High-Tech Bridge's Web Security Trends for First Half of 2016

By Peter Bernstein
Senior Editor

Here at the Cyber Security Trend Community we like to keep community members as knowledgeable as possible.  Insights and recommendation from respected solutions providers have proven extremely useful in terms of the types of additional education and certifications community members may wish to consider. This week, one of the sources I have come to rely on, the web security solutions specialists at High-Tech Bridge, in front of the Infosecurity Europe 2016 event, have released a comprehensive overview of trends across all major fields of web security.  It paints a rather bleak picture for challenges faced by IT security professionals during the first half of 2016.

It is an interesting snap shot in time as well as a pointer on things readers should check on in terms of your organization’s preparedness.  They include: 

Web Application Vulnerabilities

• Over 60 percent of web services or APIs designed for mobile applications contain at least one high-risk vulnerability allowing database compromise.
• If a website is vulnerable to XSS, in 35 percent of cases, it is also vulnerable to more critical vulnerabilities, such as SQL injection, XXE or improper access control.
• High risk vulnerabilities, such as SQL injections, are now being used for RansomWeb attacks five times more frequently than in 2015, extorting money from website owners.
• Blind XSS exploited in the wild, are being actively used by cybercriminals to infect privileged website users (e.g. support or admins) with Ransomware via drive-by-download attacks.
• Web attacks are becoming more sophisticated than ever, using chained vulnerabilities (e.g. XSS for privilege escalation, then improper access control and race condition to upload web shell).

HTTPS Encryption

• 23 percent of websites are still using deprecated SSLv3 protocol (top five countries: US, Germany, UK, France, and Russia).
• 97 percent of websites are still using insecure TLS 1.0 protocol, restricted by PCI (News - Alert) DSS from June 2018 (top five countries: US, Russia, Germany, UK, and Netherlands).
• 23 percent of websites are still vulnerable to POODLE, however only 0.43 percent are vulnerable to Heartbleed.
• Only 24.3 percent of websites have SSL/TLS configuration fully compliant with PCI DSS requirements, and as low as 1.38 percent are fully compliant with NIST guidelines.

 Web Server Security

• Less than 1 percent of web servers have enabled and correctly configured Content Security Policy (CSP)HTTP header, aimed to prevent XSS and other malicious content injection attacks.
• 9 percent of web servers have incorrect, missing, or insecure HTTP headersputting web application and its users at risk of being compromised.
• Only 27.8 percent of web servers are fully up2date and contain all available security and stability patches.

Web Application Firewalls

• Web applications protected with a WAF, contain 20 percent more vulnerabilities on average than unprotected ones.
• Over 60 percent of web vulnerabilities have advanced exploitation vectors allowing hackers to bypass WAF configuration and compromise the web application.
• Many customers abandon WAF integration with automated scanning tools due to a high rate of false-positives.

Cybersquatting, Typosquatting and Phishing

• Domains in .com and .org TLDs remain the most common among fraudulent domains (typosquatted, cybersquatted, or used for phishing and drive-by-download attacks).
• US, Poland and Singapore figure among the most popular countries to host fraudulent and malicious websites.
• Despite the growing fear about the new gTLDs (such as .xxx or .pizza), fraudulent domains in these domain zones represent only 0.22 percent of all malicious domains.

 Ilia Kolochenko, CEO and founder of High-Tech Bridge, commented:

 “The easiest and fastest to hack, insecure web applications are becoming the major threat across the Internet. Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cybercriminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs.

In the near future, we can expect a significant and continuous growth of RansomWeb attacks against website owners, and Ransomware attacks against website visitors. Actually, ransomware is not a technical problem, but a business model problem: while it will remain the easiest way to extort money, it will continue skyrocketing.

Web Application Firewalls don’t work in isolation from other security technologies anymore. Web application security requires a comprehensive approach, including Secure Software Development Lifecycle (S-SDLC), continuous monitoring, and regular manual or hybrid web security testing to complement automated vulnerability scanning.”

You might wish to check out a set of free security services  available from High-Tech Bridge:  SSL/TLS Security Test, Web Server Security Test and Domain Security Radar.  The results may surprise you whether they are good or bad. They certainly have given our IT people something to think about.