Edgescan inclusion in the Verizon DBiR

By -















For the third year running Edgescan contributed to the Verizon DBiR. The DBiR is recognized as the defacto cyber report which casts a wide net across all types of cyber security and breaches, this includes vulnerability management in both infrastructure and applications.

 Edgescan vulnerability data is curated and validated, sanitized and reflects tens of thousands of assessments we deliver globally across the full stack to our clients.

 As stated by Gabriel Basset of Verizon "I think there’s a positive story around how vulnerability scanning, patching, and filtering are preventing exploiting vulns from being the easiest way to cause a breach but that asset management is needed to identify and patch unpatched systems..."

 A few things that stand out to me in the report are as follows:
Nearly half of breaches involved Hacking and 70% of breaches were external threat actors. To me this makes sense as in our experience most large enterprises have at lease one critical vulnerability living in their estate and the majority of risk (as per our research) is in the web layer/Layer 7 - Web sites, Applications and API's.
Of a 977 breach sample-space the majority of threat actors were associated with organized crime. These folks are professional, determined hackers. Its how they make their living. They don't care where the vulnerability resides in the stack. An automated approach to vulnerability management alone wont ensure your defense.
Using software/tools alone to defend against experienced humans wont result in robust security. 

This is the case in particular when the people we are trying to defend against actors who are very skilled and determined, professional blackhat folks, if you will.

Human Error was cited to be a significant contribution to system insecurity and breach in the 2020 DBiR report.

Misconfiguration taking the prize for main contributor; "They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries." according to the report authors.

What we see in Edgescan is pretty much aligned with this metric. Misconfigurations are a common vulnerability and not going away anytime soon. Insecure deployments, misconfigured frameworks, directory listing, data exposure via errors all cousins and steadily increasing over the past number of years.

 The concept of continuous assessment, profiling and validation is key to detecting such issues. Generally they are not difficult to detect or fix but if we don't know about them we're leaving the door open for someone else to use.

Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more
By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA
Read more