Vulnerabilities in web applications at the heart of 73% of breaches, Kaspersky finds

Pen test analysis finds 43% of companies have low or extremely low levels of security

The vast majority of successful breaches into corporate networks last year were caused by vulnerable web applications, according to a Kaspersky Lab analysis of penetration tests.

Against a backdrop of increasingly-common remote and cloud-based working habits, experts found that 73% of successful beaches exploited weaknesses in web applications, with 43% of organisations assessed having 'low or extremely low' protection against external threats.

Advertisement - Article continues below

Kaspersky's latest 'Security Assessment of Corporate Information Systems' comprised an examination of the security configurations of organisations across various industries, and in the public sector, finding that only 14% had above 'average levels' of security.

Using its own metrics and methodology, the cyber security firm said 29% of companies examined had 'extremely low' levels of security, with a further 29% scoring 'average' levels. No organisation assessed achieved 'high' levels of security.

The information security landscape, meanwhile, is even worse, with a 'low or extremely low' level of protection identified for 93% of all organisations. In 86% of cases Kaspersky's experts were able to gain the highest internal network privileges in an organisation, and for 42% of companies only two attack steps were needed to achieve this.

"Our research has shown that vulnerable web applications can provide gateways into corporate networks," said Kaspersky Lab's principal security researcher David Emm.

Advertisement - Article continues below

"There are many security measures that can be implemented to guard against this nature of attack - half of these breaches could have been prevented by restricting access to management interfaces.

Advertisement - Article continues below

"We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them."

Kaspersky's analysis showed "unambiguously" that sufficient attention is not being paid to the security of web applications.

Damningly, all web applications used by government organisations had high-risk vulnerabilities, with an average of 2.6 high-risk vulnerabilities per application. E-commerce web applications, on the other hand, contained the fewest high-risk weaknesses.

Arbitrary file upload proved the most widespread vulnerability exploited to gain access to a network, while other vulnerabilities, such as SQL injection, arbitrary file reading, and XML external entity, were used to steal sensitive information such as passwords.

"To improve their security stances, companies are recommended to pay special attention to web application security, timely updates of vulnerable software, password protection and firewalling rules," the research paper concluded.

"The task of completely preventing compromising of information resources becomes extremely difficult in large networks, or even impossible when attacks are launched using 0-day vulnerabilities.

Advertisement - Article continues below

"Therefore, it is important to ensure that information security incidents are detected as early as possible."

The need for organisations to bolster their cyber security infrastructure and guard against both external and internal breaches has arguably never been greater.

Companies must be especially vigilant in light of the newly-introduced General Data Protection Regulation (GDPR), which carries a fine of up to 20 million or 4% of global annual turnover for the most serious breaches.

In light of the growing threat of cyber attack and malicious infiltration organisations of all sizes and in all industries now face, Gartner recently revealed that global security spending is expected to exceed $124 billion by the end of 2019.

Whether this level of expenditure is high enough or is being committed into the right areas, remains to be seen - but Kaspersky's analysis certainly painted a bleak picture for the global cyber security landscape in 2017, at the very least.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020