October 6, 2015 By Douglas Bonderud 2 min read

Every organization considers itself unique. In many respects, the notion is accurate: Companies each have specialized corporate cultures, best practices and mission statements that they hope sets them apart from the competition. When it comes to IT vulnerabilities, however, a new study from NCC Group found that businesses have more in common than they realize — and this shared experience may pave the way for better cybersecurity.

Common Ground With Vulnerabilities

SecurityWeek has details on the upcoming study, which ran a commercial-grade scanning product across the networks of 100 organizations from a variety of industry verticals, covering everything from charity organizations to energy companies and financial institutions. Completed over 15 months from February 2014 to May 2015, the study produced 908,000 security issues. The most common “were related to Web application security, particularly flaws affecting the Web server or language in which the Web application was written.”

There were outliers: In the transport industry, for example, server and language issues were by the far the most prevalent type of failure points. Meanwhile, health care stood out as one of the quickest industries to respond once flaws were identified. In most cases, health care vulnerabilities were resolved in less than 10 weeks.

Other findings of note include numerous network issues related to cryptography, such as SSH, SSL and PKI, along with a failure by many companies to meet both internal and third-party best practice guidelines for securing Web apps. It’s also worth noting that while Linux-based bugs were typically fixed in 20 weeks or less, just 75 percent of those found in Microsoft systems were patched during the same period, and 10 percent of all Microsoft problems were still unresolved after a year.

The most interesting findings in the report, however, relate to speed and specificity. In cases where environment-specific solutions are necessary to solve problems, such as shutting down critical services to apply updates or changing default configurations, companies tend to drag their heels. And when it comes to speed, companies are eager to fix issues when they’re first identified: The report found that more than half of all vulnerabilities were patched in the first 10 to 20 weeks. After that, however, enthusiasm died down, and fixes were carried out only when time and money allowed.

Mobile devices and the emerging Internet of Things (IoT) also play a role in common cybersecurity. For example, many mobile apps carry similar flaws such as bypassing login prompts, letting users create weak passwords or not bothering to encrypt sensitive data. And when it comes to IoT devices, CRN noted that companies lack the tools necessary to secure this burgeoning ecosystem.

Doomed to Repeat?

So where does this common vulnerability report leave enterprises? Are they destined to make the same mistakes over and over, like a modern-day Sisyphus pushing out one security best practice after another, only to have them come tumbling back down and force a complete rework? Not exactly.

First, companies need to share what NCC Group has found to be commonplace: the insecurity of their Web apps. By combining forces, it’s possible to devise better defenses. Cybercriminals are willing to share their exploit tips and kits, and law-abiding companies need to do the same with threat intelligence sharing.

In addition, there’s a need for common ground — a way to build and scale up applications that is globally recognized, standardized and lowers the possibility of one-off attacks by malicious actors. Simply put, companies need to give up the idea that they’re unique when it comes to cybersecurity. In fact, similarity is a kind of strength: The experience of all used to the benefit of all.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today