Adam Bannister

Editor, IFSEC Global

Author Bio ▼

Adam Bannister is editor of IFSEC Global. A former managing editor at Dynamis Online Media Group, he has been at the helm of the UK's leading fire and security publication since 2014.
October 29, 2018

Sign up to free email newsletters


Mobile access case study: University of Hull students impressed with HID Global upgrade


WATCH: 98% of FT 500 companies fall short on web app firewalls

The shadow, legacy and abandoned IT assets of the world’s biggest organisations pose a serious security risk, research by cybersecurity firm High-Tech Bridge has revealed.

The Geneva-based company examined the external web and mobile applications of FT 500 organisations in Europe and the US.

We’ve outlined some key findings of the research – also set out in a blog post on the High-Tech Bridge website – in a short video below.

When it comes to grasping where vulnerabilities lie in the sprawling, diverse infrastructure of blue-chip organisations, a famous quote from Donald Rumsfeld, then US Secretary of Defense, is instructive: “There are known knowns [which are] things we know we know [and] known unknowns [which are] things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know […] the latter category [tends] to be the difficult ones.”

Shadow, legacy and abandoned IT assets can usually be characterised as ‘known unknowns’ or ‘unknown unknowns’. But Gartner says that 99% of vulnerabilities exploited by the end of 2020 will be known to security and IT professionals at the time of the incident.

Shadow IT assets are defined by High-Tech Bridge as built without proper coordination with the organisation’s central management and IT/security personnel. An example might be acloud-based file-sharing service with current deals and contracts, used by sales teams.

Legacy IT assets are long-established systems whose maintenance has become neglected, usually because of complexity, human factors or lack of resource. Sometimes engineers leave the company without transferring code and relevant knowledge. An example might be a module in a core e-banking system containing client data.

Abandoned IT assets have been forgotten, abandoned or lost. An example might be a pre-production test version of an ERP system with real customers’ data.

Among the insights revealed by the research:

  • 92% of external web applications have exploitable security flaws or weaknesses
  • Every single company studied has some non-compliance issues around GDPR
  • 19% have unprotected external cloud storage
  • 45.1% of US systems and 28.9% of EU systems have invalid SSL certificates because of untrusted Certificate Authority (CA), expiration or issuance for a different domain name
  • 221 US companies have 1,232 vulnerability submissions on Open Bug Bounty, 38% of which are not patched. Some 162 EU companies have 625 reports with 415 patch vulnerabilities, with 34% still unpatched

“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today,” said Ilia Kolochenko, CEO and founder, High-Tech Bridge. “Large organisations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.

“On the other side, cybercriminals are well organised and very proactive. As soon as a new vulnerability is discovered in a popular CMS – they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance. Some hacking teams and cybercrime gangs will even patch your web application just after the breach – to preclude others from getting in. Therefore, if you don’t patch your web applications – bad guys will do this for you.”

“While web applications remain the Achilles’ heel of modern companies and organisations, lawmakers frequently make their lives even more complicated. For example, with GDPR, many organisations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed, enforced or implemented.”

High-Tech Bridge recently launched an AI-based version of ImmuniWeb Discovery, which helps companies discover their external applications and assess and prioritise risks and threats.

Free Download: Cybersecurity and physical security systems: how to implement best practices

If you are involved in the operation or maintenance of physical security systems, this resource from Vanderbilt will help you choose the right equipment for staying diligent. It provides a five step process for strengthening the resilience of those systems against cyber-attack, as well as explaining what cyber-attacks mean in an interconnected world.

Discover the five step process now by clicking here.

Related Topics

Leave a Reply

Be the First to Comment!

Notify of