Study finds it’s still the basics causing critical threats for businesses

30 Aug 2017

In today’s modern age, companies are inundated with cybersecurity threats every day – but which are the most critical?

New findings recently published by Context Information Security reveal that more than 60 percent of high and critical vulnerabilities in web applications are still accounted for by cross site scripting, weak authentication and TLS (transport layer security).

The research was based on 14,000 vulnerabilities identified and qualified from around 1,300 manually guided penetration tests.

Around 1,700 of these (thirteen percent) were rated as high or critical impact and likely to result in unauthorised access or a compromise of user data or application functionality that could lead to financial or legal impact.

Assurance regional lead for Scotland at Context Information Security, Andrew Scott says it’s time for businesses to wise up to these ‘old’ threats.

“These threats have been around for years, but it appears that the message is still not getting through,” says Scott.

“If an organisation were to focus on educating developers and their supply chain to prevent cross site scripting and authentication problems, while creating robust deployment processes for TLS, a large proportion of these problems could be avoided.”

In addition to these findings, the study also delved into the ratio of critical or high findings to total findings for each category.

Context Information Security uses the example of session management problems: more than 400 were identified, but only 2 percent of them offered a direct route to compromise.

However, cross site scripting was found around 300 times but a whopping half of them were critical or high, which shows that interventions around addressing these areas at source can have a greater impact on the risk profile of an application or organisation.

What is concerning is that the largest number of high or critical findings were around weak authentication – covering everything from password strength, storage and reset processes through to how cookies are created and handled.

Context Information Security also found close to 1,000 issues related to the communication channel, suggesting that use of TLS and its additional security controls are still not well understood or applied.

“TLS issues often need addressing at the infrastructure layer and may not be under the control of developers,” says Scott.

“Much like cross site scripting in the application space however, a very formulaic approach can be developed for each environment and can help address these problems.”
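Two of the “basic” issue classes the study counts, cookie handling under weak authentication and cross site scripting, are exactly the kind Scott says can be reduced to a formulaic check. The Python below is an added illustration and is not part of the article or of Context Information Security’s research: it shows the output-encoding fix for an XSS-prone template next to the defective version, and a small audit of a Set-Cookie header for the attributes a penetration tester would expect on a session cookie. The comment text and cookie values are constructed, and the 30-day session-lifetime limit is an assumed policy value, not one from the study.

```python
import html
from typing import List

# Constructed sample input: a comment body carrying an HTML event handler.
UNTRUSTED_COMMENT = '<img src=x onerror="alert(1)">Nice article'

# Assumed policy value (not from the article): a session cookie should not
# be persisted for longer than 30 days.
MAX_SESSION_AGE_SECONDS = 30 * 24 * 3600


def render_comment_unsafe(comment: str) -> str:
    """The defect behind most stored/reflected XSS findings: untrusted text
    is concatenated straight into the HTML body without encoding."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """The formulaic fix for the HTML body context: entity-encode the five
    significant characters (& < > " ') before the text reaches the page.
    Attribute, JavaScript and URL contexts each need their own encoder."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the findings a tester would raise against a session cookie's
    Set-Cookie header value. An empty list means the cookie passes."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    # parts[0] is the cookie's own name=value pair; the rest are attributes,
    # whose names are case-insensitive (RFC 6265), hence the lower-casing.
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict: cookie attached to cross-site requests")
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            findings.append("Max-Age is not an integer")
        else:
            if max_age > MAX_SESSION_AGE_SECONDS:
                findings.append(
                    f"Max-Age {max_age}s exceeds session limit of {MAX_SESSION_AGE_SECONDS}s"
                )
    return findings


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(UNTRUSTED_COMMENT))
    print("safe:  ", render_comment_safe(UNTRUSTED_COMMENT))
    for header in (
        "sessionid=abc123; Path=/",
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
        "sessionid=abc123; Secure; HttpOnly; SameSite=Lax; Max-Age=31536000",
    ):
        print(header, "->", audit_set_cookie(header) or "OK")
```

The cookie audit deliberately reports every missing attribute rather than stopping at the first, so a single run over an application’s Set-Cookie headers gives the same per-category view the study describes; the same pattern extends to checking password-reset tokens or TLS configuration once the expected values are written down for a given environment.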
