Old software security holes are more stubborn than many think.
A report released Monday by HP shows that almost half of the companies that suffered a cyber attack in 2014 were hit by attackers exploiting old, already-known vulnerabilities.
In fact, 44 percent of known breaches in 2014 exploited vulnerabilities that were two to four years old and still unpatched, a sign that many companies are not keeping up with security patches, according to HP’s Cyber Risk Report.
“The biggest theme we took out of this is that the past has come back to haunt us,” said Frank Mong, vice president of solutions for enterprise security products at Hewlett-Packard.
“When you look at why people are still getting hacked or breached, I think a big contributor to that is either not knowing if you were patched or if you were patched and you were secure at one point, but something happened in operations that caused you not to be patched again,” Mong said.
For example, when a company’s server goes down, operations will usually reboot it or reimage it to get it working again. A plain reboot leaves installed patches in place, but reimaging resets the server to the state of the image it was built from, so every patch applied after that image was created is gone until someone reinstalls it. Because reapplying those patches is often a manual process, some get missed, and the server quietly returns to a vulnerable state.
“When you look at the problems we saw in 2014, the devil is in the details and companies need to go back and look at their operational practices because you let one little slip happen and you could have a big problem on your hands,” Mong said.
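One operational check that closes the gap described above is to compare a freshly rebuilt host against a manifest of package versions captured from the last host known to be fully patched, and flag anything that is missing or older. The script below is an added example written for this page, not code from HP or from the Cyber Risk Report. It assumes both inputs are in the format produced by `dpkg-query -W -f '${Package} ${Version}\n'`; all package names and version strings in it are constructed sample data, and the version ordering is a simplified reimplementation of dpkg’s rules (epoch first, then alternating non-digit and digit runs, with `~` sorting before everything).

```python
"""Post-reimage patch-drift check (added example, not from HP's report).

Compares the packages on a rebuilt host against a manifest taken from the
last known-patched host and reports every package that is missing or older.
Input format: one 'package version' pair per line, as printed by
    dpkg-query -W -f '${Package} ${Version}\\n'
All names and versions below are constructed sample data.
"""
import re
from itertools import zip_longest

# Manifest captured from the last known-patched host (constructed).
BASELINE_MANIFEST = """\
bash 4.3-7ubuntu1.5
libc6 2.19-0ubuntu6.6
openssh-server 1:6.6p1-2ubuntu2
openssl 1.0.1f-1ubuntu2.15
"""

# Same query on the host after a reimage from a stale golden image (constructed).
REIMAGED_HOST = """\
bash 4.3-7ubuntu1
libc6 2.19-0ubuntu6.6
openssl 1.0.1f-1ubuntu2.2
"""


def parse_manifest(text: str) -> dict:
    """Turn 'package version' lines into a {package: version} dict."""
    packages = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            packages[name] = version.strip()
    return packages


def _cmp_nondigit(a: str, b: str) -> int:
    """dpkg rule for non-digit runs: '~' sorts before anything, even the end
    of the string; letters sort before all other characters."""
    def order(ch):
        if ch == "~":
            return -1
        if ch == "":  # padding past the end of the shorter run
            return 0
        return ord(ch) if ch.isalpha() else ord(ch) + 256
    for x, y in zip_longest(a, b, fillvalue=""):
        if order(x) != order(y):
            return -1 if order(x) < order(y) else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or Debian revision by consuming alternating
    non-digit and digit runs; digit runs are compared numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        na, nb = re.match(r"\D*", a[i:]).group(), re.match(r"\D*", b[j:]).group()
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        i, j = i + len(na), j + len(nb)
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2
    (simplified reimplementation of dpkg --compare-versions ordering)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def find_regressions(baseline: dict, installed: dict) -> dict:
    """Map each package that is missing or older than the baseline to
    (baseline_version, installed_version_or_None)."""
    regressions = {}
    for pkg, want in baseline.items():
        have = installed.get(pkg)
        if have is None or compare_versions(have, want) < 0:
            regressions[pkg] = (want, have)
    return regressions


def check_host() -> dict:
    """Run the drift check on the constructed sample data."""
    return find_regressions(parse_manifest(BASELINE_MANIFEST),
                            parse_manifest(REIMAGED_HOST))


if __name__ == "__main__":
    for pkg, (want, have) in sorted(check_host().items()):
        print(f"{pkg}: baseline {want}, installed {have or 'MISSING'}")
```

In practice the baseline manifest would be regenerated each patch cycle and the check run automatically as the last step of any rebuild, so a host reimaged from an old image cannot return to service while it reports regressions. The same comparison works for a baseline drawn from a vulnerability advisory’s fixed versions rather than from a reference host.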
While unpatched old security holes were the leading cause of cyber incidents last year, attackers are increasingly targeting connected devices, mobile devices in particular, Mong said.
Mong said that HP researchers found no new mobile ransomware samples in January 2014, but by November of last year had seen 183 new types of ransomware targeting Android devices.
Google’s Android operating system has become a primary target for hackers because app marketplaces for Android tend to be less regulated, which makes it easy for attackers to distribute malicious apps that anyone can download.
“That type of surge shows that once we are good corporate citizens and we start patching our servers, start patching our PCs, the adversary starts to maneuver and starts to change the game,” Mong said. “And in this case, they are attacking Android mobile devices because there is opportunity there.”