IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Vulnerabilities in web applications at the heart of 73% of breaches, Kaspersky finds

Pen test analysis finds 43% of companies have low or extremely low levels of security

A padlock on a motherboard surrounded by keys

The vast majority of successful breaches into corporate networks last year were caused by vulnerable web applications, according to a Kaspersky Lab analysis of penetration tests.

Against a backdrop of increasingly-common remote and cloud-based working habits, experts found that 73% of successful beaches exploited weaknesses in web applications, with 43% of organisations assessed having 'low or extremely low' protection against external threats.

Kaspersky's latest 'Security Assessment of Corporate Information Systems' comprised an examination of the security configurations of organisations across various industries, and in the public sector, finding that only 14% had above 'average levels' of security.

Using its own metrics and methodology, the cyber security firm said 29% of companies examined had 'extremely low' levels of security, with a further 29% scoring 'average' levels. No organisation assessed achieved 'high' levels of security.

The information security landscape, meanwhile, is even worse, with a 'low or extremely low' level of protection identified for 93% of all organisations. In 86% of cases Kaspersky's experts were able to gain the highest internal network privileges in an organisation, and for 42% of companies only two attack steps were needed to achieve this.

"Our research has shown that vulnerable web applications can provide gateways into corporate networks," said Kaspersky Lab's principal security researcher David Emm.

"There are many security measures that can be implemented to guard against this nature of attack - half of these breaches could have been prevented by restricting access to management interfaces.

"We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them."

Kaspersky's analysis showed "unambiguously" that sufficient attention is not being paid to the security of web applications.

Damningly, all web applications used by government organisations had high-risk vulnerabilities, with an average of 2.6 high-risk vulnerabilities per application. E-commerce web applications, on the other hand, contained the fewest high-risk weaknesses.

Arbitrary file upload proved the most widespread vulnerability exploited to gain access to a network, while other vulnerabilities, such as SQL injection, arbitrary file reading, and XML external entity, were used to steal sensitive information such as passwords.

"To improve their security stances, companies are recommended to pay special attention to web application security, timely updates of vulnerable software, password protection and firewalling rules," the research paper concluded.

"The task of completely preventing compromising of information resources becomes extremely difficult in large networks, or even impossible when attacks are launched using 0-day vulnerabilities.

"Therefore, it is important to ensure that information security incidents are detected as early as possible."

The need for organisations to bolster their cyber security infrastructure and guard against both external and internal breaches has arguably never been greater.

Companies must be especially vigilant in light of the newly-introduced General Data Protection Regulation (GDPR), which carries a fine of up to 20 million or 4% of global annual turnover for the most serious breaches.

In light of the growing threat of cyber attack and malicious infiltration organisations of all sizes and in all industries now face, Gartner recently revealed that global security spending is expected to exceed $124 billion by the end of 2019.

Whether this level of expenditure is high enough or is being committed into the right areas, remains to be seen - but Kaspersky's analysis certainly painted a bleak picture for the global cyber security landscape in 2017, at the very least.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022