Research Exposes Cybersecurity Industry’s Vulnerabilities On The Dark Web | Information Security Buzz

by KeyDutch. Posted on Sep 14, 2020


Global application security company ImmuniWeb has conducted research into the state of the global cybersecurity industry’s exposure on the Dark Web this year. Its findings show that 97% of leading cybersecurity companies have data leaks or other security incidents exposed on the Dark Web, and that on average over 4,000 stolen credentials and other items of sensitive data are exposed per cybersecurity company.

ImmuniWeb’s research shows that even the cybersecurity industry itself is not immune to such exposure.

Key findings of the research relating to the leading global cybersecurity companies’ exposure on the Dark Web included:

  • 97% of companies have data leaks and other security incidents exposed on the Dark Web.
  • 631,512 verified security incidents were found, with over 25% (or 160,529) of those classed as high or critical risk, containing highly sensitive information such as plaintext credentials or PII, including financial or similar data. Hence, on average, there are 1,586 stolen credentials and other items of sensitive data exposed per cybersecurity company. Over 1 million unverified incidents (1,027,395) were also discovered during ImmuniWeb’s research, and only 159,462 were estimated as low risk.
  • 29% of stolen passwords are weak, and employees from 162 companies reuse their passwords – the research revealed that 29% of stolen passwords are weak, having fewer than eight characters or lacking uppercase letters, numbers or other special characters, and that employees from 162 companies (around 40%) reuse identical passwords on different breached systems. This boosts the risk of password-reuse attacks by cybercriminals.
  • Professional emails were used on porn and adult dating sites – third-party breaches represented a considerable number of the incidents, as ImmuniWeb’s research found 5,121 credentials that had been stolen from hacked porn or adult dating websites.
  • 63% of websites of the cybersecurity companies do not comply with PCI DSS requirements – which means that they use vulnerable or outdated software (including JS libraries and frameworks), or have no Web Application Firewall (WAF) in blocking mode.
  • 48% of websites of the cybersecurity companies do not comply with GDPR requirements – because of vulnerable software, the absence of a conspicuously visible privacy policy, or a missing cookie disclaimer when cookies contain PII or traceable identifiers.
  • 91 companies had exploitable website security vulnerabilities, 26% of which are still unpatched – this finding came from ImmuniWeb referring to openly available data on the Open Bug Bounty project.
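As an added example (not part of the article or of ImmuniWeb’s tooling), the following Python applies the article’s weak-password criteria and the cross-breach reuse check from the findings above to a constructed set of leaked credential records; the record layout, breach labels and company domains are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape a Dark Web exposure scan might yield:
# (employee email, plaintext password, breach source). All values are made up.
LEAKED_RECORDS = [
    ("alice@acme-sec.example", "Summer2020!", "breach-A"),
    ("alice@acme-sec.example", "Summer2020!", "breach-B"),   # identical password, second breach
    ("bob@acme-sec.example", "password", "breach-A"),
    ("carol@bravo-sec.example", "Tr0ub4dor&3", "breach-C"),
    ("dave@bravo-sec.example", "abc123", "breach-A"),
    ("dave@bravo-sec.example", "abc123", "breach-A"),         # same breach twice: not cross-breach reuse
    ("erin@charlie-sec.example", "N0vember!", "breach-B"),
]


def is_weak(password: str) -> bool:
    """Weak by the article's criteria: fewer than eight characters, or missing
    an uppercase letter, a digit, or a special (non-alphanumeric) character."""
    if len(password) < 8:
        return True
    has_upper = re.search(r"[A-Z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return not (has_upper and has_digit and has_special)


def weak_password_share(records) -> float:
    """Fraction of leaked records whose password is weak (each record counts once)."""
    if not records:
        return 0.0
    weak = sum(1 for _, pw, _ in records if is_weak(pw))
    return weak / len(records)


def companies_with_reuse(records) -> set:
    """Company domains where an employee used the identical password in
    more than one distinct breach source."""
    sources_by_credential = defaultdict(set)  # (email, password) -> breach sources
    for email, pw, source in records:
        sources_by_credential[(email, pw)].add(source)
    return {
        email.split("@", 1)[1]
        for (email, _), sources in sources_by_credential.items()
        if len(sources) > 1
    }


if __name__ == "__main__":
    print(f"weak share: {weak_password_share(LEAKED_RECORDS):.1%}")
    print("companies with cross-breach reuse:", sorted(companies_with_reuse(LEAKED_RECORDS)))
```

Running the block on the sample reports a weak-password share of 42.9% (3 of 7 records) and flags only acme-sec.example for cross-breach reuse, since dave’s duplicate comes from a single breach.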

The research was run using ImmuniWeb’s free online Domain Security Test, which combines proprietary OSINT technology enhanced with Machine Learning, to discover and classify Dark Web exposure.

ImmuniWeb tested 398 leading cybersecurity companies headquartered in 26 countries, mostly the US and Europe. Cybersecurity companies in the US suffered the most high and critical risk incidents, followed by the UK and Canada, then Ireland, Japan, Germany, Israel, the Czech Republic, Russia and Slovakia.