The report provides the information to help enterprises and governments understand the threat landscape and assess their security posture.
The report also indicates that hacker motivations are continuously changing due to the growing presence of “hacktivist” groups, such as Anonymous and LulzSec, which perform highly organized attacks in retaliation for perceived wrongdoing.
In addition to changing motivation, advances in attack techniques have led to the increased “success” rate of security breaches. As a result, enterprises and governments are faced with new challenges in assessing and remediating risks.
Historically, the number of vulnerabilities disclosed in a year indicated the current state of the security industry and helped organizations prioritize their defenses.
According to the report, pure vulnerability volume is no longer a valid indicator of the security risk landscape. While newly reported vulnerabilities in commercial applications continue to decline, a large number of vulnerabilities are unaccounted for, and are therefore undisclosed to the broader security industry.
Shifting vulnerability landscape
Disclosure of new vulnerabilities in commercial applications has slowly declined since 2006, dropping nearly 20 percent in 2011 from the previous year. However, data from the report demonstrates that this decline does not signify decreased risk.
This decline is due to several factors, including the advent of a private market for sharing vulnerabilities. In addition, the proliferation of custom-built web applications, such as retail web sites, has created a market for unique vulnerability exploits that require advanced expertise to locate and address.
Key findings from the report include:
- Although vulnerability reports have declined, attacks have more than doubled as measured by HP TippingPoint Intrusion Prevention Systems (IPS) in the second half of 2011.
- Nearly 24 percent of new vulnerabilities disclosed in commercial applications in 2011 have a severity rating of 8 to 10. These vulnerabilities can result in a remote code execution, the most dangerous type of attack.
- Roughly 36 percent of all vulnerabilities are in commercial web applications.
- Approximately 86 percent of web applications are vulnerable to an injection attack, which is when hackers access internal databases through a website.
- Due to a high success rate, web exploit toolkits continued to be popular in 2011. These “packaged” attack frameworks are traded or sold online, enabling hackers to access enterprise IT systems and steal sensitive data. For example, the Blackhole Exploit Kit is used by most cybercriminals, and reached an usually high infection rate of more than 80 percent in late November 2011.