Vulnerabilities in web applications at the heart of 73% of breaches, Kaspersky finds

Pen test analysis finds 43% of companies have low or extremely low levels of security

The vast majority of successful breaches into corporate networks last year were caused by vulnerable web applications, according to a Kaspersky Lab analysis of penetration tests.

Against a backdrop of increasingly-common remote and cloud-based working habits, experts found that 73% of successful beaches exploited weaknesses in web applications, with 43% of organisations assessed having 'low or extremely low' protection against external threats.

Kaspersky's latest 'Security Assessment of Corporate Information Systems' comprised an examination of the security configurations of organisations across various industries, and in the public sector, finding that only 14% had above 'average levels' of security.

Using its own metrics and methodology, the cyber security firm said 29% of companies examined had 'extremely low' levels of security, with a further 29% scoring 'average' levels. No organisation assessed achieved 'high' levels of security.

Advertisement
Advertisement - Article continues below

The information security landscape, meanwhile, is even worse, with a 'low or extremely low' level of protection identified for 93% of all organisations. In 86% of cases Kaspersky's experts were able to gain the highest internal network privileges in an organisation, and for 42% of companies only two attack steps were needed to achieve this.

"Our research has shown that vulnerable web applications can provide gateways into corporate networks," said Kaspersky Lab's principal security researcher David Emm.

"There are many security measures that can be implemented to guard against this nature of attack - half of these breaches could have been prevented by restricting access to management interfaces.

"We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them."

Kaspersky's analysis showed "unambiguously" that sufficient attention is not being paid to the security of web applications.

Damningly, all web applications used by government organisations had high-risk vulnerabilities, with an average of 2.6 high-risk vulnerabilities per application. E-commerce web applications, on the other hand, contained the fewest high-risk weaknesses.

Arbitrary file upload proved the most widespread vulnerability exploited to gain access to a network, while other vulnerabilities, such as SQL injection, arbitrary file reading, and XML external entity, were used to steal sensitive information such as passwords.

"To improve their security stances, companies are recommended to pay special attention to web application security, timely updates of vulnerable software, password protection and firewalling rules," the research paper concluded.

"The task of completely preventing compromising of information resources becomes extremely difficult in large networks, or even impossible when attacks are launched using 0-day vulnerabilities.

"Therefore, it is important to ensure that information security incidents are detected as early as possible."

Advertisement
Advertisement - Article continues below

The need for organisations to bolster their cyber security infrastructure and guard against both external and internal breaches has arguably never been greater.

Companies must be especially vigilant in light of the newly-introduced General Data Protection Regulation (GDPR), which carries a fine of up to 20 million or 4% of global annual turnover for the most serious breaches.

In light of the growing threat of cyber attack and malicious infiltration organisations of all sizes and in all industries now face, Gartner recently revealed that global security spending is expected to exceed $124 billion by the end of 2019.

Whether this level of expenditure is high enough or is being committed into the right areas, remains to be seen - but Kaspersky's analysis certainly painted a bleak picture for the global cyber security landscape in 2017, at the very least.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019