HP Security Research | Cyber Risk Report 2015IntroductionEditors’ note: While our previous CyberRisk Reports were numbered accordingto the year of data covered (e.g., “CyberRisk Report 2013” was released in2014), we are updating our numberingconvention to match industry practices.Welcome to the HP Cyber Risk Report 2015. In this <strong>report</strong> weprovide a broad view of the 2014 threat landscape, rangingfrom industry-wide data down to a focused look at differenttechnologies, including open source, mobile, and the Internetof Things. The goal of this Report is to provide <strong>security</strong>information leading to a better understanding of the threatlandscape, and to provide resources that can aid in minimizing<strong>security</strong> <strong>risk</strong>.It is my pleasure to welcome you to our 2015 Cyber Risk Report. HP Security Research publishes many documentsthroughout the year detailing our <strong>research</strong> and findings, but our annual Risk Report stands slightly removed from theday-to-day opportunities and crises our <strong>research</strong>ers and other <strong>security</strong> professionals face.A look back at <strong>security</strong> developments over the course of a full year serves an important purpose for those charged withshaping enterprise <strong>security</strong> responses and strategies. In the wake of the significant breaches of 2014, I believe it’s moreimportant than ever that our <strong>cyber</strong> <strong>security</strong> <strong>research</strong> team continues to provide an elevated perspective on the overall trendsin the marketplace.The global economic recovery continued this year, and it was probably inevitable that as businesses rebounded, the <strong>security</strong>challenges facing them became more complex. Enterprises continued to find inexpensive access to capital; unfortunately,so did adversaries, some of whom launched remarkably determined and formidable attacks over the course of the year asdocumented by our field intelligence team.Our <strong>research</strong>ers saw that despite new technologies and fresh investments from both adversaries and defenders alike, the<strong>security</strong> realm is still encumbered by the same problems—even in some cases by the very same bugs—that the industryhas been battling for years. The work of our threat <strong>research</strong> and software <strong>security</strong> <strong>research</strong> teams revealed vulnerabilitiesin products and programs that were years old—in a few cases, decades old. Well-known attacks were still distressinglyeffective, and misconfiguration of core technologies continued to plague systems that should have been far more stable andsecure than they in fact proved to be.We are, in other words, still in the middle of old problems and known issues even as the pace of the <strong>security</strong> world quickensaround us. Our <strong>cyber</strong> <strong>security</strong> <strong>research</strong> team has expanded over the course of the year, and so has this Risk Report, bothcovering familiar topics in greater depth and adding coverage of allied issues such as privacy and Big Data. In addition, ourpeople work to share their findings and their passion for <strong>security</strong> and privacy <strong>research</strong> with the industry and beyond. ThisRisk Report is one form of that; our regular Security Briefings and other publications are another form, and we hope toremain in touch with you throughout the year as themes presented in this Report are developed in those venues.Security practitioners must ready themselves for greater public and industry scrutiny in 2015, and we know that threatactors—encouraged by public attention paid to their actions—will continue their attempts to disrupt and capitalize on bugsand defects. The HP Security Research group continues to prepare for the challenges the year will doubtless pose, and alsointends to invest in driving our thought leadership inside the <strong>security</strong> community and beyond it.Art GillilandSVP and General Manager, Enterprise Security Products
HP Security Research | Cyber Risk Report 2015Table of contents2 Introduction4 About HP Security Research4 Our data4 Key themes6 The <strong>security</strong> conversation8 Threat actors8 Nation-state supported activity12 The <strong>cyber</strong> underground12 Conclusion13 Vulnerabilities and exploits15 Weaknesses in enterprise middleware15 Vulnerability and exploits trends in 2014(Windows case)18 Malware and exploits18 Top CVE-2014 numbers collected in 201419 Top CVE-2014 for malware attacks20 Top CVE numbers seen in 201422 Defenders are global23 Conclusion24 Threats24 Windows malware overview27 Notable malware29 Proliferation of .NET malware in 201431 ATM malware attacks32 Linux malware34 Mobile malware35 Android anti-malware market36 Top Android malware families in 201436 Notable Android malware in 201439 Conclusion40 Risks: Spotlight on privacy42 Exposures42 Emerging avenues for compromise:POS and IoT42 The evolution of POS malware46 The Internet of Things49 Conclusion49 Controls50 Distribution by kingdom52 Breakdown of top five Web applicationvulnerabilities53 Top 10 Web application vulnerabilities55 Breakdown of the top five mobileapplication vulnerabilities56 Top 10 mobile application vulnerabilities58 Open source software dependencies61 The Heartbleed effect63 Remediation of static issues65 Conclusion66 Summary68 Authors and contributors69 Glossary
Change language