28 July, 2022
Top Cybersecurity Statistics for 2022
Threats and attack vectors in cyberspace have continued to evolve and become more sophisticated than ever. If you look at cybersecurity statistics in the last couple of decades, you will find that the number of cyber-attacks has increased, and so is the extent of their damage. For instance, IBM’s Cost of a Data Breach Report 2021 found that the global average data breach cost is $4.24 million. This average cost has increased by over 10.61% from $3.79 million in 2015. With an increasing number of users and devices connected to the internet, the potential attack surface area will continue to widen.
These days, organizations invest substantially in implementing security controls and fulfilling compliance obligations. More and more investments are going towards detection capabilities as opposed to building security foundation and testing the effectiveness of existing security controls. According to Seemant Sehgal, CEO & Founder at BreachLock,
“Offensive security checks are often deployed as an afterthought or entirely forgotten. CISOs often find it difficult to answer if they are secure.”
Frequent penetration tests that are technology-backed, fast, comprehensive, and easily scalable must become the industry norm to overcome this. In 2021, BreachLock realized that intelligence derived from our penetration testing exercises, delivered via SaaS platform can be a valuable resource for the entire cybersecurity community, help organizations in benchmarking their performance and up their game against cyberattacks. BreachLock’s penetration testing approach (PTaaS) leverages automation and artificial intelligence (A.I.) to build a scalable pentesting experience. With an analysis of over 8000 security tests in 2021, BreachLock has recently published its maiden Annual Penetration Testing Intelligence Report, 2022. In the following sections, we look at the key findings of this report.
1. Web Applications
Web applications have become an integral part of how businesses operate. Our analysis found that critical and high-risk findings accounted for less than 5% of overall findings. However, medium-risk findings accounted for 35% of overall findings. This shows that the number of medium-risk findings per application is considerably higher than high and critical findings. It is alarming that cross-site scripting (XSS) findings account for half of the high-risk findings. The analysis also notes that the average number of days taken for remediation of critical findings is 46 days, while the same for high-risk findings is 80 days.
The number of unique critical findings in external infrastructure is less than in internal infrastructure. This indicates that organizations focus heavily on vulnerabilities in their external infrastructure because of the notion that threats come from external-facing systems. In external infrastructure, the percentage of critical and high-risk findings is 0.07% and 0.32%, respectively. Medium-risk findings accounted for 34.11%, while low-risk findings comprised 65.60% of overall findings.
A similar trend was observed in internal infrastructure, where low and medium-risk findings contributed 97.8% of total findings. Critical and high-risk findings were 0.29% and 1.90%, respectively.
We have observed that the remediation of a high-risk vulnerability takes around 80 to 104 days on average. Moreover, about 70% of organizations do not have detection and response capabilities.
3. Mobile Applications
Mobile applications have gained increasing acceptance by organizations. Organizations rely on Android and iOS apps to deliver a targeted experience for their audience. For Android apps, critical and high-risk findings accounted for 7.34% of overall findings. For iOS apps, the same number stands at 4.81%. It is pertinent to note here that less than 15% of organizations that we worked with opted for mobile app pentesting services. Hard-coded credentials, insecure direct object reference, misconfigured launch mode attribute, insecure data storage, and XML injection are some of the most common vulnerabilities in mobile apps.
Application Programming Interfaces (APIs) offer a seamless experience for users and businesses by connecting one application with another. While APIs become popular, breaches continue to occur due to existing vulnerabilities in APIs. Low-risk findings in APIs contributed to 76.37% of overall findings, while medium-risk findings accounted for 22.70%. Only 0.93% of overall findings were high-risk findings.
48% of high-risk findings in APIs are related to missing function-level access control. This vulnerability allows users to perform actions they are not authorized for, according to their access level. This directly poses a challenge to the integrity of applications and data, allowing attackers to find and escalate privileges to launch other attacks.
Cybersecurity is a shared responsibility. It is not just about your business and our business. All the stakeholders must unite to make cyberspace a better place to do business. As threats continue to evolve, organizations must understand the bigger picture. Through the First Annual Report on pentesting intelligence, we hope to provide visibility into this big picture. As we continue to help businesses conduct scalable penetration tests, we are committed to helping you find and fix the next cyber breach.
The detailed report covers insights according to organizational size and industry. To download our Annual Penetration Testing Intelligence Report 2022, click here.