8/22/2018
09:05 AM
Jeffrey Burt

Vulnerable Web Apps Top Threat to Enterprises

A report by Kaspersky researchers found that 73% of successful network perimeter breaches in 2017 were committed via web apps, while inside threats continue to put companies at risk.

Web applications were by far the top cause of successful breaches of corporate networks last year, according to researchers at Kaspersky Lab.

According to the cybersecurity vendor's report, Security Assessment of Corporate Information Systems 2017, issued this month, 73% of successful perimeter breaches in 2017 were done through vulnerable web applications. In addition, while companies seem to understand the need to protect their networks against external threats, they are much more lax when the threat comes from within, according to Sergey Okhotin, senior security analyst of security services analysis at Kaspersky and one of the study's authors.

The report was based on an analysis of penetration tests conducted on corporate networks.

The overall level of protection against external attackers was deemed low or extremely low for 43% of all companies, the researchers wrote in a blog post. Protection against internal threats, however, was rated low or extremely low for 93%.

"The overall security level against external intruders is higher than against internal intruders," Okhotin told Security Now in an email. "Companies pay insufficient attention to the security of the internal network. It means that once the attacker is able to get inside the corporate network via breaching the network perimeter, social engineering attack or other possible vector, there is a high probability that the attacker would be able to obtain total control over the entire network and get access to the business's critical resources."

Insider security threats continue to haunt corporations. A report conducted earlier this year by the Ponemon Institute for startup ObserveIT found that enterprises spend an average of $8.76 million every 12 months to address the damage done from an inside threat, work that usually takes about two months. (See Insider Threats Cost Enterprises More Than $8M Every Year Report.)

The rate of network breaches caused by vulnerable web applications and the low level of defenses against internal threats were part of a larger pattern of security shortfalls that some organizations should be able to shore up fairly easily.

"Though security of web applications is still quite often underestimated, the most common examples include rolling out untested web applications to fit in the tight schedule driven by business needs and blind trust in third-party developers providing applications to be hosted on the organization's perimeter," Okhotin said. "Both of these mentioned cases highlight the urgent need to implement and enforce proper SDLC processes both for in-house and third-party application development."

Another example concerned a vulnerability that was widely exploited in the high-profile WannaCry and NotPetya/ExPetr ransomware attacks, as well as in individual targeted attacks, according to the researchers. The vulnerability, MS17-010, was detected in 75% of companies that conducted internal pen testing after information about it was published. Some organizations didn't update their Windows systems for seven to eight months after Microsoft released the patch. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"Additionally, 78% of these companies were tested more than three months after the update had been released," Okhotin said. "This was unexpected because information about this vulnerability was widely covered by mass media. The cited numbers emphasize the fact that a timely and robust patch management process is still to be achieved in a significant portion of large enterprises."

That, combined with the fact that obsolete software was detected on the network perimeter of 86% of analyzed companies and in the internal networks of 80% of organizations, is an indication of poor implementation of basic IT security processes, which puts many enterprises at risk of security breaches, the researchers said.
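The patch-lag figures above (75% of companies still exposed to MS17-010 months after the fix shipped, 78% tested more than three months after release) are the kind of metric a patch management process should produce for itself before a pen tester does. The following is an added example, not code from the Kaspersky report or the article: it takes a constructed inventory of hosts and the date each one applied a given patch, computes how long every host stayed exposed after the bulletin's release date, and flags hosts that exceed a policy window. The host names, install dates, assessment date and 30-day window are all constructed assumptions; the only value taken from real life is the MS17-010 release date (14 March 2017).

```python
"""Patch-lag compliance report (added example, not from the article or report).

Given an inventory of hosts and when each applied a patch, compute how many
days each host stayed exposed after the bulletin was released and flag hosts
that exceed a policy window. Inventory records and the window are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# MS17-010 is the bulletin named in the article; Microsoft released it on
# 2017-03-14. The 30-day policy window is an assumption for this example.
MS17_010_RELEASED = date(2017, 3, 14)
PATCH_WINDOW_DAYS = 30


@dataclass
class HostPatchRecord:
    host: str
    patch_id: str
    released: date
    installed: Optional[date]  # None means still unpatched at assessment time


def patch_lag_days(record: HostPatchRecord, assessed_on: date) -> int:
    """Days the host was exposed: from release until install, or until the
    assessment date if the patch is still missing."""
    end = record.installed if record.installed is not None else assessed_on
    return max(0, (end - record.released).days)


def compliance_report(records: List[HostPatchRecord], assessed_on: date,
                      window_days: int = PATCH_WINDOW_DAYS) -> Dict[str, object]:
    """Summarise patch lag across the inventory for one assessment date."""
    lags: Dict[str, int] = {}
    over_window: List[str] = []
    unpatched: List[str] = []
    for r in records:
        lag = patch_lag_days(r, assessed_on)
        lags[r.host] = lag
        if r.installed is None:
            unpatched.append(r.host)
        if lag > window_days:
            over_window.append(r.host)
    total = len(records)
    return {
        "assessed_on": assessed_on.isoformat(),
        "hosts": total,
        # Hosts still missing the patch on the assessment date, like the 75%
        # of companies in the report where MS17-010 was still found.
        "unpatched": sorted(unpatched),
        "unpatched_pct": round(100 * len(unpatched) / total) if total else 0,
        # Hosts that took longer than policy allows, whether or not they
        # eventually patched.
        "over_window": sorted(over_window),
        "max_lag_days": max(lags.values()) if lags else 0,
        "lag_days": lags,
    }


# Constructed inventory: five hosts, assessed about seven months after release.
SAMPLE_RECORDS = [
    HostPatchRecord("fs01", "MS17-010", MS17_010_RELEASED, date(2017, 3, 28)),
    HostPatchRecord("dc01", "MS17-010", MS17_010_RELEASED, date(2017, 5, 2)),
    HostPatchRecord("app02", "MS17-010", MS17_010_RELEASED, None),
    HostPatchRecord("print01", "MS17-010", MS17_010_RELEASED, None),
    HostPatchRecord("hr-web", "MS17-010", MS17_010_RELEASED, date(2017, 10, 9)),
]
SAMPLE_ASSESSMENT_DATE = date(2017, 10, 16)


if __name__ == "__main__":
    report = compliance_report(SAMPLE_RECORDS, SAMPLE_ASSESSMENT_DATE)
    for key in ("assessed_on", "hosts", "unpatched", "unpatched_pct",
                "over_window", "max_lag_days"):
        print(f"{key}: {report[key]}")
```

Run against the constructed inventory, the report shows two of five hosts (40%) still unpatched seven months on and four of five outside the 30-day window, with a worst-case lag of 216 days. Feeding the same function real inventory data from a configuration management database gives the "time to patch" number the report says most large enterprises still lack.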

Along with web applications, publicly available management interfaces with weak or default credentials were another common avenue for penetrating the network perimeter, according to the report. Kaspersky experts were able to gain the highest privileges in the entire IT infrastructure in 29% of external pen test projects.

Not every company was lacking in its security processes, according to Okhotin. The companies tested had a range of cybersecurity maturity levels, including some with well-established security processes such as monitoring and regular security assessment. At these companies, even when an attack succeeded, their security teams were quick to detect it and prevent it from developing further.

"The report describes the most common vulnerabilities found in both types of organizations," he said. "Some organizations have implemented the majority of the security measures mentioned in the report. Although we were still able to get access to the business-critical resources, it took much more effort and time. The result significantly depends on how well the security measures are implemented. The security is determined by the weakest element. It can be a user with a weak, common password, default built-in credentials on one system, or a recently set up web application that hadn't been tested yet."

The recommendations listed by the Kaspersky researchers include closely monitoring firewall rules and web application use, finding and using updates for vulnerable software, implementing password policies to encourage users to create strong passwords, running regular security assessments for IT infrastructures -- including applications -- and putting a strategy in place to detect cyberattacks at an early stage, along with a response plan.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
