Daily Video: Lack of Patching Remains a Top Security Risk, HP Finds
Organizations aren't properly patching their systems, according to the findings of Hewlett-Packard's 2015 Cyber Risk report. The study used data collected across HP's security teams in 2014 to determine that 44 percent of system breaches could be attributed to patched vulnerabilities that were between 2 and 4 years old.
Jewel Timpe, manager of threat research for HP Security Research, told eWEEK that patching is hard for a number of reasons. She explained that in enterprises, the sheer volume of patches IT departments need to apply across multiple systems, while ensuring the patch doesn't break any custom applications or business critical applications is daunting and resource-heavy.
Java-related exploits are an example of a class of patched vulnerabilities that continue to show up in HP's research. Java represented 48 percent of all Web or email exploit samples in 2014, HP's study found.
Brian Gorenc, manager of vulnerability research for HP Security reported the same basic finding at the 2014 Black Hat conference in Las Vegas. At the time, Gorenc reported that the majority of Java malware attacks were leveraging old vulnerabilities because many organizations aren't reliably implementing all of the released patches.
In contrast, HP's report also noted that Oracle has made significant gains in 2014 in securing Java. The report noted that, in 2014, Oracle introduced click-to-play as a security measure, making the execution of unsigned Java code more difficult. Oracle's click-to-play security measure had such a positive impact on Java security that HP stated that it did not encounter any serious Java zero-day flaws in 2014.
Timpe concluded in his interview with eWEEK that he doesn’t understand why the problems with existing software flaws continue because the issues cited in this report are not new and the tech industry knows how to fix them.