Top vulnerability trends and how to fix them

20.Feb.2020
Srinivasan Jayaraman, Vulnerability Research Manager at Outpost24,
Over a 12-month period from Nov 2018 to 2019, we’ve analyzed vulnerability data collected from over 2 million assets, across 10 markets and 9 sectors to discover the top vulnerability trends. Within that we reported over 150 million findings from the 375,379 unique scanned assets, the message is clear – every business and industry across the globe are affected by security vulnerabilities.
vulnerability trends

In this blog our Vulnerability Research team have summarized the reported findings from Outpost24’s full stack security assessment solution and broken down by region and industry based on CVSS criticality to identify the key trends on the most common weaknesses and vulnerabilities affecting organizations and offering expert guidance on how best to tackle them.

Top vulnerability trends: UK, Netherlands and Brazil are most at risk

We looked at different parameters across our vulnerability data including OWASP Top 10 and CWE weakness information for this analysis. The data insights we’ve collected for the levels of risk posture across regions is an interesting trend and we found 50% in The Netherlands and 40% in the UK are of high-risk vulnerabilities. This high volume could be due to factors including the triage process for solving vulnerabilities and the data provides a benchmark for how each region performs in comparison to others. There is a large share of medium vulnerabilities with Japan having the lowest % of high risk vulnerabilities. Poor security hygiene and digital maturity could be a contributing factor to the regional difference.

top vulnerability trends figure 1

 

High risk vulnerabilities a growing threat for manufacturing

Looking at the volumes of risk from low to high across industries, the majority have approximately 10%-20% high risks however for manufacturing this rises to 50% of vulnerabilities at a critical risk level, which shows that this industry is missing key vulnerability management processes and means the time to patch is longer.

top vulnerability trends figure 2

 

Hackers have the advantage when it comes to average time to patch

Our data reveals the average time to patch is 105 days, whilst the average time it takes between a vulnerability being identified and exploited has dropped from 45 days to 15 days over the past decade. This leaves a window of almost 3 months for hackers to exploit vulnerabilities when they are left unpatched.

top vulnerability trends figure 3

 

When we break it down by industry it’s clear that Energy & Agriculture and Retail/Wholesale are lagging and putting themselves at a greater risk with 182 days and 135 days respectively. The issue surrounding time for patch for Retail (135 days) in particular, is the growing appetite for hackers to target POS and external facing ecommerce stores containing data for thousands of customers including their personal and credit card details – as seen in the Macy’s, Target Store and eBay attacks.

 

Bringing down the average time to patch to below 15 days is the ideal solution however the sheer volume of vulnerabilities makes it difficult for most organizations to do so, hence we recommend taking a risk-based approach utilizing threat intelligence and risk indicators to predict the likelihood of exploitability and prioritize remediation for vulnerabilities with the biggest risk to save security teams’ time trawling through all the vulnerability information.

 

Security misconfigurations the biggest offender across the board

With cyber security attacks and data breaches on the up, the need for complete vulnerability risk management and shifting left is critical for businesses looking to avoid costly fines and operational downtime. We found 82% of vulnerabilities were due to ‘misconfiguration’ such as firewall mismanagement and password administration. Hackers are always on the lookout for the low hanging fruit such as default passwords ‘admin/admin’ to be able to get in. Here are the most prolific CWEs reported from our scans for networks:

  • CWE–16: Misconfiguration is the most common weakness we found with 82% of cases relating to misconfiguration of software. CWE 16 weaknesses can be introduced due to weak/ default passwords, deprecated protocols, open public database instance or the file system is exposed and not encrypted. This highlights the importance of having fundamental security configurations in place to cover your networks, applications and cloud. If this is ignored by security teams you leave yourself open to hackers and its critical to prioritize checking for misconfiguration and implementing continuous monitoring.
  • CWE–311 and CWE-523: Missing encryption of sensitive data and unprotected transport of credentials contributes to 5% of weakness from our findings in CWE. This is very important to address as regulators are hitting businesses hard regarding GDPR and CCPA as business are heavily scrutinized for how they store and transport their sensitive data. We recommend customers to maintain data sovereignty at all times by maintaining good security practices across their entire business and infrastructure including cloud. It’s interesting to see that we are still seeing data related weaknesses in these vulnerability findings.
  • CWE–79: Improper input validation can lead to hackers performing SQL injection and cross site scripting attacks so depending on the type of input this could lead to a hacker being able to successfully attack your database and cause downtime to your business which could lead to loss in revenue and customers. Implementing an application security testing solution is recommended to give you full coverage of vulnerabilities across your applications including poor code hygiene which can be addressed early on in the SDLC before they become an open door to hackers.
  • CWE–345: This contributed to 4% of vulnerabilities in our data and relates to authentication bypass and not having sufficient verification for data authenticity. The types of attacks on CWE – 345 can include cache poisoning and this can also lead to secondary attacks as a result of loose security architecture for your environment.
  • CWE–200 and CWE–754: These vulnerabilities relate to information exposure with CWE - 200 being very common in our data findings. Data exposure and improper checks are leading to organizations being unable to prove necessary checking to remain compliant to regulators and customers.

In a similar storyline, security misconfiguration was reported in a whopping 86% of web applications assessed against OWASP Top 10.

  • A6: Security misconfiguration was the main weakness we found (86%). An example of this is the Capital One hack where security misconfiguration within an Amazon S3 bucket lead to a catastrophic data breach. It’s becoming very common practice for hackers to spot and exploit loose permission in servers and agile DevOps cycles. This is where an automated scanner can help test apps against A6 vulnerabilities and continuously checks for common misconfiguration issues including default passwords and improper access controls.
  • A7: XSS Attacks has grown since the infancy of the Internet and evolved into malicious attacks like Magecart affecting some of the world’s biggest brands including British Airways, Fortnite and MySpace, and this is often an area a hacker will first look to exploit as a means for attack.
  • A3: Sensitive information in clear text is prominent where a hacker can spot failures to protect data via encryption. Commonly this information is very valuable to hackers as it includes personal information which can be monetized and carries heavy fines for organization who do not comply (4% of annual revenue with GDPR) so it’s very important all data is encrypted and locked.
  • A2: Broken authentication can happen when session IDs are exposed in the URL or user authentication credentials are not protected over unencrypted connections. It gives hackers an opportunity to gain user privileges and unauthorized user account just like what happened to Equifax.

 

Conclusion

These findings show the significant risks businesses are exposed to and could leave you open to a dangerous cyberattack. CWE 16 and OWASP Top 10 A6 are the most common vulnerabilities (82% and 86% coverage), demonstrating misconfiguration is a common problem across enterprise IT systems. Hackers aren’t fussy which industry or region you are in, they’re looking for these common types of weakness to launch successful attacks. Outpost24 can consult on the right tools for your business to protect your data and maintain a good level of security hygiene.

Why Outpost24?

We don’t think its fair organizations are targeted by cybercriminals and our goal is to provide full vulnerability management solutions across the full technology stack to help you to reduce your risk exposure.

Our trusted solutions are easy to deploy using our Rest API and can deliver immediate results to help you prioritize remediation efforts more effectively and meet regulatory compliance from day one

 

Book a free demo

Looking for anything in particular?

Type your search word here