Website doors are still wide open to hackersThursday, August 10, 2017
Many company websites still contain critical vulnerabilities that criminals can use to carry out a variety of attacks, say researchers.
Researchers have warned that in spite of widespread publicity and best practice guidance, enterprises are still not securing their corporate website assets from even the best-known and most critical vulnerabilities.
In a recent study it was discovered that more than half of corporate websites contain critical vulnerabilities that attackers could use to perform denial of service, steal personal data, and cause other severe consequences.
Security flaws were found in all the applications analysed by Positive Technologies, with 58 per cent having at least one high-severity vulnerability. At the same time, the total number of websites with high-severity vulnerabilities decreased by 12 per cent compared with 2015. High-risk vulnerabilities were found in 74 per cent of applications belonging to telecommunications companies, the highest rate of any industry. But when focussing on possible consequences, the worst security situation was found in manufacturing (with 43 per cent of websites rated as "extremely poor") and perhaps most concerningly of all, e-commerce (34 per cent).
Hackers can take advantage of insecure web applications as a way to infect other targets, including users, with 94 per cent of those applications making such attacks possible by using 5 of the 10 most common application vulnerabilities. Researchers were able to obtain personal data from 20 per cent of web applications that process such data, including bank and government websites.
The results corroborate testing by High-Tech Bridge’s team of security experts, who found that a concerning 83 per cent of mobile apps within banking, financial and retail sectors have a mobile backend (web services and APIs) that is vulnerable to at least one high-risk security vulnerability. Most popular vulnerabilities are insufficient, or missing, authorization when accessing sensitive data or data belonging to other users. However, the High-Tech Bridge team point out that more than 95 per cent of vulnerabilities residing in mobile application code are not easily exploitable and do not pose a major risk because they require another malicious application already installed on a device, and/or an attacker in the same network segment as the victim, and thus are hardly exploitable in the wild. The most popular flaw in mobile applications within banking, financial and retail sectors is insecure, or cleartext storage of sensitive or authentication data on a mobile device.
This year's Verizon Data Breach Investigations Report found that, when it comes to different types of attack, Web Application Attacks remain the most common, due to their high likelihood of success.
Ilia Kolochenko, CEO of High-Tech Bridge commented on web application security situation: “I think the biggest problem for enterprise here is inappropriate risk assessment, management and mitigation. Many organizations significantly underestimate the importance of web application security and still believe that web applications are "just a front-end". However, as DBIR clearly states, the main attack vector is insecure applications.
Another factor here is outdated or missing web application inventory - quite a lot of web applications are still running in production after the end of their life-cycle, opening doors to cyber gangs. Many of the largest data breaches and targeted attacks in the past years were conducted via abandoned, forgotten or flawed web applications.
“Finally, security of web application is a continuous process consisting of numerous synchronized solutions. Today, a WAF is very far from being enough to protect your web infrastructure. I'd suggest exploring the benefits of a DevSecOps model to assure a good level of your web security.”
Interestingly, the Positive Technologies researchers found that production (in-use) web applications are often more vulnerable than those still in the development phase. In fact, high-severity vulnerabilities were found on 50 per cent of testbeds but on 55 per cent of production systems. Or in other words, Devs 1, Production 0.