New vulnerability research by Outpost24 has revealed interesting data trends in vulnerability management across different regions and sectors. When analysed, the number of high, medium and low-risk security vulnerabilities based on CVSS criticality shows the Netherlands had the largest percentage of high-risk critical vulnerabilities in Europe (50%), with the UK marginally behind in second (43%). The country which had the most severe flaws outside of Europe was Brazil (47%) with Japan having the lowest percentage of high-risk vulnerabilities out of the markets investigated.
When exploring specific sectors, manufacturing had the highest number of critical risk level vulnerabilities at 50%, indicating there is a severe lack of key vulnerability management processes within this industry. Indeed, the manufacturing sector was ahead by some distance, with all other sectors falling between the 10% -20% medium risk threshold. With the Fourth Industrial Revolution upon us, most if not all manufacturing enterprises have adopted connected technology, artificial intelligence or machine learning, leaving a wider surface area for exploitation.
The research also revealed the average time to remediate vulnerabilities was 105 days – giving cybercriminals close to a three-month window of opportunity to infiltrate systems if left unpatched. In fact, the industry breakdown revealed that the Energy and Agriculture and Retail/Wholesale were the two most susceptible to being attacked with patch times of 182 days and 135 days respectively.
“These findings show the significant risks businesses are exposed to and could leave you open to a dangerous cyberattack”, said Srinivasan Jayaraman, Vulnerability Research Manager at Outpost24. “Hackers aren’t fussy which industry or region you are in; they’re looking for these common types of weakness to launch successful attacks.”
The data was collected over a 12-month period from November 2018 to 2019 where Outpost24 analysed
- CWE-16 was the most common weakness within 82% of cases relating to software misconfiguration. This can occur through weak/default passwords being implemented, deprecated protocols, open public database instances or the file system is left exposed instead of being encrypted
- CWE-311 and CWE-523 both result in missing encryption of sensitive data and unprotected transport of credentials. This can lead to breaches of data protection regulations such as GDPR and CCPA
- A6 – security misconfiguration such as the use of default passwords and improper access controls were reported within 86% of web applications.
- A7 – The number of XSS (Cross-Site Scripting) attacks has increased, and is one of the most common areas hackers look to exploit
To view the full research and a full breakdown of the most prolific vulnerabilities reported, click here: https://outpost24.com/