There is no shortage of threats facing organizations today. Cobalt recently released its fifth annual "State of Penetration Testing 2023" report, which provides insight into the vulnerabilities and threats companies are encountering. As new technologies emerge, the risks of data breaches and cyberattacks continue to grow. The data underscores what many security practitioners already know: staying current with security trends and implementing proactive measures against these threats is critical.
One of the key takeaways from the report is the prevalence of Web application vulnerabilities. These vulnerabilities, which include SQL injection and cross-site scripting, are a major source of risk for many organizations. Both share a root cause: untrusted input is concatenated into a query or a page instead of being bound as a parameter or encoded for output. Cobalt found that Web application vulnerabilities accounted for over 40% of all vulnerabilities discovered in 2022, a significant increase from the previous year, which highlights the need for organizations to prioritize their Web application security efforts.
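As an added illustration (example code written for this page, not code from Cobalt or from the report), the Python snippet below shows the two flaws named above next to their fixes: a login query built by string concatenation beside the same query with bound parameters, and a greeting rendered from raw input beside one that HTML-encodes it. The in-memory SQLite database, the user rows and the attacker payloads are all constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: user input becomes part of the SQL text.

    A username of  alice' --  closes the string literal and comments out the
    password check, so the query succeeds without a valid password.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Fixed: bound parameters are passed to the driver as values and are
    never parsed as SQL, so the same payload is just a non-existent username."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name):
    """Cross-site scripting: the name is placed in HTML without encoding,
    so markup supplied by the user is interpreted by the browser."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name):
    """Fixed: encode for the HTML context so <, >, &, quotes become entities."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    sqli_payload = "alice' --"          # constructed attacker input
    xss_payload = "<script>alert(1)</script>"
    print("vulnerable login:", login_vulnerable(conn, sqli_payload, "wrong"))
    print("safe login:      ", login_safe(conn, sqli_payload, "wrong"))
    print("vulnerable html: ", render_greeting_vulnerable(xss_payload))
    print("safe html:       ", render_greeting_safe(xss_payload))
```

Run it and the vulnerable login returns `alice` for a bogus password while the parameterised one returns nothing; the encoded greeting contains no `<script>` tag. The same two rules apply in any language or framework: bind values, never splice them into query text, and encode output for the context it lands in.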
Another major vulnerability we're seeing is the use of insecure protocols. The report found that many organizations continue to use outdated, insecure protocols like FTP and Telnet, despite the known risks. Both transmit credentials and session data in cleartext, so anyone positioned on the network path can capture logins and data, and a compromise of one of these services can result in a significant data breach. Known replacements (SFTP or FTPS for FTP, SSH for Telnet) have existed for decades, yet the issue remains prevalent.
Social engineering attacks also rank highly as a pitfall for companies of all sizes. These attacks, which include phishing and spear-phishing, are an ever-growing concern. They rely on psychological manipulation to trick individuals into divulging sensitive information or performing actions that compromise security. We found that social engineering accounted for 20% of all reported security incidents in 2022, making it a significant threat to organizations regardless of size.
What Can Organizations Do to Protect Against These Vulnerabilities and Threats?
One of the most important things companies can do is focus on proactive security measures: regular vulnerability scanning, penetration testing, and robust security protocols and procedures, including consistent employee cyber training. You are only as strong as your weakest link.
Regular vulnerability scanning and penetration testing are essential for identifying weaknesses in an organization's network and applications. Scanning lets organizations find and remediate known vulnerabilities before attackers exploit them, while penetration testing goes further, showing how a skilled attacker would actually chain weaknesses together and giving the organization a clearer picture of its overall security posture.
Beyond scanning and testing, organizations should prioritize robust security protocols and procedures. These include strong passwords and two-factor authentication, and secure protocols such as SSH and HTTPS in place of Telnet, FTP and plain HTTP. Organizations should also develop and enforce a comprehensive security policy that outlines the steps employees must take to protect sensitive data and systems.
Finally, organizations must remain vigilant against social engineering. This means training employees regularly on how to recognize and avoid these attacks, and deploying technical controls, such as filtering and authentication checks on inbound email, that stop phishing and other social engineering attempts before they reach employees.
Overall, the new "State of Penetration Testing 2023" report highlights the need for organizations to stay vigilant about the risks of data breaches and cyberattacks. By implementing proactive security measures and keeping up with current security trends, organizations can protect their sensitive data and systems. With technology continuing to evolve and attackers growing more sophisticated, it is more important than ever for organizations to prioritize their security efforts and take a proactive approach to vulnerabilities and threats.
About the Author
Andrew Obadiaru is the chief information security officer at Cobalt, which provides a pentest-as-a-service (PtaaS) platform that is modernizing the traditional, static pentesting model. Andrew is responsible for maintaining the confidentiality, integrity, and availability of Cobalt's systems and data. Andrew has 20+ years in the security and technology space, with a history of managing and mitigating risk across changing technologies, software, and diverse platforms.