Third-party services to blame for some data exposure incidents, survey warns
A report has detailed how the majority of the world’s top cybersecurity companies have had their data exposed on the dark web.
The survey, from application security firm ImmuniWeb, took a sample of nearly 400 of the largest cybersecurity companies from 26 countries across the globe, with the majority based in the US and Europe.
The company, which uses AI to detect security issues, then used its own systems to discover and classify dark web data leaks related to those security organizations.
It found that 97% had leaked data available on the dark web. In addition, 25% of incidents were classified as a ‘high’ or ‘critical’ risk level – meaning personally identifiable information had been exposed.
Further data identified that 29% of leaked passwords belonging to the security companies were weak, and that employees from 40% of the organizations had reused credentials across different online services.
ImmuniWeb also wrote that 91 of the companies studied had a security vulnerability present on their websites – 26% of which are yet to be fixed.
Machine learning model
The companies were chosen based on lists from independent sources including OWASP and RSA conference attendees. Smaller security organizations whose websites were outside of the Alexa top 500,000 were removed from the study.
The leaked data was discovered using ImmuniWeb’s machine learning model, and while the company took steps to verify the findings, it cannot be certain that datasets are 100% legitimate without testing them.
Ilia Kolochenko, ImmuniWeb CEO, told The Daily Swig: “For some incidents, there is no technical way to be 100% certain that the incident is real unless you have the full data in your possession and try to exploit the data – an act that may be criminally punishable in many jurisdictions.
“For example, one would need to try to log in to an employee’s email with his or her [leaked] password or to try running an SQL injection on a production website to get 100% certainty.”
Despite these caveats, however, Kolochenko said there are a “myriad of interrelated indicators that can reliably validate almost 99% authenticity of an incident”.
These indicators include whether the data relates to a publicly announced breach, the dark web seller’s reputation, and whether the leak has been verified by an independent broker.
The report also addressed the security risks of employing third-party services.
A company cannot be certain that a third party has robust security practices in place, which can become an issue, especially if the contractor is handling sensitive data.
While this issue could be mitigated by undertaking all services in-house, this is not always an option – especially for small to medium-sized enterprises.
The report reads: “A considerable number of the incidents stem from silently breached trusted third parties, such as suppliers or other subcontractors of the cybersecurity companies, mostly represented by stolen website databases and backups.
“A large number of stolen credentials with plaintext passwords likewise come from incidents involving unrelated third parties including dating or even adult-oriented websites where victims were using their professional email addresses to sign in.”
Of the third-party breaches, almost 17,000 credentials were exposed due to incidents involving retail websites, 12,000 from gaming platforms, and just over 5,000 from dating sites.
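The statistics above (share of weak passwords, credential reuse across services, and the breakdown of third-party incidents by category) are the kind of triage a defender runs over a credential dump once it has been obtained through lawful channels. The following is an added example written for this article; it is not ImmuniWeb's tooling or method. The records, e-mail addresses, passwords and the tiny common-password deny-list are all constructed, and the weakness heuristic (length, deny-list, character-class diversity) is an assumption standing in for whatever classifier the report used.

```python
"""Triage of a constructed credential dump (added example, not ImmuniWeb code).

Given records pairing an employee e-mail with the password found for it and
the category of third-party site it leaked from, compute the share of weak
passwords, which employees reused one password across unrelated services,
and how many credentials each third-party category accounts for.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed sample records: (employee e-mail, password as found, source category).
# The domain, addresses and passwords are invented for this example.
LEAKED_RECORDS = [
    ("alice@example-sec.test", "Password123", "retail"),
    ("alice@example-sec.test", "Password123", "gaming"),
    ("bob@example-sec.test", "x7!Qm#vT2pL9wZ", "retail"),
    ("bob@example-sec.test", "x7!Qm#vT2pL9wZ", "dating"),
    ("carol@example-sec.test", "qwerty", "dating"),
    ("dave@example-sec.test", "Tr0ub4dor&3", "retail"),
    ("erin@example-sec.test", "summer2020", "gaming"),
    ("erin@example-sec.test", "Corr3ct-Horse-Battery", "retail"),
]

# Constructed deny-list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "letmein"}


def is_weak(password: str) -> bool:
    """Assumed heuristic: weak if short, on the deny-list, or using under 3 character classes."""
    if len(password) < 12:
        return True
    if password.lower() in COMMON_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


def weak_password_share(records) -> float:
    """Fraction of leaked records whose password fails the weakness check."""
    if not records:
        return 0.0
    return sum(1 for _, pw, _ in records if is_weak(pw)) / len(records)


def reused_credentials(records) -> dict:
    """Employees who used the same password on more than one service.

    Returns e-mail -> set of categories where a shared password appeared.
    Passwords are compared by SHA-256 digest so the plaintext need not be
    carried into the analysis output.
    """
    by_email = defaultdict(lambda: defaultdict(set))  # email -> digest -> {categories}
    for email, pw, category in records:
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        by_email[email][digest].add(category)
    reused = {}
    for email, digests in by_email.items():
        categories = set()
        for cats in digests.values():
            if len(cats) > 1:
                categories |= cats
        if categories:
            reused[email] = categories
    return reused


def credentials_by_category(records) -> Counter:
    """Number of leaked credentials attributable to each third-party category."""
    return Counter(category for _, _, category in records)


if __name__ == "__main__":
    print(f"weak passwords: {weak_password_share(LEAKED_RECORDS):.1%}")
    for email, cats in reused_credentials(LEAKED_RECORDS).items():
        print(f"reuse: {email} across {sorted(cats)}")
    for category, n in credentials_by_category(LEAKED_RECORDS).most_common():
        print(f"{category}: {n} credentials")
```

Keying the reuse check on a digest rather than the plaintext is a small habit worth keeping: the analysis still finds employees who used one password on a retail site and a dating site, but the report it produces does not have to contain the password itself.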
Kolochenko advised companies to be diligent when outsourcing.
“Continuous security awareness training and actionable risk scoring of third parties will considerably minimize such risks,” he said.
“Oftentimes, security vendors [reasonably] consider themselves to be better prepared but forget about non-technical employees being susceptible to common mistakes.”
“Frequently, cybersecurity companies have no time or budget to manage their web presence and outsource it to web agencies or even to individuals.
“Unsurprisingly, these third parties are considerably less knowledgeable about all the intricacies of application security and may unwittingly install a vulnerable plugin, or forget to update their CMS during weeks, or even months.”