A rich resource of data from nearly 350 million security scans of Internet-facing assets is now freely accessible for industry and academic research, thanks to the ImmuniWeb Community Edition.
Through this initiative, the global cybersecurity community, educational institutions, government agencies, and even individual researchers can access historical data on the security of Internet-accessible resources.
To support this, the following dynamic statistics are now publicly available:
Global SSL Security Statistics for SSL/TLS encryption visibility, vulnerabilities, and weaknesses in web applications, APIs, email servers, and network appliances. From Q1 2024 to date, there have been 1,421,781 SSL/TLS events. In Q3 2024, the US had the most instances at 53.7%, with Germany (7.8%), Ireland (7.2%), and Canada (6.1%) following far behind. Readers can see progress each quarter with data on aspects like website security grade and compliance with GDPR, NIST, HIPAA, and PCI DSS. In Q3, while GDPR compliance stands at 94.9%, NIST sees just 14.2% compliance. However, there is an upward trend.
Global Email Security Statistics for visibility of the most frequent email misconfigurations that facilitate spam, phishing, and business email compromise (BEC) attacks. The most frequent misconfigurations in Q3 came from the Anycast Network (30.32%), which routes user requests to the nearest or best-performing server using a single shared IP address.
However, the top three countries were Brazil (12.1%), the US (7%) and Canada (3.8%). Based on the figures from Q1 to today, findings include a decline in good configuration across key metrics. Many categories, such as DKIM, DMARC, SPF, and PTR status, show a “good configuration” decline by Q4 2024. For instance, DKIM fell from 25.3% in Q1 to 20.3% in Q3. Additionally, a high percentage of servers are listed on blacklists, with 65.6% in Q3 2024, indicating a problem with reputation and email deliverability.
Global Website Privacy Statistics for visibility of trackers and other privacy-invasive technologies used on websites to spy on users, sometimes in violation of law. In Q3, the most frequently found privacy-invasive technologies were in the US (33.4%), Anycast Network (26.6%), Germany (4.2%), and the Netherlands (3.3%). In Q3, 68.4% of websites had a privacy policy, while only 18.41% had a cookie consent banner.
Global Website Security Statistics for visibility of website vulnerabilities and weaknesses, outdated software, and web server misconfigurations leading to data breaches. The most vulnerable websites in Q3 were found in the US (53.4%), Germany (7.1%), Ireland (3.9%) and Canada (3.9%). In Q3, a significant majority, 82.9%, equivalent to 736,533 websites, did not have WAF protection. This is an increase from the previous quarter (67.2%). Also, 38.8% of websites used outdated software, a slight decrease from 40.1% in Q2.
Global Dark Web Exposure & Phishing Detection Statistics for visibility of cyber-attacks and malicious activities on the Dark Web and tracking of phishing campaigns. The country with the highest dark web and phishing exposure across all quarters was the US, with 40.8% in Q3. Total incidents escalated dramatically to 901,816,735 in Q3 from 1,998,174 in Q2, while compromised access credentials reached 133,783,881 in Q3, up from 114,191 in Q2.
Global Mobile App Security Statistics for visibility of the most common iOS and Android vulnerabilities in modern mobile apps that facilitate data or mobile device compromise. In Q3 2024, two of the most interesting statistics from the OWASP Mobile Top 10 Vulnerabilities report were the significant increase in vulnerabilities associated with the “Use of Hidden UI Elements,” rising from 0.7% in Q1 to 5.4% in Q3, and the relatively high warning rates of “Usage of Intent Filter” and “Missing Tapjacking Protection,” which remained consistent at around 6.1%.
Global Cloud Security Statistics for visibility of misconfigured or exposed cloud storage at the most popular public cloud service providers (CSP) around the globe. From Q1 to Q3 2024, there was a significant decrease in the number of public files stored in cloud storage, dropping from 218,509 files to 45,782 files. The percentage of cloud storage classified as secure was 93.6% in Q3 2024, maintaining high security compliance. This stayed close to the 94.8% seen in Q2.
Each of the statistics above is freely available in real time and in a historical view, accessible either via the interactive dashboard or downloadable as a PDF. The figures in this release were based on data analyzed on 25 November 2024. Each statistic has a direct link for convenience in citations in research and other publications.
A Remarkable Year
2024 has been truly remarkable for ImmuniWeb Community Edition for several reasons. First, the total number of scans will hit a new record of 350,000,000 across all seven online tests. Second, data from the Community Edition will now be used for the next iteration of the globally recognized Data Breach Investigations Report (DBIR) published by Verizon while duly preserving the privacy of all users and the results of their scans.
Dr. Ilia Kolochenko, CEO & Chief Architect at ImmuniWeb, says: “At ImmuniWeb, we are delighted to commence our collaboration with Verizon’s DBIR team to share the unique statistical data that we have been accumulating for over five years. We are also excited to offer reliable statistical data on Internet security to academia, public entities, and private researchers to enrich their research data and make better-informed decisions or better-substantiated conclusions. Furthermore, public universities may be eligible for our anonymized data sets if they need raw data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.