HP has released its security research cyber threat report for 2015.
The findings were collated from news headlines, analyst reports and conference findings from 2013 to 2014.
The firm said it also leveraged a number of internal and external resources to identify, research and analyse the findings. The sources included HP’s zero day Initiative, fortify on demand security assessments, HP software security research and ReversingLabs.
HP South Pacific enterprise security products general manager, Shane Bellos, said that many of the biggest security risks are issues the industry has known about for decades.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organisations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk.”
According to the report, 44 per cent of known breaches came from vulnerabilities that were two to four years old. HP said attackers continued to leverage well-known techniques to successfully compromise systems and networks. It said each of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago.
Server misconfigurations were the number one vulnerability, the report said. Edging out vulnerabilities such as privacy and cookie security issues, server misconfigurations dominated the list of security concerns in 2014, providing attackers unnecessary access to files, leaving organisations susceptible to an attack.
Additional avenues of attack were introduced via connected devices. In addition to security issues presented via Internet of Things (IoT) devices, 2014 also saw an increase in the level of mobile malware detected.
HP said the primary causes of commonly exploited software vulnerabilities are defects, bugs, and logic flaws. Most vulnerabilities stem from a relatively small number of common software programming errors. Old and new vulnerabilities in software are swiftly exploited by attackers.
The report offered a number of recommendations to organisations coping with cyber threats. These included comprehensive and timely patching strategies; regular penetration testing and verification of configurations; introduction of mitigate risk to a network prior to the adoption of new technologies; collaboration and threat intelligence sharing; and adoption of complementary protection strategies.