
Adam Bannister was Editor of IFSEC Global from 2014 through to November 2019. Adam is also a former Managing Editor at Dynamis Online Media Group.

"THE ACHILLES’ HEEL OF MODERN COMPANIES"

WATCH: 98% of FT 500 companies fall short on web app firewalls

The shadow, legacy and abandoned IT assets of the world’s biggest organisations pose a serious security risk, research by cybersecurity firm High-Tech Bridge has revealed.

The Geneva-based company examined the external web and mobile applications of FT 500 organisations in Europe and the US.

We’ve outlined some key findings of the research – also set out in a blog post on the High-Tech Bridge website – in a short video below.

When it comes to grasping where vulnerabilities lie in the sprawling, diverse infrastructure of blue-chip organisations, a famous quote from Donald Rumsfeld, then US Secretary of Defense, is instructive: “There are known knowns [which are] things we know we know [and] known unknowns [which are] things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know […] the latter category [tends] to be the difficult ones.”

Shadow, legacy and abandoned IT assets can usually be characterised as ‘known unknowns’ or ‘unknown unknowns’. But Gartner says that 99% of vulnerabilities exploited by the end of 2020 will be known to security and IT professionals at the time of the incident.

Shadow IT assets are defined by High-Tech Bridge as those built without proper coordination with the organisation’s central management and IT/security personnel. An example might be a cloud-based file-sharing service holding current deals and contracts, used by sales teams.

Legacy IT assets are long-established systems whose maintenance has become neglected, usually because of complexity, human factors or lack of resource. Sometimes engineers leave the company without transferring code and relevant knowledge. An example might be a module in a core e-banking system containing client data.

Abandoned IT assets have been forgotten, abandoned or lost. An example might be a pre-production test version of an ERP system with real customers’ data.

Among the insights revealed by the research:

92% of external web applications have exploitable security flaws or weaknesses

Every single company studied has some non-compliance issues around GDPR

19% have unprotected external cloud storage

45.1% of US systems and 28.9% of EU systems have invalid SSL certificates, because of an untrusted Certificate Authority (CA), expiration, or issuance for a different domain name

221 US companies have 1,232 vulnerability submissions on Open Bug Bounty, 38% of which are not patched. Some 162 EU companies have 625 reports, of which 415 vulnerabilities have been patched, leaving 34% still unpatched

“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today,” said Ilia Kolochenko, CEO and founder, High-Tech Bridge. “Large organisations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.

“On the other side, cybercriminals are well organised and very proactive. As soon as a new vulnerability is discovered in a popular CMS – they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance. Some hacking teams and cybercrime gangs will even patch your web application just after the breach – to preclude others from getting in. Therefore, if you don’t patch your web applications – bad guys will do this for you.”

“While web applications remain the Achilles’ heel of modern companies and organisations, lawmakers frequently make their lives even more complicated. For example, with GDPR, many organisations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed, enforced or implemented.”

High-Tech Bridge recently launched an AI-based version of ImmuniWeb Discovery, which helps companies discover their external applications and assess and prioritise risks and threats.


