Tips for Your Vendor Security: Closing the Most Common Cyber Gaps
Your vendors probably have cyber gaps. Which are the most common, and how can they be remedied?
To answer these questions, Panorays used data from our cyber posture evaluations of tens of thousands of vendors from numerous industries over long periods of time. We extracted the findings that appeared in a large percentage of the companies and omitted obvious low-risk findings that recur in all companies, such as missing recommended HTTP response headers. We focused on cyber gaps that may have a real effect on the resilience of the vendors, and thus the organizations themselves.
Patch management is a very common and painful subject in the security world, because it involves a great deal of effort and can impact business continuity. We still see that the majority of companies are struggling to patch against known critical vulnerabilities.
Tip: In many cases, attacks against unpatched technologies are opportunistic, rather than targeted. For this reason, it may be advisable to start with other less costly mitigations like obscuring tech versions, virtual patching and WAF. If the company simply obscures the technology they are using, they may be able to protect themselves from these opportunistic attackers.
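As an added example (not Panorays' code or tooling), the following Python snippet implements the cheapest of the mitigations mentioned in the tip, checking captured HTTP response headers for product version disclosure and pointing to the setting that suppresses it. The host names and header values are constructed samples; the remediation hints name the real nginx, Apache, PHP and ASP.NET settings.

```python
import re

# Headers that commonly carry a product or framework version fingerprint
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A dotted version number anywhere in the header value, e.g. "nginx/1.18.0"
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

# How to suppress each disclosure (real settings for the named products)
HARDENING_HINTS = {
    "server": "nginx: 'server_tokens off;'  Apache: 'ServerTokens Prod'",
    "x-powered-by": "PHP: 'expose_php = Off' in php.ini",
    "x-aspnet-version": "ASP.NET: <httpRuntime enableVersionHeader=\"false\" />",
    "x-generator": "CMS-specific: remove the generator header/meta tag in the theme or plugin",
}

# Constructed sample captures (hosts and values are made up, not real vendors)
SAMPLE_RESPONSES = {
    "shop.example.test": {
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.2.24",
        "Content-Type": "text/html; charset=UTF-8",
    },
    "api.example.test": {
        "Server": "nginx",
        "Content-Type": "application/json",
    },
}


def disclosed_versions(headers):
    """Return {header_name: value} for every fingerprint header whose value contains a version.

    Header names are matched case-insensitively, as HTTP requires; keys come back lowercased.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: lowered[name] for name in FINGERPRINT_HEADERS
            if name in lowered and VERSION_RE.search(lowered[name])}


def audit(responses):
    """Map each host to a list of disclosing headers, each with its remediation hint."""
    report = {}
    for host, headers in responses.items():
        report[host] = [
            {"header": name, "value": value, "fix": HARDENING_HINTS[name]}
            for name, value in disclosed_versions(headers).items()
        ]
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_RESPONSES).items():
        print(host, "->", "no version disclosure" if not findings else findings)
```

Hiding the version only raises the bar for opportunistic scanners; the patch is still owed, so the findings are best fed into the same tracker as the missing patches.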
Significant web assets not protected by WAF
Companies affected: 48%
Websites and apps are targeted by a wide range of attacks—from scraping and DDoS to injections and cross-site scripting. Web Application Firewalls (WAF) have become a must-have for basic protection.
Tip: The emphasis here is on significant. Not every asset requires the same amount of security measures. However, critical web assets (e.g. handling payment data) require protections such as Web Application Firewalls.
Supporting deprecated SSL protocols
Companies affected: 40%
A surprisingly high percentage of companies still support deprecated and vulnerable protocols like SSL v2. Often this is a single asset in a company with thousands of assets. These protocols have been deprecated for years and effectively negate the benefits of encryption and authentication.
Tip: Companies should be able to easily remediate this gap. This shouldn’t be an issue of supporting legacy clients, as TLS, which replaces SSL v2, has been available since 1999.
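As an added example (not Panorays' code), the following Python snippet shows the remediation on both sides: it audits an nginx configuration for deprecated protocol versions and rewrites the directive, and it builds a server-side SSLContext for Python services that refuses anything below TLS 1.2. The nginx fragment is a constructed sample, not a real vendor's configuration; the directive and protocol names are nginx's own.

```python
import re
import ssl

# Versions that should no longer be offered: SSL 2.0/3.0 are broken, and
# TLS 1.0/1.1 were formally deprecated by RFC 8996
DEPRECATED = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Constructed nginx fragment (not from any real vendor) with a legacy protocol list
SAMPLE_NGINX_CONF = """\
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Captures the indentation and the protocol list of each ssl_protocols directive
PROTOCOLS_RE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;]+);", re.MULTILINE)


def find_deprecated_protocols(conf_text):
    """List deprecated protocol names enabled by any ssl_protocols directive, in file order."""
    found = []
    for match in PROTOCOLS_RE.finditer(conf_text):
        for proto in match.group(2).split():
            if proto in DEPRECATED and proto not in found:
                found.append(proto)
    return found


def harden_protocols(conf_text):
    """Rewrite every ssl_protocols directive to offer only TLS 1.2 and 1.3, keeping indentation."""
    return PROTOCOLS_RE.sub(r"\1ssl_protocols TLSv1.2 TLSv1.3;", conf_text)


def hardened_server_context():
    """Server-side SSLContext that refuses handshakes below TLS 1.2.

    The caller still loads its certificate with ctx.load_cert_chain(certfile, keyfile).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("deprecated:", find_deprecated_protocols(SAMPLE_NGINX_CONF))
    print(harden_protocols(SAMPLE_NGINX_CONF))
```

Running the audit over every exported configuration, rather than only the main site, is what catches the single forgotten asset the paragraph describes.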
Vulnerable default CMS configuration
Companies affected: 38%
Content Management Systems like WordPress are widespread, and so are their security vulnerabilities. Many users don’t change default configurations like passwords, user exposure and login pages.
Tip: Each CMS solution has a security guide that should be followed to make sure security best practices are used.
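As an added example (not Panorays' code, and not a WordPress project tool), the following Python snippet audits a WordPress wp-config.php fragment for the defaults that the CMS's own security guidance says to change, and generates a fragment that passes the audit. The configuration text is a constructed sample; the constant names, the salt placeholder string and DISALLOW_FILE_EDIT are WordPress's real settings.

```python
import re
import secrets

# The eight authentication keys and salts WordPress expects to be unique per site
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER_SALT = "put your unique phrase here"   # value shipped in wp-config-sample.php
WEAK_DB_PASSWORDS = {"", "password", "root", "admin", "wordpress", "123456"}

# Constructed wp-config.php fragment with the sample file's defaults left in place
SAMPLE_WP_CONFIG = """\
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
"""

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_config(text):
    """Return (constants, table_prefix); string values stay strings, true/false become bool."""
    consts = {}
    for m in DEFINE_RE.finditer(text):
        consts[m.group(1)] = m.group(2) if m.group(2) is not None else (m.group(3) == "true")
    prefix = PREFIX_RE.search(text)
    return consts, (prefix.group(1) if prefix else None)


def audit_wp_config(text):
    """Return finding codes for default or weak settings, in a fixed order."""
    consts, prefix = parse_config(text)
    findings = []
    if consts.get("DB_PASSWORD", "") in WEAK_DB_PASSWORDS:
        findings.append("weak_db_password")
    if consts.get("DB_USER") == "root":
        findings.append("db_user_is_root")
    # Missing, placeholder or short keys/salts all weaken cookie and nonce protection
    if any(consts.get(k) == PLACEHOLDER_SALT or len(str(consts.get(k, ""))) < 32 for k in SALT_KEYS):
        findings.append("placeholder_or_missing_salts")
    if prefix in (None, "wp_"):
        findings.append("default_table_prefix")
    if consts.get("WP_DEBUG") is True:
        findings.append("debug_enabled")
    if consts.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("dashboard_file_editor_enabled")
    return findings


def hardened_wp_config():
    """Generate a wp-config.php fragment that passes the audit, with fresh random secrets."""
    lines = [
        "define( 'DB_NAME', 'wordpress' );",
        "define( 'DB_USER', 'wp_app' );",   # dedicated database user instead of root
        f"define( 'DB_PASSWORD', '{secrets.token_urlsafe(24)}' );",
    ]
    lines += [f"define( '{key}', '{secrets.token_urlsafe(48)}' );" for key in SALT_KEYS]
    lines += [
        f"$table_prefix = 'wp{secrets.token_hex(3)}_';",
        "define( 'WP_DEBUG', false );",
        "define( 'DISALLOW_FILE_EDIT', true );",   # removes the theme/plugin code editor from the dashboard
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("sample config findings:", audit_wp_config(SAMPLE_WP_CONFIG))
    print("hardened config findings:", audit_wp_config(hardened_wp_config()))
```

The audit is deliberately limited to what is visible in the configuration file; default administrator user names and an unprotected login page are checked against the running site, not its config.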
Exposed high risk services
Companies affected: 34%
We would expect fewer companies to expose services that are prone to attacks, like database ports. Most of these services may serve non-production environments or non-critical data, but still, an enormous number of data breaches originate from misconfigured servers.
Tip: Even if the services cannot be completely closed, they should at least be limited and not publicly accessible to the entire Internet.
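As an added example (not Panorays' code), the following Python snippet applies the tip to an inbound firewall rule set: it flags high-risk service ports whose source range is the entire Internet (IPv4 or IPv6) and produces a restricted copy of each rule with an explicit allow-list. The rules are a constructed sample in the shape a cloud security-group export might take; the port-to-service table lists well-known default ports.

```python
import ipaddress

# Well-known default ports of services that should not face the whole Internet
HIGH_RISK_PORTS = {
    21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 5900: "VNC", 6379: "Redis",
    9200: "Elasticsearch", 11211: "Memcached", 27017: "MongoDB",
}

# Constructed inbound rules (made-up names and ranges, not a real environment)
SAMPLE_RULES = [
    {"name": "web", "port": 443, "sources": ["0.0.0.0/0"]},
    {"name": "db-prod", "port": 3306, "sources": ["0.0.0.0/0"]},
    {"name": "db-staging", "port": 5432, "sources": ["10.0.0.0/8"]},
    {"name": "cache", "port": 6379, "sources": ["::/0"]},
    {"name": "admin-rdp", "port": 3389, "sources": ["203.0.113.0/24"]},
]


def is_world_open(cidr):
    """True when the source range is the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_high_risk(rules):
    """Return the rules that expose a high-risk service to the entire Internet."""
    findings = []
    for rule in rules:
        service = HIGH_RISK_PORTS.get(rule["port"])
        if service is None:
            continue
        open_sources = [s for s in rule["sources"] if is_world_open(s)]
        if open_sources:
            findings.append({"name": rule["name"], "port": rule["port"],
                             "service": service, "sources": open_sources})
    return findings


def restrict_rule(rule, allowed_cidrs):
    """Copy of the rule with world-open sources replaced by the given allow-list.

    Sources that were already limited are kept; allow-list entries are added once.
    """
    kept = [s for s in rule["sources"] if not is_world_open(s)]
    kept += [c for c in allowed_cidrs if c not in kept]
    return {**rule, "sources": kept}


if __name__ == "__main__":
    for finding in exposed_high_risk(SAMPLE_RULES):
        print(f"{finding['name']}: {finding['service']} on {finding['port']} open to {finding['sources']}")
    fixed = [restrict_rule(r, ["10.0.0.0/8"]) for r in SAMPLE_RULES]
    print("after restriction:", exposed_high_risk(fixed))
```

The web rule on 443 is left alone on purpose: the check targets services that have no business being public, not everything that is public, which mirrors the tip's distinction between closing a service and limiting who can reach it.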
While the above are the most common cyber gaps we found, they are just the tip of the iceberg. Because technology keeps on evolving, new vulnerabilities are constantly being introduced, leading to new cyber gaps that can be exploited by criminals. For this reason, it’s important for organizations to assess and continuously monitor vendors to uncover all cyber gaps and close them.