In last year’s Coalfire Penetration Risk Report, large enterprises, despite bigger budgets and resources, lagged mid-sized businesses in protecting their assets and mitigating security risks.
This year’s findings, however, tell a different story. The updated data show that it’s mid-sized businesses that now carry the highest risk factors, based on “hundreds of engagements performed by the company's adversarial simulation and penetration testing team.” For mid-sized businesses, the culprit is increased risk from migrating to cloud computing, the cybersecurity risk management consultant said. By contrast, large enterprises have become the most secure, partly due to access to "more big tech providers."
"Last year, the data surprised us by showing that mid-sized businesses hit the cybersecurity 'sweet spot' despite the higher security budgets and resources of larger enterprises," said Mike Weber, Coalfire vice president. "In 2019, large enterprises are filling the gaps faster, and mid-sized businesses find themselves scrambling to keep up."
In this year’s study, Coalfire separated cloud service providers from enterprises to illuminate the risks in each environment.
Here are the report’s key findings:
- Out-of-date software and non-secure protocols were the top vulnerabilities in the enterprise space. For cloud providers, security misconfiguration was the highest risk factor.
- The top five application vulnerabilities for 2019 were cross-site scripting, injection, security misconfiguration, password flaws, and sensitive data exposure. Several of the top vulnerabilities from 2018 -- broken authentication/session management, use of known vulnerable components, and missing function-level access control -- did not rank as significant this year.
- Phishing continues to be a serious issue – in 71% of Coalfire's testing engagements, organizations experienced at least one full compromise of credentials. In 20% of the tests, organizations saw approximately half of their targeted employees give up their credentials.
- The financial services sector is the most susceptible to cybercrime. The technology/cloud, retail and healthcare verticals maintained security postures similar to 2018.
- Compared with the wide variance between verticals last year, vulnerability rates across vertical markets have converged, and almost all verticals show fewer high-risk findings. The report attributes this to the shift toward cloud solutions, which reduces the number of on-premises IT assets organizations must secure and maintain.
- Compliance struggles, privacy management, a growing number of third-party vendor assessments and ongoing payment card industry challenges combined to produce a 17% increase in external risk over last year. In education, the data contradicted the perception that educational institutions lack diligence in hardening their systems.
"Though application vulnerabilities are declining, threats from out-of-date software and security misconfiguration are on the rise, and everyone should pay closer attention to the basic, routine security tasks that are clearly still being neglected," said Weber. Despite more resources and skilled pros to handle cloud-specific vulnerabilities, “internal network security remains soft,” he said. It’s mid-sized businesses that are “most vulnerable in this regard."
Coalfire’s advice: Organizations struggle to get configurations right as they leverage multiple cloud infrastructure providers and hybrid environments. "When building applications in the cloud, program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions," Weber said.