Severe attacks against corporate computers increasing - report
Known vulnerabilities in commercial applications are declining, but 'severe' attacks have increased against both client/server and web applications
Known vulnerabilities in commercial applications are declining, but "severe" attacks have increased against both client/server and web applications, according to HP's 2011 Top Cyber Security Risks report.
New vulnerabilities in commercial applications have declined by almost 40 per cent since 2006, and by just under 20 per cent between 2010 and 2011.
"This decline is due to several factors, including the advent of a private market for sharing vulnerabilities. In addition, the proliferation of custom-built web applications, such as retail web sites, has created a market for unique vulnerability exploits that require advanced expertise to locate and address," states the report.
Other findings include:
- Although the number of vulnerability reports has declined, attacks have more than doubled;
- Some 24 per cent of new vulnerabilities disclosed in commercial applications in 2011 were given a severity rating of between eight and 10 on a 10-point scale. Such a rating implies that the vulnerabilities allow remote code execution, the most dangerous type of attack;
- About 36 per cent of all vulnerabilities lie in commercial web applications;
- Approximately 86 per cent of web applications are vulnerable to an injection attack, in which untrusted input supplied through the website is passed into a query or command, enabling attackers to read or modify internal databases;
- Web exploit toolkits remain popular among hackers. These packaged frameworks are traded online and enable attackers to access enterprise IT systems. Blackhole Exploit Kit is the most widely used.
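The injection finding above is the one item on this list that is easy to make concrete. The following is an added example, not code from the HP report or its case study: it uses Python's built-in sqlite3 module and a constructed two-row users table to stand in for a web application's backend database, and shows a query built by string concatenation next to its parameterised form. The first can be bypassed for login and abused with a UNION to pull every password out of the table; the second treats the same payloads as plain data and returns nothing.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the report.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic payloads of the kind an injection scanner sends.
LOGIN_BYPASS = "' OR '1'='1"
UNION_DUMP = "%' UNION SELECT password FROM users --"


def make_db():
    """In-memory database standing in for the site's internal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation: attacker text becomes part of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """User search with the search term spliced straight into a LIKE clause."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def search_safe(conn, term):
    """Same search with the wildcard pattern passed as a bound parameter."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ?",
        ("%" + term + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both payloads against both implementations and collect the outcomes."""
    conn = make_db()
    return {
        # Tautology makes the WHERE clause true for every row: login as first user.
        "bypass_vulnerable": login_vulnerable(conn, "alice", LOGIN_BYPASS),
        # Same string as a bound parameter is just a wrong password.
        "bypass_safe": login_safe(conn, "alice", LOGIN_BYPASS),
        # UNION appends the password column to the result set; "--" comments
        # out the trailing quote so the statement still parses.
        "dump_vulnerable": sorted(search_vulnerable(conn, UNION_DUMP)),
        # Bound parameter: no username contains that literal text.
        "dump_safe": search_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable login returns "alice" for the tautology payload and the vulnerable search hands back both usernames and both passwords in one result set, which is exactly the "access internal databases via a website" outcome the report describes; the parameterised versions return None and an empty list for the same input. The fix is the placeholder, not escaping: the driver never lets the value be parsed as SQL.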
The report uses real data pulled from the HP TippingPoint Intrusion Prevention System (IPS) and HP Fortify.
The data is broken down by attack, vulnerability category, source information, and severity to provide a snapshot of the attack landscape. The report also includes a case study of the web application risks at one large corporation.
The full report is available from HP as a PDF download.