NEW YORK, Aug. 1, 2024 /PRNewswire/ -- The 2024
BreachLock Pentesting Intelligence Report is out - and there are
many new insights that may surprise you. The report analyzed threat
intelligence from over 4,000 penetration tests and vulnerability
assessments conducted over the past 12 months. Findings were
presented across affected assets, associated vulnerability types,
prevalence, severity, and the most impacted industries around the
globe.
"Today more than ever, CISOs are facing increasing cyber
security challenges. They are facing new and more stringent
regulatory guidelines, SEC reporting rules, and an expanding
landscape that seeks to hold enterprises more accountable. It
leaves CISOs and practitioners unsure of what lies ahead," states
Seemant Sehgal, Founder & CEO of BreachLock. "Security teams
are under more scrutiny to reassess risk and quantify the potential
financial impact. They need to provide business-oriented programs
that drive ROI and reduce risk, and BreachLock aims to provide the
offensive security solutions to help enterprises do just this."
This year's report maps findings to MITRE ATT&CK adversary tactics
and techniques and to the OWASP Top 10, to show how the report's
findings stack up against real-world observations. Here are some of
the report's top findings:
Industry Findings
The report draws on a healthy representation across enterprise
sizes: small enterprises, those with fewer than 50 employees, make
up 40% of the analysis, followed by mid-size enterprises (51 to 100
employees) at 35% and large enterprises (1,001 to over 10,000
employees) at 25%. These enterprises were located across North America, the UK, Europe, and Pan-Asian countries.
2024 has been a tough year so far for the Computer Software &
Technology industry, which has seen an escalation in cyber
incidents targeting technology infrastructure. Of the findings in
the Top 5 industries with the highest number of findings, 48% were
in the technology sector.
As researchers dug deeper into the data, some surprising industry
insights emerged. The Banking and Financial Services Institutions
(FSI) sector saw a 71.43% increase in Critical and High severity
findings in 2024 compared to 2023. These included security
misconfiguration, cryptographic failures, and broken access
control, all OWASP Top 10 categories.
Healthcare also saw a significant rise in Critical and High
severity findings, an 85.71% increase versus 2023. In May 2024
there were 51 reported healthcare data breaches in the U.S., most
notably the attack on UnitedHealth-owned Change Healthcare, which
resulted in a $22 million ransom paid to a Russian cybercrime
group.
Professional Services was a newcomer to the 2024 report. This
sector includes such organizations as consumer services, human
resources, law practices, legal services, and staffing and
recruitment. Due to the sensitive data handled by these types of
organizations, in addition to the complexity of attacks and growing
regulatory demands, it is not surprising to see this sector in the
Top 5 most impacted industries.
Findings Across Assets
Across the 4,000 pentests analyzed for the report, the assets tested
were web applications (49%), external network (17%), internal
network (15%), APIs (9%), Cloud (7%), and Mobile apps for both
Android and iOS (3%).
The Top 5 most frequently identified vulnerability categories,
mapped to the OWASP Top 10, were:
- A05:2021 – Security Misconfiguration
- A02:2021 – Cryptographic Failures
- A01:2021 – Broken Access Control
- A04:2021 – Insecure Design
- A06:2021 – Vulnerable and Outdated Components
These Top 5 categories together represent 88% of the findings and
security weaknesses in the report's full data set.
MITRE ATT&CK is another framework BreachLock uses, and it is also
represented in the 2024 report findings. Mapping identified
vulnerabilities to ATT&CK techniques ties each finding to a
technique adversaries actually use, which supports the relevance
and severity assigned to it. By identifying vulnerabilities associated with the
most common and impactful attack techniques, organizations can
prioritize their remediation efforts to address the most critical
and probable threats first.
Critical and High severity findings increased across almost every
asset class; here are a few of the most significant discoveries:
- Web Applications: Critical severity findings are up 150% and
High findings up 60% in 2024 vs. 2023.
- Network Infrastructure: Internal and external network findings
together represent 32% of the complete data set, with Critical and
High severities increasing 100% and 200%, respectively, in 2024
over the previous year.
- APIs: Representing almost 10% of the overall risk across all
assets tested, APIs showed a 400% increase in Critical severities
and a 700% increase in High severities vs. 2023.
Lastly, the BreachLock Pentesting Intelligence Report outlines
some of the recent changes to cybersecurity regulations in 2024.
Arguably the most impactful has been the Securities and Exchange
Commission (SEC) cybersecurity disclosure rules. Adopted in July
2023, their effect was first really seen in 2024, as major domestic
and global companies that experienced material breaches disclosed
them to the SEC on Form 8-K within four business days of
determining materiality, making the incidents public.
In closing, the annual BreachLock Penetration Testing
Intelligence Reports have become an important way for enterprises
and their security teams to keep a pulse on the most prevalent
vulnerabilities and on changes to the threat landscape. They also
help us, as a security provider, better understand what is keeping
our customers up at night and continue to develop solutions that
align with their needs and growing attack surface.
For more information, download the 2024 BreachLock Pentesting
Intelligence Report or contact us to learn more.
About BreachLock
BreachLock is a global leader in Attack Surface Discovery
and Penetration Testing. Continuously discover, prioritize, and
mitigate exposures with evidence-backed Attack Surface Management,
Penetration Testing, and Red Teaming.
Elevate your defense strategy with an attacker's view that goes
beyond common vulnerabilities and exposures. Each risk we uncover
is backed by validated evidence. We test your entire attack
surface and help you mitigate your next cyber breach before it
occurs.
Know your risk. Contact BreachLock today!
Media Contact:
Megan Charrois
Senior Marketing Executive
Megan.c@breachlock.com
BreachLock.com
View original content to download multimedia: https://www.prnewswire.com/news-releases/critical-risk-severities-across-assets-and-industries-are-on-the-rise-according-to-new-2024-breachlock-pentesting-intelligence-report-302212396.html
SOURCE BreachLock