Data Breach Vulnerability Afflicts Financial Websites: Report
More than one third of financial service industry websites experience at least one serious vulnerability, such as a data exposure, every single day, according to Santa Clara, Calif.-based WhiteHat Security’s Website Security Statistics Report.
The report provided a state of website security and the issues that organizations must address in order to safely conduct business online. The 2015 report found that while no true security best practices exist, the key is in identifying the security metrics that mean the most to the organization and focusing on those activities to remediate specific vulnerabilities.
Through examining web application vulnerabilities of more than 30,000 websites managed by WhiteHat Sentinel, researchers gathered the following statistics: 35% of finance and insurance sites are always vulnerable, meaning the sites had at least one serious vulnerability exposed every day of the year. Only 25% of finance and insurance sites had one or more serious vulnerabilities exposed for fewer than 30 days of the year. Insufficient transport layer protection was the most likely vulnerability in the financial/insurance vertical.
With serious vulnerabilities attackers could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements and possibly make headline news.
Verizon’s 2015 Data Breach Investigations Report recently shared that for the financial services industry, web application vulnerabilities are the second leading cause of breach incidents.
“We see no compelling evidence of ‘best-practices’ in application security,” Jeremiah Grossman, founder of WhiteHat Security, said. “We instead observed that certain software security activities improve specific metrics, such as the number of vulnerabilities, time-to-fix, and remediation rates, more than other activities. The best approach is for organizations to identify specific security metrics they’d like to improve upon, and then strategically select activities most likely to make a positive impact.”
Overall, data for 2015 turned out to be far more serious than anticipated. Of all websites tested by WhiteHat Sentinel, 86% had at least one serious vulnerability where an attacker could take control over all, or some part, of the website, and 56% of the time the site had far more than one vulnerability. On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
Insufficient transport layer protection was the most likely vulnerability across vertical industries including retail trade, healthcare/social assistance, information technology and financial/insurance, with a likelihood ranging from 65% to 76%. Insufficient transport layer protection is a security flaw in which an application fails to take measures to shield its network traffic.
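As an added example (not code from the WhiteHat report or this article), the following Python checker flags the common signs of insufficient transport layer protection in a single HTTP response: a plain-HTTP page, a missing or short-lived HSTS policy, session cookies without the Secure flag, and resources referenced over http://. The URLs, headers and the one-year HSTS threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

HSTS_MIN_AGE = 31536000  # one year in seconds; assumed threshold, not from the report


def parse_hsts(value):
    """Return the max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def assess_transport(url, headers, body=""):
    """Return a list of transport-layer weaknesses found in one response.

    headers is a list of (name, value) tuples because Set-Cookie may repeat.
    """
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("page served over plain HTTP")
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = parse_hsts(hsts[0])
        if age is None or age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {age} below {HSTS_MIN_AGE}")
    for n, v in headers:
        if n.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {name} lacks Secure flag")
    # Any src/href/action pointing at http:// leaks or exposes traffic.
    hosts = re.findall(r'(?:src|href|action)\s*=\s*["\']http://([^/"\']+)', body, re.I)
    for host in sorted(set(hosts)):
        findings.append(f"resource referenced over plain http: {host}")
    return findings


# Constructed sample responses: a weak login page and its hardened form.
WEAK = ("http://bank.example/login",
        [("Content-Type", "text/html"),
         ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")],
        '<form action="http://bank.example/auth"><script src="http://cdn.example/a.js">')
HARDENED = ("https://bank.example/login",
            [("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
             ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly")],
            '<form action="/auth"><script src="https://cdn.example/a.js">')

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_transport(*sample) or ["no findings"])
```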
“From our research, what matters between the spectrum of those who are always vulnerable and rarely vulnerable is less about the programming languages, industry vertical, size of the organization, and so on,” Grossman said. “What seems to matter more than anything else is organizations having a strong internal driver, and a culture of accountability for fixing identified vulnerabilities in a specific timeframe. The executive level mandate creates an environment for the development groups to create effective remediation processes.”
Researchers found that the best way to lower the average number of vulnerabilities, speed up time-to-fix and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This approach makes application security front-and-center in a development group’s daily work activity and creates an effective process to solve problems.
Compliance-driven organizations that seek to remediate vulnerabilities had the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%). Those that had made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities.
“We realize that using compliance as a driver to remediate vulnerabilities is a double-edged sword, but the data demonstrates that those companies have the best statistics in terms of securing their organization’s sites,” Grossman said. “This year’s report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.”