CyCognito, an external attack surface management specialist, has uncovered what it called a “staggering” number of vulnerable public cloud, mobile and web applications exposing sensitive information.
The discoveries, which also include unsecured APIs and personal identifiable information (PII), were recorded from the company’s newly released, semi-annual State of External Exposure Management study. The report is based on analysis of 3.5 million assets across CyCognito’s enterprise customer base, including a number of Fortune 500 companies.
Nearly three-quarters of cloud and web applications with PII, including social security numbers and banking information, are vulnerable to exploits, the data showed.
Key findings include:
- 74% of assets with PII are vulnerable to at least one known major exploit, and one in 10 have at least one easily exploitable issue.
- 70% of web applications have severe security gaps, like lacking WAF protection or an encrypted connection like HTTPS, while 25% of all web applications (web apps) lacked both.
- The typical global enterprise has over 12 thousand web apps, which include APIs, SaaS applications, servers, and databases, among others. At least 30% of these web apps — more than 3,000 assets — have at least one exploitable or high-risk vulnerability. Half of these potentially vulnerable web apps are hosted in the cloud.
- 98% of web apps are potentially GDPR non-compliant due to lack of opportunity for users to opt out of cookies.
Rob Gurzeev, CyCognito chief executive and co-founder, commented on the study’s findings:
"The latest MOVEit exploit is a cautionary tale for all CISOs that attackers remain many steps ahead of web application and cloud security. The volume of exposed PII stemming from this disastrous breach supports our findings and underscores the critical need for full-scope visibility of all assets across an organization's attack surface. Businesses can no longer afford to neglect their digital shadow and the many unknown and unmanaged risks within their systems."