
Java, Android were THE wide-open barn doors of security in 2013 - report

Cisco research claims two techs led to nearly all of the exploits


While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.

According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

Attacks targeting Adobe Flash and Adobe Reader/Acrobat – which together once accounted for nearly half of all web-based exploits – paled in comparison to Java exploits in 2013. iOS-specific malware was virtually nonexistent, although fanbois did bear the brunt of 14 per cent of web-based mobile attacks.

That Java should be the source of so many security breaches should come as no surprise to anyone who has followed the seemingly endless series of exploits that have been discovered since the fateful summer of 2012.

So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it's absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.

Cisco chart comparing exploits targeting Java, Flash, and PDF in 2013

When it came to exploits in 2013, Java made Flash and PDF look like pikers (Source: Cisco)

But these zero-day exploits are only part of the problem. Recent Java 7 releases have plugged many freshly discovered holes, but that only helps if customers are running an up-to-date version.

On the contrary, Cisco says that 76 per cent of customers of its Cisco Web Security services are still running Java 6, which Oracle stopped supporting with fresh security updates in March 2013.

This isn't mere laziness on the customers' part. The same data shows that 90 per cent of those customers are also running Java 7. In many cases, these enterprises run both versions side-by-side because certain of their applications require a specific Java version to run – which unfortunately leaves them vulnerable.

"If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they'll be putting their resources in the right place," Cisco's report suggests.

Criminals: These are the droids you're looking for

Similarly, malware developers in the mobile realm seem laser-focused on Android, with Android users experiencing nearly three quarters of all encounters with web-based malware in 2013.

But here the threat profile was a little different. Virtually all malware attacks that were designed to compromise specific handsets targeted Android, but these were actually very rare, accounting for just 1.2 per cent of the total. The vast majority of mobile attacks involved things like phishing, social engineering lures, or forcible redirects to unwanted websites, rather than direct attacks on the device hardware or operating system.

Even so, Android devices were hit 71 per cent of the time. Cisco blames a combination of poor or nonexistent security policies and the popularity of mobile apps for many of these attacks.

"Instituting a formal program for managing mobile devices to help ensure that any device is secure before it can access the network is one solution to improve security for the enterprise," the report states.

Perhaps the most disturbing finding in this year's Cisco report, however, is the overall increase in targeted attacks against businesses, with many attacks aimed at specific industries and vertical markets. For example, while attacks targeting the electronics industry have been seen before, 2013 even saw an increase in attacks against the agriculture and mining sectors, which had previously been seen as low-risk.

Cisco chart showing pervasiveness of malicious traffic types

Wondering if there's dodgy traffic on your network? You're asking the wrong question (Source: Cisco)

Often, Cisco says, criminals will target industry-specific websites to set up "watering holes," malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.

Cisco claims the newest twist is for attackers to target internet infrastructure – including web servers, DNS servers, and data centers – with the goal of using compromised servers to do their dirty work for them, spreading malware far and wide within an organization or an industry.

Given all of this activity, just how prevalent is malware within the typical enterprise? According to Cisco, 92 per cent of the business networks it analyzed showed traffic to websites with no content, which typically host malware. Another 96 per cent showed traffic to hijacked servers. And 100 per cent of the networks surveyed had traffic going to servers that were known malware hosts.

In other words, cyber-crime is now utterly pervasive, and once an attacker manages to gain access to a corporate network, they often hang around for a long time.

"All organizations should assume they've been hacked," Cisco's 2014 Annual Security Report warns, "or at least agree that it's not a question of if they will be targeted for an attack, but when ... and for how long." ®
