Every organization considers itself unique. In many respects, the notion is accurate: Companies each have specialized corporate cultures, best practices and mission statements that they hope sets them apart from the competition. When it comes to IT vulnerabilities, however, a new study from NCC Group found that businesses have more in common than they realize — and this shared experience may pave the way for better cybersecurity.
Common Ground With Vulnerabilities
SecurityWeek has details on the upcoming study, which ran a commercial-grade scanning product across the networks of 100 organizations from a variety of industry verticals, covering everything from charity organizations to energy companies and financial institutions. Completed over 15 months from February 2014 to May 2015, the study produced 908,000 security issues. The most common “were related to Web application security, particularly flaws affecting the Web server or language in which the Web application was written.”
There were outliers: In the transport industry, for example, server and language issues were by the far the most prevalent type of failure points. Meanwhile, health care stood out as one of the quickest industries to respond once flaws were identified. In most cases, health care vulnerabilities were resolved in less than 10 weeks.
Other findings of note include numerous network issues related to cryptography, such as SSH, SSL and PKI, along with a failure by many companies to meet both internal and third-party best practice guidelines for securing Web apps. It’s also worth noting that while Linux-based bugs were typically fixed in 20 weeks or less, just 75 percent of those found in Microsoft systems were patched during the same period, and 10 percent of all Microsoft problems were still unresolved after a year.
The most interesting findings in the report, however, relate to speed and specificity. In cases where environment-specific solutions are necessary to solve problems, such as shutting down critical services to apply updates or changing default configurations, companies tend to drag their heels. And when it comes to speed, companies are eager to fix issues when they’re first identified: The report found that more than half of all vulnerabilities were patched in the first 10 to 20 weeks. After that, however, enthusiasm died down, and fixes were carried out only when time and money allowed.
Mobile devices and the emerging Internet of Things (IoT) also play a role in common cybersecurity. For example, many mobile apps carry similar flaws such as bypassing login prompts, letting users create weak passwords or not bothering to encrypt sensitive data. And when it comes to IoT devices, CRN noted that companies lack the tools necessary to secure this burgeoning ecosystem.
Doomed to Repeat?
So where does this common vulnerability report leave enterprises? Are they destined to make the same mistakes over and over, like a modern-day Sisyphus pushing out one security best practice after another, only to have them come tumbling back down and force a complete rework? Not exactly.
First, companies need to share what NCC Group has found to be commonplace: the insecurity of their Web apps. By combining forces, it’s possible to devise better defenses. Cybercriminals are willing to share their exploit tips and kits, and law-abiding companies need to do the same with threat intelligence sharing.
In addition, there’s a need for common ground — a way to build and scale up applications that is globally recognized, standardized and lowers the possibility of one-off attacks by malicious actors. Simply put, companies need to give up the idea that they’re unique when it comes to cybersecurity. In fact, similarity is a kind of strength: The experience of all used to the benefit of all.