IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
The shadow, legacy and abandoned IT assets of the world’s biggest organisations pose a serious security risk, research by cybersecurity firm High-Tech Bridge has revealed.
The Geneva-based company examined the external web and mobile applications of FT 500 organisations in Europe and the US.
We’ve outlined some key findings of the research – also set out in a blog post on the High-Tech Bridge website – in a short video below.
When it comes to grasping where vulnerabilities lie in the sprawling, diverse infrastructure of blue-chip organisations, a famous quote from Donald Rumsfeld, then US Secretary of Defense, is instructive: “There are known knowns [which are] things we know we know [and] known unknowns [which are] things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know […] the latter category [tends] to be the difficult ones.”
Shadow, legacy and abandoned IT assets can usually be characterised as ‘known unknowns’ or ‘unknown unknowns’. The vulnerabilities in them, however, are rarely novel: Gartner predicts that 99% of the vulnerabilities exploited by the end of 2020 will be ones already known to security and IT professionals at the time of the incident.
Shadow IT assets are defined by High-Tech Bridge as those built without proper coordination with the organisation’s central management and IT/security personnel. An example might be a cloud-based file-sharing service holding current deals and contracts, used by sales teams.
Legacy IT assets are long-established systems whose maintenance has become neglected, usually because of complexity, human factors or lack of resource. Sometimes engineers leave the company without transferring code and relevant knowledge. An example might be a module in a core e-banking system containing client data.
Abandoned IT assets have been forgotten, abandoned or lost. An example might be a pre-production test version of an ERP system with real customers’ data.
Among the insights revealed by the research:
92% of external web applications have exploitable security flaws or weaknesses
Every single company studied has some non-compliance issues around GDPR
19% have unprotected external cloud storage
45.1% of US systems and 28.9% of EU systems have invalid SSL certificates because of untrusted Certificate Authority (CA), expiration or issuance for a different domain name
221 US companies have 1,232 vulnerability submissions on Open Bug Bounty, 38% of which are not patched. Some 162 EU companies have 625 reports, of which 415 have been patched and 34% remain unpatched
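The certificate finding above names three ways an externally facing certificate fails validation: an untrusted CA, expiry, and issuance for a different host name. The script below is an added example, not part of the High-Tech Bridge research or this article. It reproduces all three failures offline by generating a throw-away private CA and a one-day leaf certificate with openssl, then classifying the output of openssl verify. The host names (app.example.com, other.example.com), the file paths and the 30-day look-ahead used to trigger expiry are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or High-Tech Bridge): reproduce the three
# certificate failure classes named in the findings with a throw-away CA and
# leaf certificate generated locally, then classify `openssl verify` output.
# Host names, file paths and the 30-day look-ahead are assumptions for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORK"

# 1. A private CA that no browser or system trust store knows about.
openssl req -x509 -batch -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. A leaf certificate for app.example.com (assumed host), valid for one day.
openssl req -batch -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=app.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:app.example.com\n' > "$WORK/leaf.ext"
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

# classify_cert CERT HOSTNAME [CAFILE] [UNIX_TIME]
# Prints one of: ok, untrusted-ca, expired, hostname-mismatch, other.
# With no CAFILE the system trust store is ignored as well, so only an issuer
# the caller explicitly trusts can make the chain valid.
classify_cert() {
  cert=$1; host=$2; cafile=${3:-}; attime=${4:-}
  set -- -verify_hostname "$host"
  if [ -n "$cafile" ]; then
    set -- "$@" -CAfile "$cafile"
  else
    set -- "$@" -no-CAfile -no-CApath
  fi
  if [ -n "$attime" ]; then
    # Evaluate validity at this time instead of now (used to simulate expiry).
    set -- "$@" -attime "$attime"
  fi
  if out=$(openssl verify "$@" "$cert" 2>&1); then
    echo ok
    return 0
  fi
  # Match the error text openssl prints for each verification failure.
  case "$out" in
    *"unable to get local issuer certificate"*|*"self-signed certificate"*) echo untrusted-ca ;;
    *"certificate has expired"*) echo expired ;;
    *"ostname mismatch"*)        echo hostname-mismatch ;;
    *)                           echo other ;;
  esac
}

# Demo: a trusted chain, then each of the three failure classes in turn.
classify_cert "$WORK/leaf.pem" app.example.com "$WORK/ca.pem"
classify_cert "$WORK/leaf.pem" app.example.com
classify_cert "$WORK/leaf.pem" other.example.com "$WORK/ca.pem"
classify_cert "$WORK/leaf.pem" app.example.com "$WORK/ca.pem" "$(( $(date +%s) + 30 * 86400 ))"
```

Run as written, the four calls print ok, untrusted-ca, hostname-mismatch and expired. The classify_cert function works just as well on a certificate saved from a live host with openssl s_client -showcerts; on an internet-facing system an untrusted-ca result is exactly the case the research counts as invalid, because browsers know nothing about an organisation's private or internal CA.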
“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today,” said Ilia Kolochenko, CEO and founder, High-Tech Bridge. “Large organisations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.
“On the other side, cybercriminals are well organised and very proactive. As soon as a new vulnerability is discovered in a popular CMS – they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance. Some hacking teams and cybercrime gangs will even patch your web application just after the breach – to preclude others from getting in. Therefore, if you don’t patch your web applications – bad guys will do this for you.”
“While web applications remain the Achilles’ heel of modern companies and organisations, lawmakers frequently make their lives even more complicated. For example, with GDPR, many organisations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed, enforced or implemented.”
High-Tech Bridge recently launched an AI-based version of ImmuniWeb Discovery, which helps companies discover their external applications and assess and prioritise risks and threats.
WATCH: 98% of FT 500 companies fall short on web app firewalls