A staggering 97% of top cyber security companies have data leaks or other security incidents exposed on the dark Web, and on average, there are over 4 000 stolen credentials and other sensitive data exposed per company.
This was one of the findings of ImmuniWeb's research this year into the global cyber security industry's own exposure on the dark Web, which showed that even the cyber security industry itself is not immune to these problems.
Some 398 cyber security companies across 26 countries, mostly the US and Europe, were tested. Cyber security companies in the US suffered the most high-risk incidents, followed by the UK and Canada, then Ireland, Japan, Germany, Israel, the Czech Republic, Russia and Slovakia.
Other findings include that 631 512 verified security incidents were found, with over 25% of those classed as high or critical risk, containing highly sensitive information such as plaintext credentials or PII, including financial or similar data.
On average, there were 1 586 stolen credentials and other sensitive data exposed per cyber security company. Over 1 million unverified incidents were also discovered during the course of the research and only 159 462 were estimated as low risk.
Of the stolen passwords, 29% were weak, with less than eight characters or without uppercase letters, numbers or other special characters. The company also discovered that employees from 162 companies reuse their passwords, increasing the risk of password re-use attacks by bad actors.
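The weakness criteria quoted above (fewer than eight characters, or no uppercase letter, digit or special character) and the password-reuse finding can be turned into a small audit routine. The following is an added example, not ImmuniWeb's code or methodology: it takes constructed credential records of the form (source site, e-mail, password), classifies each password against the article's criteria, and flags a company (taken to be the e-mail domain, an assumption) when the same e-mail and password pair shows up on more than one source site. Passwords are keyed by SHA-256 digest so the reuse index never holds plaintext.

```python
import hashlib
import re
from collections import defaultdict

# Criteria as stated in the article: weak if shorter than eight characters,
# or missing uppercase letters, digits, or special characters.
MIN_LENGTH = 8


def weakness_reasons(password: str) -> list:
    """Return the list of article criteria this password fails (empty if none)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if not re.search(r"[A-Z]", password):
        reasons.append("no-uppercase")
    if not re.search(r"[0-9]", password):
        reasons.append("no-digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no-special")
    return reasons


def is_weak(password: str) -> bool:
    return bool(weakness_reasons(password))


def audit(records) -> dict:
    """Summarise a list of (source_site, email, password) records.

    Reuse is counted when the same e-mail/password pair appears on more than
    one source site; the company is assumed to be the e-mail domain.
    """
    total = len(records)
    weak = sum(1 for _, _, pw in records if is_weak(pw))
    # Index by (email, sha256(password)) so plaintext is not retained here.
    sources_by_cred = defaultdict(set)
    for source, email, pw in records:
        digest = hashlib.sha256(pw.encode()).hexdigest()
        sources_by_cred[(email.lower(), digest)].add(source)
    reused_companies = set()
    for (email, _), sources in sources_by_cred.items():
        if len(sources) > 1:
            reused_companies.add(email.split("@", 1)[1])
    return {
        "total": total,
        "weak": weak,
        "weak_pct": round(100.0 * weak / total, 1) if total else 0.0,
        "companies_with_reuse": sorted(reused_companies),
    }


# Constructed sample records (hypothetical domains, not real leaked data).
SAMPLE_RECORDS = [
    ("forum-a.example", "alice@acme.example", "Summer2020!"),   # passes all criteria
    ("site-b.example", "alice@acme.example", "Summer2020!"),    # same pair on a second site: reuse
    ("forum-a.example", "bob@acme.example", "bobby"),           # short, no uppercase/digit/special
    ("site-b.example", "carol@widgets.example", "password1"),   # no uppercase, no special
    ("site-c.example", "dave@widgets.example", "Tr0ub4dor&3"),  # passes all criteria
    ("site-c.example", "erin@acme.example", "Welcome1"),        # no special character
]

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
```

The `weak_pct` figure is the per-dump analogue of the article's 29%, and `companies_with_reuse` is the per-dump analogue of its 162 companies; a real audit would feed records from many sources and compare hashes from the outset rather than ever loading plaintext.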
Professional e-mails were also used on porn and adult dating sites, and ImmuniWeb discovered that 5 121 credentials had been stolen from hacked sites of this nature.
Third-party breaches represented a significant number of the incidents, with the research finding that 63% of the companies' Web sites did not comply with PCI DSS requirements, meaning they use vulnerable or outdated software (including JS libraries and frameworks) or have no Web application firewall in blocking mode.
Moreover, 48% of the companies' Web sites did not comply with GDPR requirements, either because of vulnerable software or because they had no conspicuously visible privacy policy or cookie disclaimer when cookies contain PII or traceable identifiers.
Ilia Kolochenko, CEO & founder of ImmuniWeb, said: “Today, cyber criminals endeavour to maximise their profits and minimise their risk of being apprehended by targeting trusted third parties instead of going after the ultimate victims. For instance, large financial institutions commonly have formidable technical, forensic and legal resources to timely detect, investigate and vigorously prosecute most of the intrusions, often successfully.”
On the other hand, he said their third-party partners, ranging from law firms to IT companies, usually lack internal expertise and budget required to react quickly to the growing spectrum of targeted attacks and APTs. “Eventually, they become low-hanging fruit for pragmatic attackers who also enjoy virtual impunity. In 2020, one need not spend on costly 0days but rather find several unprotected third parties with privileged access to the ‘Crown Jewels’ and swiftly crack the weakest link.”
He advises organisations to have holistic visibility and inventory of their data, IT and digital assets to maintain a strong security and compliance posture. “Modern technologies, such as machine learning and AI, can significantly simplify and accelerate a considerable number of laborious tasks spanning from anomaly detection to false positive reduction.”
However, these tools need to be supplemented by continuous monitoring of the deep and dark Web, as well as of countless resources on the surface Web, including public code repositories and paste Web sites, he concludes.
“You cannot protect your organisation in isolation from the surrounding landscape that will likely become even more intricate in the near future.”