Press Release: April 19, 2012

HP Research Identifies New Era of Security Risk, Shifting Vulnerability Landscape

Cybersecurity report helps enterprises prioritize and reduce risks

PALO ALTO, Calif. -- HP today published the 2011 Top Cyber Security Risks Report, which identifies the growing sophistication and severity of security attacks and the resulting risks.

The report provides the information to help enterprises and governments understand the threat landscape and assess their security posture.

The report also indicates that hacker motivations are continuously changing due to the growing presence of “hacktivist” groups, such as Anonymous and LulzSec, which perform highly organized attacks in retaliation for perceived wrongdoing. In addition to changing motivation, advances in attack techniques have led to the increased “success” rate of security breaches. As a result, enterprises and governments are faced with new challenges in assessing and remediating risks.

Historically, the number of vulnerabilities disclosed in a year indicated the current state of the security industry and helped organizations prioritize their defenses. According to the report, pure vulnerability volume is no longer a valid indicator of the security risk landscape. While newly reported vulnerabilities in commercial applications continue to decline, a large number of vulnerabilities are unaccounted for, and are therefore undisclosed to the broader security industry.
“To protect organizations against a wide range of attacks, HP has established a global network of security researchers who look for vulnerabilities that were not publicly disclosed,” said Michael Callahan, vice president, Worldwide Product and Solution Marketing, Enterprise Security Products, HP. “The intelligence gained from this research group is built into HP enterprise security solutions in an effort to proactively reduce risk.” 

Shifting vulnerability landscape
Disclosure of new vulnerabilities in commercial applications has slowly declined since 2006, dropping nearly 20 percent in 2011 from the previous year. However, data from the report demonstrates that this decline does not signify decreased risk.

This decline is due to several factors, including the advent of a private market for sharing vulnerabilities. In addition, the proliferation of custom-built web applications, such as retail web sites, has created a market for unique vulnerability exploits that require advanced expertise to locate and address.

Key findings from the report include:

  • Although vulnerability reports have declined, attacks on web applications have more than doubled as measured by HP TippingPoint Intrusion Prevention Systems (IPS) in the second half of 2011.
  • Nearly 24 percent of new vulnerabilities disclosed in commercial applications in 2011 have a severity rating of 8 to 10. These vulnerabilities can result in a remote code execution, the most dangerous type of attack.
  • Roughly 36 percent of all vulnerabilities are in commercial web applications.
  • Approximately 86 percent of web applications are vulnerable to an injection attack, which is when hackers access internal databases through a website.
  • Due to a high success rate, web exploit toolkits continued to be popular in 2011. These “packaged” attack frameworks are traded or sold online, enabling hackers to access enterprise IT systems and steal sensitive data. For example, the Blackhole Exploit Kit is used by most cybercriminals, and reached an unusually high infection rate of more than 80 percent in late November 2011.

To combat changing security risks, HP offers the HP Security Intelligence and Risk Management (SIRM) platform, an integrated platform of risk-driven security solutions. HP SIRM delivers visibility across traditional, mobile and cloud environments enabling enterprises to apply adaptive security defenses based on specific organizational risk.

The Cyber Security Risks Report has been published every six months since 2009 by HP DVLabs, a premier research organization for vulnerability analysis and discovery. HP DVLabs analyzed security exploit data from thousands of deployed HP TippingPoint Intrusion Prevention Systems (IPS). The data was then correlated with information from the following sources:

Data from HP DVLabs is also fed into HP Information Security Pulse, a free mobile application that enables IT security professionals to monitor current cyberthreat trends in real time. The application is currently available for the HP webOS ecosystem and will soon be available on iOS and Android mobile tablet devices.

On Wednesday, May 2, at 11 a.m. CT, Jason Jones, engineer, Advanced Security Intelligence, HP DVLabs, and Adam Hils, senior product manager, HP Fortify, will present the Top Security Threats and Trends: 2011 Cyber Security Risks Report webinar.

HP’s premier client event, HP Discover, will take place June 4-7 in Las Vegas.

HP’s annual enterprise security event, HP Protect, will take place Sept. 10-12 in Nashville, Tenn.

This news release contains forward-looking statements that involve risks, uncertainties and assumptions. If such risks or uncertainties materialize or such assumptions prove incorrect, the results of HP and its consolidated subsidiaries could differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including but not limited to statements of the plans, strategies and objectives of management for future operations, including execution of cost reduction programs and restructuring and integration plans; any statements concerning expected development, performance or market share relating to products and services; any statements regarding anticipated operational and financial results; any statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. Risks, uncertainties and assumptions include macroeconomic and geopolitical trends and events; the competitive pressures faced by HP's businesses; the development and transition of new products and services (and the enhancement of existing products and services) to meet customer needs and respond to emerging technological trends; the execution and performance of contracts by HP and its customers, suppliers and partners; the protection of HP's intellectual property assets, including intellectual property licensed from third parties; integration and other risks associated with business combination and investment transactions; the hiring and retention of key employees; expectations and assumptions relating to the execution and timing of cost reduction programs and restructuring and integration plans; the resolution of pending investigations, claims and disputes; and other risks that are described in HP's Quarterly Report on Form 10-Q for the fiscal quarter ended January 31, 2012 and HP's other filings with the Securities and Exchange Commission, including HP's Annual Report on Form 10-K for the fiscal year ended October 31, 2011. HP assumes no obligation and does not intend to update these forward-looking statements.

© 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

About HP

HP Inc. creates technology that makes life better for everyone, everywhere. Through our portfolio of printers, PCs, mobile devices, solutions, and services, we engineer experiences that amaze. More information about HP Inc. is available at