October 6, 2015 By Douglas Bonderud 2 min read

Every organization considers itself unique. In many respects, the notion is accurate: Companies each have specialized corporate cultures, best practices and mission statements that they hope sets them apart from the competition. When it comes to IT vulnerabilities, however, a new study from NCC Group found that businesses have more in common than they realize — and this shared experience may pave the way for better cybersecurity.

Common Ground With Vulnerabilities

SecurityWeek has details on the upcoming study, which ran a commercial-grade scanning product across the networks of 100 organizations from a variety of industry verticals, covering everything from charity organizations to energy companies and financial institutions. Completed over 15 months from February 2014 to May 2015, the study produced 908,000 security issues. The most common “were related to Web application security, particularly flaws affecting the Web server or language in which the Web application was written.”

There were outliers: In the transport industry, for example, server and language issues were by the far the most prevalent type of failure points. Meanwhile, health care stood out as one of the quickest industries to respond once flaws were identified. In most cases, health care vulnerabilities were resolved in less than 10 weeks.

Other findings of note include numerous network issues related to cryptography, such as SSH, SSL and PKI, along with a failure by many companies to meet both internal and third-party best practice guidelines for securing Web apps. It’s also worth noting that while Linux-based bugs were typically fixed in 20 weeks or less, just 75 percent of those found in Microsoft systems were patched during the same period, and 10 percent of all Microsoft problems were still unresolved after a year.

The most interesting findings in the report, however, relate to speed and specificity. In cases where environment-specific solutions are necessary to solve problems, such as shutting down critical services to apply updates or changing default configurations, companies tend to drag their heels. And when it comes to speed, companies are eager to fix issues when they’re first identified: The report found that more than half of all vulnerabilities were patched in the first 10 to 20 weeks. After that, however, enthusiasm died down, and fixes were carried out only when time and money allowed.

Mobile devices and the emerging Internet of Things (IoT) also play a role in common cybersecurity. For example, many mobile apps carry similar flaws such as bypassing login prompts, letting users create weak passwords or not bothering to encrypt sensitive data. And when it comes to IoT devices, CRN noted that companies lack the tools necessary to secure this burgeoning ecosystem.

Doomed to Repeat?

So where does this common vulnerability report leave enterprises? Are they destined to make the same mistakes over and over, like a modern-day Sisyphus pushing out one security best practice after another, only to have them come tumbling back down and force a complete rework? Not exactly.

First, companies need to share what NCC Group has found to be commonplace: the insecurity of their Web apps. By combining forces, it’s possible to devise better defenses. Cybercriminals are willing to share their exploit tips and kits, and law-abiding companies need to do the same with threat intelligence sharing.

In addition, there’s a need for common ground — a way to build and scale up applications that is globally recognized, standardized and lowers the possibility of one-off attacks by malicious actors. Simply put, companies need to give up the idea that they’re unique when it comes to cybersecurity. In fact, similarity is a kind of strength: The experience of all used to the benefit of all.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today