As the end of the year approaches, we at Panorays wanted to share what we found to be the top five cyber gaps affecting third-party vendors in 2018.
The Fab Five
Panorays has the unique ability to evaluate the cyber posture of a large number of third parties from numerous industries over long periods of time. In our evaluation of over 2,000 suppliers, we extracted the findings that appeared in a large percentage of the companies and omitted obvious low-risk findings that recur in all companies (e.g. HTTP headers). We focused on the top five cyber gaps that may have a real effect on the resilience of the vendors, and thus the organizations themselves.
And now for the list!
5. Open port with high risk service
Despite the frequent news of breaches originating from publicly accessible databases (Mongo, Elastic), we identified 13% of the vendors as having high-risk services open to the world. Not surprisingly, the “Computer Software” industry leads the pack with 19%. This can be attributed to the heavy adoption of new technologies and a growth-over-security mindset.
4. Not using HTTPS for significant web assets
You don’t see many critical sites that still allow unencrypted HTTP traffic, but apparently there are still sites that don’t support HTTPS at all. In fact, 13% of the vendors had significant web assets (for example, sites with login forms) with no possibility for HTTPS. The insurance industry has a much higher percentage of 26%. This could be because these companies maintain older assets that haven’t been brought up-to-date with security standards.
3. Significant web assets not protected by Web Application Firewall
Websites and apps are targeted by a wide range of attacks—from scraping and DDoS to injections and cross-site scripting. Web Application Firewalls (WAF) have become a must-have for basic protection. The high price, complexity and intrusiveness of WAF can explain why 32% of vendors choose to try their luck without it.
2. Untrusted certificate for significant web assets
Companies leave assets with untrusted certificates lying around like socks on the living room floor. These could be self-signed, expired or invalid certificates. The fact is they are not performing their authentication duties. Over 80% of vendors have assets with untrusted certificates, meaning they don’t see this as a high priority issue—probably because these are unused or unofficial assets. However, often these are the entry points hackers are looking for: unmonitored and unpatched servers inside the organizational network.
1. Unpatched technology with known high severity vulnerabilities
We finally reached the most common cyber gap in third parties for 2018: unpatched technologies. Not only are these products outdated, but the versions in use have known vulnerabilities, with exploits available to all.
On the other hand, anyone who has had to manage patching in a production environment can understand why 92% of the companies are affected by technologies with known high severity vulnerabilities.
This is also an opportunity to give a negative shout-out to the telecommunications industry, which performed below average in all five cyber gaps. Let’s hope they do better next year.
While these are the most common cyber gaps we discovered, many more exist. Improving third parties' cyber posture requires identifying attack surfaces, continuous monitoring and staying updated about industry best practices. An effective third-party management solution that implements these processes can make all the difference.