Misconfiguration of accounts stand for 82% of Security Vulnerabilities

Organisations in the UK and Netherlands are more exposed to high-risk vulnerabilities than any others in Europe, with misconfiguration a major challenge, according to new data from Outpost24.

The security provider analysed vulnerability data collected from over two million assets across 10 markets, over a 12-month period to November 2019. It looked at various parameters across this data including OWASP Top 10 and CWE weakness information.

It found that in the Netherlands, 50% of the vulnerabilities discovered were classified as high-risk, versus 43% in the UK. These were significantly higher than most other countries, aside from Brazil (47%).

Japan had the lowest number of high-risk vulnerabilities at less than 10%.

Unfortunately, organisations are giving attackers a helping hand by failing to mitigate these risks swiftly. The average time to patch is 105 days, while the average time for a bug to be identified and exploited has dropped to just 15 days.

“This leaves a window of almost three months for hackers to exploit vulnerabilities when they are left unpatched,” warned vulnerability research manager, Srinivasan Jayaraman.

According to the research, a whopping 82% of vulnerabilities analysed were due to misconfiguration in areas like firewalls and passwords; categorized as CWE-16.

“CWE-16 weaknesses can be introduced due to weak/default passwords, deprecated protocols, open public database instance or if the file system is exposed and not encrypted,” explained Jayaraman.

“This highlights the importance of having fundamental security configurations in place to cover your networks, applications and cloud. If this is ignored by security teams you leave yourself open to hackers and its critical to prioritise checking for misconfiguration and implementing continuous monitoring.”

In addition, misconfiguration was reported in 86% of web applications assessed in the report against the OWASP Top 10.