The vast majority of internet-exposed web apps containing personal identifiable information (PII) are vulnerable to a cyberattack, according to a fresh analysis of 3.5 million business assets.
PII is used by hackers as fodder for financial, credential and phishing-related attacks. According security firm CyCognito, 74% of the web apps it examined contain PII vulnerable to at least one known major exploits such as Apache Superset, Papercut and MOVEit. The report found 11% of those vulnerable assets included multiple and "easily exploitable" issues that range from misconfiguration, an absence of secure HTTPS encryption and no use of a web application firewall (WAF).
The report (registration required), found that the typical enterprise has more than 12,000 web apps and at least 30% of the apps — more than 3,000 assets — have at least one exploitable or high-risk vulnerability. In addition, 70% of web applications have severe security gaps, like lacking web application firewall (WAF) protection or an encrypted connection like HTTPS, while 25% of all web apps lacked both.
CyCognito also found that 50% of these potentially vulnerable web apps are hosted in the cloud. And 98% of web apps are potentially GDPR non-compliant because of the lack of opportunity for users to opt out of cookies.
A related 2023 examination of publicly exposed application programming interfaces (API) by the SANS Institute and Akamai reported that 2022 was a record-breaking year for application and API attacks.
Rob Gurzeev, co-founder and CEO at CyCognito, pointed out that the recent MOVEit exploit involving ransomware being loaded via the popular file transfer software is a cautionary tale for all CISOs that attackers remain many steps ahead of web applications and cloud security.
“The size of a company’s attack surface fluctuates up and down by as much as 10 percent a month, making it a moving target rife with security gaps ready to be exploited,” said Gurzeev. “Our latest research is not only a wake-up call that no business is immune to risk; it’s also clear proof that unknown and undiscovered assets present a major threat to an organization.”
Most security teams are likely aware of the risks associated with PII and the potential vulnerabilities that can expose this information, said Callie Guenther, cyber threat research senior manager at Critical Start. Guenther said high-profile data breaches frequently make headlines, so the risks associated with PII exposure are well-publicized. However, the specific data points mentioned in the report might come as a surprise, even to seasoned security professionals.
“The high 74% percentage of assets with exposed PII susceptible to known major exploits emphasizes that the problem is widespread and persistent, regardless of awareness,” said Guenther. “The statistics mentioned underscore a clear point: PII remains highly vulnerable. If 74% of assets with PII are exposed to at least one known major exploit, and 10% have an easily exploitable issue, it paints a concerning picture of the current state of external exposure management.”
George McGregor, vice president at Approov, added that one obvious piece of advice to enterprises not in the report is to be very aggressive about identifying and removing underused apps, especially those accessing sensitive data and systems. The other observation on this report is it is uniquely focused on web apps when there has been a massive shift in the last few years to mobile apps for both consumer and enterprise use cases, said McGregor.
“This may simply reflect the focus of the sponsoring company, but it’s crucial that enterprises also focus on mobile app security, as the attack surfaces presented by mobile apps are very different and ‘classic’ web app approaches such as WAFs, encrypted traffic, and CAPTCHA are ineffective.”
