Research Reports Reveal Web Application, Patching Worries

New reports released the week of April 2-6, provide a snapshot of the top concerns facing enterprise IT today, including data breaches, the challenges of patching and how to improve cyber-security awareness.

Security vulnerabilities are rampant, while software patching remains a key challenge. These are a few of the high-level findings from research reports released the week of April 2-6. 

In the aggregate, the reports provide a snapshot of some of the top concerns facing enterprise IT today, including data breaches, patching and cyber-security professional staffing.

Digital Shadows released a study that found 1.5 billion records were left exposed online in the first quarter of 2018. The 2018 Trustwave Global Security Report came to the startling conclusion that 100 percent of the web applications tested had at least one vulnerability. ServiceNow in partnership with the Ponemon Institute released a report on the state of software patching, while McAfee released a report about the IT security skills shortage.

The largest report released during the week was the 105-page 2018 Trustwave Global Security Report that provided highlights of Trustwave's security investigations conducted in 2017.

The big finding in the report was that 100 percent of tested web applications had at least one vulnerability. Most applications had more than one vulnerability, with Trustwave reporting a median of 11 vulnerabilities detected per tested application. Many (85.9 percent) of the web vulnerabilities involved some form of session management issue that could potentially enable an attacker to get unauthorized access.

Trustwave's report also highlighted the importance of organizations being able to detect breaches internally as opposed to having them discovered by an external source. The time to detection for data breaches grew for incidents that were discovered externally from a median of 65 days in 2016, up to 83 days in 2017. On a positive note however, for breaches that were discovered internally by organizations, Trustwave reported the time to discovery fell from a median of 16 days in 2016 down to same day detection in 2017, meaning breaches were being discovered nearly same day they occurred.

More than a Billion files exposed

Also on April 5, Digital Shadows released a report looking at the state of exposed files in the first quarter of 2018. The Digital Shadows analysis found 1.55 billion business and consumers files that were publicly exposed across the web.

Only 7 percent of the exposed files were found on Amazon S3 cloud storage buckets. Other causes of exposed filed included misconfigured SMB file sharing (33 percent) and FTP file transfer services (26 percent).

"While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured services," Rick Holland, Chief Information Security Officer at Digital Shadows stated.

Trouble with patching

ServiceNow working with the Ponemon Insitute released a report titled,“Today’s State of Vulnerability Response: Patch Work Demands Attention,” on April 5.

A key conclusion of the report was something ServiceNow referred to as the "Patching Paradox" where organizations are having trouble keeping up with patching so are seeking to hire more IT staff, but can't find them.

The report found that organizations spend 321 hours a week on average, managing the vulnerability response process including patching. 64 percent of organizations said they intend to hire more dedicated staff for patching over the next 12 months.  Yet 61 percent also reported that using manual processes put them at a disadvantage when patching vulnerabilities.

"Adding more talent alone won't address the core issue plaguing today's security teams," Sean Convery, vice president and general manager, ServiceNow Security and Risk, stated. "Automating routine processes and prioritizing vulnerabilities will help organizations avoid the 'patching paradox,' instead focusing their people on critical work to dramatically reduce the likelihood of a breach."

Gamification techniques can help

Also in the area of IT staffing, McAfee released a report on April 4, titled, "Winning the Game" that provides insight into how organizations can improve their employees cyber-security skills.  McAfee's study found that using gamification techniques, that turn tasks and learning activities into games, can be a big help to improving cyber-security awareness.

57 percent of respondents told McAfee that using games increases cyber-security awareness of how breaches can occur. Additionally 77 percent of of senior managers polled by McAfee agreed that their companies could be safer it they made use of more gamification techniques.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.