifted their focus to target applications directly, the report noted;

• Security teams be more vigilant about applying patches at both the enterprise and individual user level. Software vendors must also be more transparent about the implications of their patches so that end-users aren’t afraid to deploy them;

• There is a sound backup policy for all important files on the system, as ransomware attacks targeting both the enterprise and individuals are on the rise; and

• Organizations follow the changing legislative activity closely and maintain a flexible security approach.

“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” said Sue Barsamian, senior vice president and general manager, HPE Security Products, Hewlett Packard Enterprise. “We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”

