Feeds

Java, Android were THE wide-open barn doors of security in 2013 - report

Cisco research claims two techs led to nearly all of the exploits

The essential guide to IT transformation

While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found.

According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

Attacks targeting Adobe Flash and Adobe Reader/Acrobat – which together once accounted for nearly half of all web-based exploits – paled in comparison to Java exploits in 2013. iOS-specific malware was virtually nonexistent, although fanbois did bear the brunt of 14 per cent of web-based mobile attacks.

That Java should be the source of so many security breaches should come as no surprise to anyone who has followed the seemingly endless series exploits that have been discovered since the fateful summer of 2012.

So many flaws have been found in the Java web plugin now, in fact, that no less than the US Department of Homeland Security has urged Americans to disable Java in their browsers unless it's absolutely necessary, since there are likely to be many more vulnerabilities waiting to be exploited.

Cisco chart comparing exploits targeting Java, Flash, and PDF in 2013

When it came to exploits in 2013, Java made Flash and PDF look like pikers (Source: Cisco)

But these zero-day exploits are only part of the problem. Recent Java 7 releases have plugged many freshly discovered holes, but that only helps if customers are running an up-to-date version.

On the contrary, Cisco says that 76 per cent of customers of its Cisco Web Security services are still running Java 6, which Oracle stopped supporting with fresh security updates in March 2013.

This isn't mere laziness on the customers' part. The same data shows that 90 per cent of those customers are also running Java 7. In many cases, these enterprises run both versions side-by-side because certain of their applications require a specific Java version to run – which unfortunately leaves them vulnerable.

"If security professionals who have limited time to fight web exploits decide to focus most of their attention on Java, they'll be putting their resources in the right place," Cisco's report suggests.

Criminals: These are the droids you're looking for

Similarly, malware developers in the mobile realm seem laser-focused on Android, with Android users experiencing nearly three quarters of all encounters with web-based malware in 2013.

But here the threat profile was a little different. Virtually all malware attacks that were designed to compromise specific handsets targeted Android, but these were actually very rare, accounting for just 1.2 per cent of the total. The vast majority of mobile attacks involved things like phishing, social engineering lures, or forcible redirects to unwanted websites, rather than direct attacks on the device hardware or operating system.

Even so, Android devices were hit 71 per cent of the time. Cisco blames a combination of poor or nonexistent security policies and the popularity of mobile apps for many of these attacks.

"Instituting a formal program for managing mobile devices to help ensure that any device is secure before it can access the network is one solution to improve security for the enterprise," the report states.

Perhaps the most disturbing finding in this year's Cisco report, however, is the overall increase in targeted attacks against businesses, with many attacks aimed at specific industries and vertical markets. For example, while attacks targeting the electronics industry have been seen before, 2013 even saw an increase in attacks against the agriculture and mining sectors, which had previously been seen as low-risk.

Cisco chart showing pervasiveness of malicious traffic types

Wondering if there's dodgy traffic on your network? You're asking the wrong question (Source: Cisco)

Often, Cisco says, criminals will target industry-specific websites to set up "watering holes," malware-spewing sites designed to compromise groups of people with common interests, such as people who work in the same field.

Cisco claims the newest twist is for attackers to target internet infrastructure – including web servers, DNS servers, and data centers – with the goal of using compromised servers to do their dirty work for them, spreading malware far and wide within an organization or an industry.

Given all of this activity, just how prevalent is malware within the typical enterprise? According to Cisco, 92 per cent of the business networks it analyzed showed traffic to websites with no content, which typically host malware. Another 96 per cent showed traffic to hijacked servers. And 100 per cent of the networks surveyed had traffic going to servers that were known malware hosts.

In other words, cyber-crime is now utterly pervasive, and once an attacker manages to gain access to a corporate network, they often hang around for a long time.

"All organizations should assume they've been hacked," Cisco's 2014 Annual Security Report warns, "or at least agree that it's not a question of if they will be targeted for an attack, but when ... and for how long." ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.