The Top 5 Third-Party Cyber Gaps of 2018

By Giora Omer, Dec 19, 2018

As the end of the year approaches, we at Panorays wanted to share what we found to be the top five vendor security cyber gaps in 2018.

The Fab Five

Panorays has the unique ability to evaluate the cyber posture of a large number of third parties from numerous industries over long periods of time. In our evaluation of over 2,000 suppliers, we extracted the findings that appeared in a large percentage of the companies and omitted obvious low-risk findings that recur in all companies (e.g. HTTP headers). We focused on the top five cyber gaps that may have a real effect on the resilience of the vendors, and thus the organizations themselves.

And now for the list!

Top five cyber gaps

5. Open port with high-risk service

Despite the frequent news of breaches originating from publicly accessible databases (Mongo, Elastic), we identified 13% of the vendors as having high-risk services open to the world. Not surprisingly, the “Computer Software” industry leads the pack with 19%. This can be attributed to the heavy adoption of new technologies and a growth-over-security mindset.


4. Not using HTTPS for significant web assets

You don’t see many critical sites that still allow unencrypted HTTP traffic, but apparently there are still sites that don’t support HTTPS at all. In fact, 13% of the vendors had significant web assets (for example, sites with login forms) with no HTTPS support whatsoever. The insurance industry has a much higher percentage of 26%. This could be because these companies maintain older assets that haven’t been brought up to date with security standards.


3. Significant web assets not protected by Web Application Firewall

Websites and apps are targeted by a wide range of attacks—from scraping and DDoS to injections and cross-site scripting. Web Application Firewalls (WAFs) have become a must-have for basic protection. The high price, complexity and intrusiveness of a WAF can explain why 32% of vendors choose to try their luck without one.


2. Untrusted certificate for significant web assets

Companies leave around assets with untrusted certificates like socks on the living room floor. These could be self-signed, expired or invalid certificates. The fact is they are not performing their authentication duties. Over 80% of vendors have assets with untrusted certificates, meaning they don’t see this as a high priority issue—probably because these are unused or unofficial assets. However, often these are the entry points hackers are looking for: unmonitored and unpatched servers inside the organizational network.
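As an added example (not Panorays’ code or tooling) of how a scanner sorts a vendor’s TLS endpoints into the classes named above, the Go snippet below uses the standard-library verifier on self-minted sample certificates; the hostname, certificates and the empty trust store are constructed for the demo, and anything that is neither self-signed nor expired (such as a hostname mismatch) lands in the catch-all "invalid" class.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // demo-only error handling
// mintCert returns a constructed self-signed certificate for host (demo data, not a real vendor's).
func mintCert(host string, notBefore, notAfter time.Time) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// ClassifyCert returns "" when leaf chains to roots for host at time now, otherwise the untrusted
// class from the post: "self-signed" (no trusted issuer), "expired", or "invalid" (e.g. name mismatch).
func ClassifyCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return ""
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &unknown):
		return "self-signed"
	}
	return "invalid"
}

func main() {
	now, host := time.Now(), "portal.vendor.example" // constructed hostname
	good := mintCert(host, now.Add(-time.Hour), now.Add(24*time.Hour))
	trusted := x509.NewCertPool() // stands in for the scanner's trust store
	trusted.AddCert(good)
	fmt.Println(ClassifyCert(good, trusted, host, now), ClassifyCert(good, x509.NewCertPool(), host, now))
}
```

Passing a fixed `now` instead of `time.Now()` makes an expired asset reproducible in a test, which is how a continuous-monitoring job would catch the certificate the day it lapses rather than when a user complains.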


1. Unpatched technology with known high severity vulnerabilities

We finally reached the most common cyber gap in third parties for 2018: unpatched technologies. Not only are these products outdated, but the versions in use have known vulnerabilities, with exploits available to anyone.

On the other hand, anyone who has had to manage patching in a production environment can understand why 92% of the companies are affected by technologies with known high-severity vulnerabilities.

This is also an opportunity to give a negative shout-out to the telecommunications industry, which performed below average in all five cyber gaps. Let’s hope they do better next year.

Conclusion

While these are the most common cyber gaps we discovered, many more exist. Improving third parties’ cyber posture requires identifying attack surfaces, continuous monitoring and staying updated about industry best practices. An effective third-party management solution that implements these processes can make all the difference.

We look forward to a more secure 2019!

Giora Omer

Chief Architect and winner of the annual office basketball competition at Panorays. He has over 20 years experience in software, platform and security engineering (with a short hiatus for a degree in film).
