Vulnerable web apps: An organisation’s weak point?

According to annual security tests conducted by Kaspersky Lab, 73% of successful perimeter breaches were achieved via vulnerable web applications. The most dangerous attacks are specifically planned in relation to the vulnerabilities of a particular organisation. And each organisation’s IT infrastructure is unique.

Kaspersky’s report found that the web applications of government bodies were the most insecure, with high-risk vulnerabilities found in every application. By contrast, e-commerce applications are better protected from possible external interference.

>Read more on The common security vulnerabilities of mobile devices

“Our research has shown that vulnerable web applications can provide gateways into corporate networks. There are many security measures that can be implemented to guard against this nature of attack – half of these breaches could have been prevented by restricting access to management interfaces. We encourage IT security specialists to identify the vulnerabilities their organisations have and focus on strengthening them,” said David Emm, principal security researcher at Kaspersky Lab.

Low levels of protection

The results of the 2017 research revealed that the level of protection against external cyber attacks was low or extremely low, for 43% of analysed companies. Based on the results of the survey, it is clear the issue of security should be a top business consideration for the boardroom, and a top technology consideration for CTOs and CISOs.

>Read more on the CTO vs. CISO: Who should have ultimate responsibility for cyber security

In 29% of external penetration test projects, Kaspersky Lab experts successfully gained the highest privileges in the entire IT infrastructure, including administrative-level access to the most important business systems, servers, network equipment and employee workstations.

Internal networks are more vulnerable

The information security situation in companies’ internal networks was even worse, according to the report. The level of protection against internal attackers was identified as low or extremely low for 93% of all analysed companies.

The highest privileges in the internal network were obtained in 86% of the analysed companies; and for 42% of them it took only two attack steps to achieve this. Breaching the highest privileges allows the attackers to take complete control over the whole network, including business critical systems.

Update your software!

The impact of the WannaCry ransomware attack on the NHS, and other organisations across the world, was caused – in part – by obsolete software. Even when software patches are released, companies are slow to update their current systems.

>Read more on Does software quality equal software security?

In the report, this obsolete software was identified on the network perimeter of 86% of the analysed companies, and in the internal networks of 80% of companies. This suggests a poor implementation of basic IT security processes, which leaves the enterprise as an easy targets for attackers.

Security tips

In order to mitigate the threats posed by cyber attackers, and enhance internal cyber security practice, CTOs should follow these guidelines:

• Pay special attention to web application security, timely updates of vulnerable software, password protection and firewall rules.

• Run regular security assessments for IT-infrastructure (including applications).

• Ensure that information security incidents are detected as early as possible. Timely detection of threat actor activities at the early stages of an attack, and a prompt response, may help prevent or substantially mitigate the damage caused.

• Mature organisations where well-established processes are in place for security assessment, vulnerability management and detection of information security incidents, may want to consider running Red Teaming-type tests. Such tests help check how well infrastructures are protected against highly skilled attackers operating with maximum stealth, as well as help train the information security service to identify attacks and react to them in real-world conditions.

Avatar photo

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.