Geneva, Switzerland, 08 September 2020 – Global application security company ImmuniWeb has conducted research into the state of the global cybersecurity industry’s exposure on the Dark Web this year. Its findings uncovered that 97% of leading cybersecurity companies have data leaks or other security incidents exposed on the Dark Web, while on average there are over 4,000 stolen credentials and other sensitive data exposed per cybersecurity company.
Even the cybersecurity industry itself is not immune to these in ImmuniWeb’s research.
Key findings of the research relating to the leading global cybersecurity companies’ exposure on the Dark Web included:
- 97% of companies have data leaks and other security incidents exposed on the Dark Web.
- 631,512 verified security incidents were found with over 25% (or 160,529) of those classed as a high or critical risk level containing highly sensitive information such as plaintext credentials or PII including financial or similar data. Hence, on average, there are 1,586 stolen credentials and other sensitive data exposed per cybersecurity company. Over 1 million unverified incidents (1,027,395) were also discovered during ImmuniWeb’s research and only 159,462 were estimated as low risk.
- 29% of stolen passwords are weak, employees from 162 companies reuse their passwords – the research revealed that 29% of stolen passwords are weak, with less than eight characters or without uppercase letters, numbers or other special characters, and that employees from 162 companies (around 40%) reuse identical passwords on different breached This boosts the risk of password re-use attacks by cybercriminals.
- Professional emails were used on porn and adult dating sites – third-party breaches represented a considerable number of the incidents, as ImmuniWeb’s research found 5,121 credentials that had been stolen from hacked porn or adult dating websites.
- 63% of websites of the cybersecurity companies do not comply with PCI DSS requirements – which means that they use vulnerable or outdated software (including JS libraries and frameworks), or have no Web Application Firewall (WAF) in blocking mode.
- 48% of websites of the cybersecurity companies do not comply with GDPR requirements – because of vulnerable software, the absence of a conspicuously visible privacy policy or a missing cookie disclaimer when cookies contain PII or traceable identifiers.
- 91 companies had exploitable website security vulnerabilities, 26% of which are still unpatched – this finding came from ImmuniWeb referring to openly available data on the Open Bug Bounty project.
The research was run using ImmuniWeb’s free online Domain Security Test, which combines proprietary OSINT technology enhanced with Machine Learning, to discover and classify Dark Web exposure.
ImmuniWeb tested 398 leading cybersecurity companies headquartered in 26 countries, mostly the US and Europe. Cybersecurity companies in the US suffered the most high and critical risk incidents, followed by the UK and Canada, then Ireland, Japan, Germany, Israel, the Czech Republic, Russia and Slovakia.
Of the 398 cybersecurity companies tested, only those in Switzerland, Portugal and Italy did not suffer any high or critical risk incidents, while those in Belgium, Portugal and France had the lowest number of verified incidents.
Ilia Kolochenko, CEO & Founder of ImmuniWeb, commented on the research:
“Today, cybercriminals endeavor to maximize their profits and minimize their risks of being apprehended by targeting trusted third parties instead of going after the ultimate victims. For instance, large financial institutions commonly have formidable technical, forensic and legal resources to timely detect, investigate and vigorously prosecute most of the intrusions, often successfully. Contrariwise, their third parties, ranging from law firms to IT companies, usually lack internal expertise and budget required to react quickly to the growing spectrum of targeted attacks and APTs. Eventually, they become low-hanging fruit for pragmatic attackers who also enjoy virtual impunity. In 2020, one need not spend on costly 0days but rather find several unprotected third parties with privileged access to the ‘Crown Jewels’ and swiftly crack the weakest link.
“Holistic visibility and inventory of your data, IT and digital assets is essential for any cybersecurity and compliance program today. Modern technologies, such as Machine Learning and AI, can significantly simplify and accelerate a considerable number of laborious tasks spanning from anomaly detection to false positive reduction. This picture is, however, to be complemented with a continuous monitoring of Deep and Dark Web, and countless resources in the Surface Web, including public code repositories and paste websites. You cannot protect your organization in isolation from the surrounding landscape that will likely become even more intricate in the near future.”
The full research findings can be viewed here: https://www.immuniweb.com/blog/state-cybersecurity-dark-web-exposure.html