Vulnerabilities in web applications at the heart of 73% of breaches, Kaspersky finds

Pen test analysis finds 43% of companies have low or extremely low levels of security

The vast majority of successful breaches into corporate networks last year were caused by vulnerable web applications, according to a Kaspersky Lab analysis of penetration tests.

Against a backdrop of increasingly-common remote and cloud-based working habits, experts found that 73% of successful beaches exploited weaknesses in web applications, with 43% of organisations assessed having 'low or extremely low' protection against external threats.

Kaspersky's latest 'Security Assessment of Corporate Information Systems' comprised an examination of the security configurations of organisations across various industries, and in the public sector, finding that only 14% had above 'average levels' of security.

Using its own metrics and methodology, the cyber security firm said 29% of companies examined had 'extremely low' levels of security, with a further 29% scoring 'average' levels. No organisation assessed achieved 'high' levels of security.

Advertisement - Article continues below
Advertisement - Article continues below

The information security landscape, meanwhile, is even worse, with a 'low or extremely low' level of protection identified for 93% of all organisations. In 86% of cases Kaspersky's experts were able to gain the highest internal network privileges in an organisation, and for 42% of companies only two attack steps were needed to achieve this.

"Our research has shown that vulnerable web applications can provide gateways into corporate networks," said Kaspersky Lab's principal security researcher David Emm.

"There are many security measures that can be implemented to guard against this nature of attack - half of these breaches could have been prevented by restricting access to management interfaces.

"We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them."

Kaspersky's analysis showed "unambiguously" that sufficient attention is not being paid to the security of web applications.

Damningly, all web applications used by government organisations had high-risk vulnerabilities, with an average of 2.6 high-risk vulnerabilities per application. E-commerce web applications, on the other hand, contained the fewest high-risk weaknesses.

Advertisement - Article continues below

Arbitrary file upload proved the most widespread vulnerability exploited to gain access to a network, while other vulnerabilities, such as SQL injection, arbitrary file reading, and XML external entity, were used to steal sensitive information such as passwords.

"To improve their security stances, companies are recommended to pay special attention to web application security, timely updates of vulnerable software, password protection and firewalling rules," the research paper concluded.

"The task of completely preventing compromising of information resources becomes extremely difficult in large networks, or even impossible when attacks are launched using 0-day vulnerabilities.

"Therefore, it is important to ensure that information security incidents are detected as early as possible."

Advertisement - Article continues below

The need for organisations to bolster their cyber security infrastructure and guard against both external and internal breaches has arguably never been greater.

Companies must be especially vigilant in light of the newly-introduced General Data Protection Regulation (GDPR), which carries a fine of up to 20 million or 4% of global annual turnover for the most serious breaches.

Advertisement - Article continues below

In light of the growing threat of cyber attack and malicious infiltration organisations of all sizes and in all industries now face, Gartner recently revealed that global security spending is expected to exceed $124 billion by the end of 2019.

Whether this level of expenditure is high enough or is being committed into the right areas, remains to be seen - but Kaspersky's analysis certainly painted a bleak picture for the global cyber security landscape in 2017, at the very least.

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

How to fix a stuck Windows 10 update

12 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Policy & legislation

What is the Computer Misuse Act?

17 Feb 2020
Domain Name System (DNS)

Firefox activates DNS over HTTPS for US users by default

26 Feb 2020