Vulnerabilities in web applications at the heart of 73% of breaches, Kaspersky finds

A padlock on a motherboard surrounded by keys

The vast majority of successful breaches into corporate networks last year were caused by vulnerable web applications, according to a Kaspersky Lab analysis of penetration tests.

Against a backdrop of increasingly-common remote and cloud-based working habits, experts found that 73% of successful beaches exploited weaknesses in web applications, with 43% of organisations assessed having 'low or extremely low' protection against external threats.

Kaspersky's latest 'Security Assessment of Corporate Information Systems' comprised an examination of the security configurations of organisations across various industries, and in the public sector, finding that only 14% had above 'average levels' of security.

Using its own metrics and methodology, the cyber security firm said 29% of companies examined had 'extremely low' levels of security, with a further 29% scoring 'average' levels. No organisation assessed achieved 'high' levels of security.

The information security landscape, meanwhile, is even worse, with a 'low or extremely low' level of protection identified for 93% of all organisations. In 86% of cases Kaspersky's experts were able to gain the highest internal network privileges in an organisation, and for 42% of companies only two attack steps were needed to achieve this.

"Our research has shown that vulnerable web applications can provide gateways into corporate networks," said Kaspersky Lab's principal security researcher David Emm.

"There are many security measures that can be implemented to guard against this nature of attack - half of these breaches could have been prevented by restricting access to management interfaces.

"We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them."

Kaspersky's analysis showed "unambiguously" that sufficient attention is not being paid to the security of web applications.

Damningly, all web applications used by government organisations had high-risk vulnerabilities, with an average of 2.6 high-risk vulnerabilities per application. E-commerce web applications, on the other hand, contained the fewest high-risk weaknesses.

Arbitrary file upload proved the most widespread vulnerability exploited to gain access to a network, while other vulnerabilities, such as SQL injection, arbitrary file reading, and XML external entity, were used to steal sensitive information such as passwords.

"To improve their security stances, companies are recommended to pay special attention to web application security, timely updates of vulnerable software, password protection and firewalling rules," the research paper concluded.

"The task of completely preventing compromising of information resources becomes extremely difficult in large networks, or even impossible when attacks are launched using 0-day vulnerabilities.

"Therefore, it is important to ensure that information security incidents are detected as early as possible."

The need for organisations to bolster their cyber security infrastructure and guard against both external and internal breaches has arguably never been greater.

Companies must be especially vigilant in light of the newly-introduced General Data Protection Regulation (GDPR), which carries a fine of up to 20 million or 4% of global annual turnover for the most serious breaches.

In light of the growing threat of cyber attack and malicious infiltration organisations of all sizes and in all industries now face, Gartner recently revealed that global security spending is expected to exceed $124 billion by the end of 2019.

Whether this level of expenditure is high enough or is being committed into the right areas, remains to be seen - but Kaspersky's analysis certainly painted a bleak picture for the global cyber security landscape in 2017, at the very least.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.