Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
October 29, 2018


"THE ACHILLES’ HEEL OF MODERN COMPANIES"

WATCH: 98% of FT 500 companies fall short on web app firewalls

The shadow, legacy and abandoned IT assets of the world’s biggest organisations pose a serious security risk, research by cybersecurity firm High-Tech Bridge has revealed.

The Geneva-based company examined the external web and mobile applications of FT 500 organisations in Europe and the US.

We’ve outlined some key findings of the research – also set out in a blog post on the High-Tech Bridge website – in a short video below.

When it comes to grasping where vulnerabilities lie in the sprawling, diverse infrastructure of blue-chip organisations, a famous quote from Donald Rumsfeld, then US Secretary of Defense, is instructive: “There are known knowns [which are] things we know we know [and] known unknowns [which are] things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know […] the latter category [tends] to be the difficult ones.”

Shadow, legacy and abandoned IT assets usually fall into the 'known unknowns' or 'unknown unknowns' categories. Yet Gartner predicts that 99% of the vulnerabilities exploited through the end of 2020 will already be known to security and IT professionals at the time of the incident. The gap, in other words, is usually in knowing which assets exist rather than in the vulnerabilities themselves.

Shadow IT assets, as High-Tech Bridge defines them, are those built without proper coordination with the organisation's central management and IT/security personnel. An example might be a cloud-based file-sharing service holding current deals and contracts, used by sales teams.

Legacy IT assets are long-established systems whose maintenance has become neglected, usually because of complexity, human factors or lack of resource. Sometimes engineers leave the company without transferring code and relevant knowledge. An example might be a module in a core e-banking system containing client data.

Abandoned IT assets are systems that have been forgotten, dropped or lost track of entirely. An example might be a pre-production test version of an ERP system containing real customer data.

Among the insights revealed by the research:

  • 92% of external web applications have exploitable security flaws or weaknesses
  • Every single company studied has some non-compliance issues around GDPR
  • 19% have unprotected external cloud storage
  • 45.1% of US systems and 28.9% of EU systems have invalid SSL certificates because of untrusted Certificate Authority (CA), expiration or issuance for a different domain name
  • 221 US companies have 1,232 vulnerability submissions on Open Bug Bounty, 38% of which are not patched. Some 162 EU companies have 625 reports, of which 415 have been patched, leaving 34% still unpatched
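The certificate finding above counts three distinct failure modes, and an asset-discovery check needs to tell them apart rather than just report "invalid". The script below is an added example, not code from the High-Tech Bridge research or from ImmuniWeb. It classifies a certificate (in the dictionary form Python's `ssl` module returns from `getpeercert()`) as untrusted-CA, expired and/or issued for the wrong name, and maps OpenSSL's verification error codes to the same classes for a live handshake. The `TRUSTED_ISSUERS` allow-list and the `SAMPLE_CERT` dictionary are constructed for the example; real trust decisions in the live path come from the system trust store.

```python
"""Classify why an external host's TLS certificate fails validation.

Added example, not code from the High-Tech Bridge research or ImmuniWeb.
It detects the three failure classes the research counts: untrusted CA,
expiry, and issuance for a different domain name.
"""
import socket
import ssl
import time

# Assumption: a constructed allow-list of issuer common names stands in for
# the system trust store in the offline classifier. The live check below
# uses the real trust store via ssl.create_default_context().
TRUSTED_ISSUERS = {"Example Root CA"}

# OpenSSL X509_V_ERR codes, exposed as SSLCertVerificationError.verify_code
VERIFY_CODE_CLASSES = {
    10: "expired",          # X509_V_ERR_CERT_HAS_EXPIRED
    18: "untrusted-ca",     # depth-zero self-signed certificate
    19: "untrusted-ca",     # self-signed certificate in chain
    20: "untrusted-ca",     # unable to get local issuer certificate
    21: "untrusted-ca",     # unable to verify the first certificate
    62: "wrong-hostname",   # X509_V_ERR_HOSTNAME_MISMATCH
}


def _rdn_values(rdn_seq, key):
    """Pull all values for `key` from a getpeercert() subject/issuer sequence."""
    return [v for rdn in rdn_seq for k, v in rdn if k == key]


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard may only replace the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def classify_certificate(cert, hostname, now=None, trusted_issuers=TRUSTED_ISSUERS):
    """Return the failure classes for a cert in ssl.getpeercert() dict form.

    An empty list means the certificate is acceptable for `hostname`.
    """
    now = time.time() if now is None else now
    problems = []
    if not set(_rdn_values(cert.get("issuer", ()), "commonName")) & trusted_issuers:
        problems.append("untrusted-ca")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when there is no SAN
        names = _rdn_values(cert.get("subject", ()), "commonName")
    if not any(_hostname_matches(n, hostname) for n in names):
        problems.append("wrong-hostname")
    return problems


def check_live_host(host, port=443, timeout=5.0):
    """Handshake with full verification against the real trust store.

    Returns [] on success, otherwise the failure class derived from OpenSSL's
    verify code. Needs network access; not exercised offline.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return []
    except ssl.SSLCertVerificationError as err:
        return [VERIFY_CODE_CLASSES.get(getattr(err, "verify_code", None), "other")]


# Constructed sample certificate in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "www.example.com"),)),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2018 GMT",
    "notAfter": "Dec 31 23:59:59 2018 GMT",
}

if __name__ == "__main__":
    mid_2018 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2018 GMT")
    print(classify_certificate(SAMPLE_CERT, "www.example.com", now=mid_2018))  # []
    print(classify_certificate(SAMPLE_CERT, "api.example.com", now=mid_2018))  # []
    print(classify_certificate(SAMPLE_CERT, "legacy.corp.example.com", now=mid_2018))  # ['wrong-hostname']
    print(classify_certificate(SAMPLE_CERT, "www.example.com"))  # ['expired']
```

The offline classifier is what you would run over certificates already harvested from an inventory scan; `check_live_host` is the same classification done by letting OpenSSL verify the chain, which is the only reliable way to decide "untrusted CA" in production. Note that a single legacy host often triggers more than one class at once (a self-signed certificate that is also expired and names an old hostname), which is why the function returns a list rather than a single verdict.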

“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today,” said Ilia Kolochenko, CEO and founder, High-Tech Bridge. “Large organisations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.

“On the other side, cybercriminals are well organised and very proactive. As soon as a new vulnerability is discovered in a popular CMS – they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance. Some hacking teams and cybercrime gangs will even patch your web application just after the breach – to preclude others from getting in. Therefore, if you don’t patch your web applications – bad guys will do this for you.”

“While web applications remain the Achilles’ heel of modern companies and organisations, lawmakers frequently make their lives even more complicated. For example, with GDPR, many organisations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed, enforced or implemented.”

High-Tech Bridge recently launched an AI-based version of ImmuniWeb Discovery, which helps companies discover their external applications and assess and prioritise risks and threats.
