Cyber criminals taking advantage of unpatched code: report

Forty-four per cent of cyber attacks worldwide in 2014 were caused by unpatched code, says HP

Unpatched code proved to be a happy hunting ground for cyber criminals during 2014, according to a new report by HP.

The vendor’s annual Cyber Risk Report found that 44 per cent of attacks last year were due to unpatched code that was two to four years old.

“Exploitation of widely deployed client-side and server-side applications are still commonplace. These attacks are even more prevalent in poorly coded middleware applications, such as software as a service [SaaS],” read the report.

“Businesses should employ a comprehensive patching strategy to ensure systems are up to date with the latest security protections to reduce the likelihood of these attacks succeeding.”

The remaining 56 per cent of attacks last year were caused by server misconfigurations, Internet of Things (IoT) devices and mobile malware.

According to HP, server misconfigurations were the number one vulnerability in 2014, followed by privacy and cookie security issues. Server misconfigurations were also the number one vulnerability in the vendor’s 2013 report.

“Our findings show that access to unnecessary files and directories seems to dominate the server misconfiguration related issues. The information disclosed to attackers through these misconfigurations provides additional avenues of attack and allows attackers the knowledge needed to ensure their other methods of attack succeed,” read the report.

The report advised that regular penetration testing and verification of configurations could identify configuration errors before cyber criminals exploit them.

HP South Pacific's enterprise security products general manager, Shane Bellos, provided some tips for organisations to improve their security.

“Collaboration and threat intelligence sharing is key to cooperatively addressing threats across the security industry. This enables organisations to gain insight into adversarial tactics, allowing for more proactive defence, strengthened protections offered in security solutions, and an overall safer environment,” he said in a statement.

“Complementary protection strategy should be adopted along with the mentality that you could be breached. There is no silver bullet solution, and defenders should implement a complementary, layered set of security tactics to ensure the best defence,” said Bellos.

Computerworld Australia contacted HP for more information.

Follow Hamish Barwick on Twitter: @HamishBarwick