VULNERABILITY ASSESSMENT: FEELING VULNERABLE? YOU SHOULD BE.
CONTENTS
Feeling Vulnerable? You Should Be (p. 3-4)
Summary of Research (p. 5)
Did You Remember to Lock the Door? (p. 6)
Filling the Information Vacuum (p. 7)
Quantifying the Risks (p. 8)
Which Countries Are Most Vulnerable? (p. 9)
France: Highly Secure, But Least Examined (p. 10)
Germany: Forewarned Is Forearmed (p. 11)
Sweden: Not So Blissfully Unaware (p. 12)
Bridging the Vulnerability Gap (p. 13)
References (p. 14)
Feeling Vulnerable? You Should Be

The security breach at Sony's PlayStation Network is thought to be the largest data security leakage ever, and it was so damaging that its effects are still being felt today: in January 2013 the UK Information Commissioner's Office (ICO) fined Sony Computer Entertainment Europe £250,000 ($396,100) following what was described as a serious breach of the Data Protection Act. The ICO's report concluded that the attack could have been prevented if Sony's security had been up to date. After an infection of 10 of its servers, over 75 million of Sony PlayStation Network's global customer account details were stolen. Questions were raised in parliaments worldwide, lawsuits were launched and user access to the online network was blocked for over a month.

However, this was not an isolated incident. In 2012, Symantec technology scanned over 1.5 million websites as part of its Website Malware Scanning and Vulnerability Assessment services. Well over 130,000 URLs were scanned for malware each day, with 1 in 532 websites found to be infected with malware. Additionally, in assessing potentially exploitable vulnerabilities on websites, over 1,400 vulnerability scans were performed each day. Approximately 53 per cent of websites scanned were found to have unpatched, potentially exploitable vulnerabilities, of which 24 per cent were considered critical.

Clearly, vulnerabilities can be exploited, resulting in a significant and public security failure and a resultant loss of trust. According to recent Symantec research [1], similar vulnerabilities could exist inside your company; the problem is that most companies just don't know. Criminals are constantly looking for new vulnerabilities or weaknesses in websites and, as the Sony example shows, they often have high levels of success.
Malware infections or exploited vulnerabilities could significantly impact the safety of customer information. Before your business has time to react, your public-facing website could be infected and blacklisted by search engines, customer trust could be compromised, and the clean-up in the aftermath of an attack could wreak havoc with your brand. With today's increasingly smart malware infections and the consequent online data loss, your business must do more than simply react to website security issues.
Symantec surveyed 200 IT professionals in all sizes of business across four European countries to find out how much they know about their exposure to threats and what they are doing to improve that knowledge. Nearly a quarter admit they don't know how secure their websites are, and more than half of respondents admitted they have never carried out a website vulnerability assessment. While respondents generally ranked the likelihood of their websites suffering from specific vulnerabilities as low, Symantec's own experience is that more than 24% have critical vulnerabilities [2].

Malware infection, one of the biggest emerging security threats, often comes as a direct result of website vulnerabilities. According to Symantec's most recent Website Security Threat Report [3], 403 million unique types of malware were discovered in 2011, making it clear that if a website has a vulnerability it will be exploited.

Vulnerability assessments can fill the information vacuum, pointing not only to where vulnerabilities exist but also to the corrective action required to fix them. In addition, assessment is not a one-off exercise: the survey shows that organisations' confidence in their website security is higher among those who repeat assessments every month than among those who haven't repeated scans.

Not surprisingly, larger companies are more aware of the risks and more likely to conduct and regularly repeat vulnerability assessments. However, according to Symantec's 2013 Website Security Threat Report [4], it's a mistake to assume that only large companies are targeted by attacks; the report shows that a significant number of smaller companies (31%) are being pursued. Larger companies will naturally gravitate towards more in-depth assessments, but smaller companies also clearly need a better picture not only of their overall exposure but also of the specific risks they face.
There were 5,291 vulnerabilities reported in 2012, compared with 4,989 vulnerabilities reported in 2011.
Summary of Research [5]

Nearly a quarter of IT managers don't know how secure their website is:
  Not secure: 2%
  Reasonably secure: 27%
  Very secure: 33%
  Totally secure: 15%
  Don't know: 23%

Those who conduct regular vulnerability assessments have much better visibility into their website security:
  How often do you repeat assessments? | Not Secure | Reasonably Secure | Very Secure | Totally Secure | Don't Know
  Every month                          | 0%         | 30%               | 52%         | 14%            | 4%
  Not at all                           | 0%         | 36%               | 27%         | 14%            | 27%
Did You Remember To Lock the Door?

Website security has never been more important, yet companies across Northern Europe appear to have a huge gap in their understanding, and a critical exposure to possible security breaches.

More than half have never conducted a vulnerability assessment on their website. When did you last conduct one?
  Last assessment      | UK  | FR  | SE  | DE
  Never                | 53% | 64% | 56% | 42%
  In the last year     | 16% | 8%  | 22% | 12%
  In the last 6 months | 16% | 14% | 10% | 26%
  In the last month    | 15% | 14% | 12% | 20%

In our survey of 200 IT managers, nearly a quarter (23%) admit they simply don't know how secure their website is. Among smaller companies with employees, this figure rose to 30%: nearly a third of SMEs have no insight into their website security. While only 2% admit to any vulnerabilities and a third (33%) assume their websites to be very secure, only 15% overall say they are totally secure. Only half of respondents (48%) rank their website very or totally secure, compared to nearly three quarters (74%) in the US.

Without a better understanding of vulnerabilities, it's difficult to say what the impact of security gaps is. But with malicious attacks skyrocketing by 81% in , it's fair to assume vulnerabilities will lead to attacks.

Only 19 companies in the survey admitted to internet security breaches in the past six months, although three of these reported a major impact from the breach. However, the majority of internet security breaches go unreported or undetected, so it may be that cybercrime is happening without companies knowing. Similarly, without some information on what a website's vulnerabilities are, it's impossible to understand the seriousness of the threat and the risks an organisation faces.

Assuming that a company website is secure is a dangerous game. Symantec's own research from carrying out its free vulnerability assessments shows that around a quarter of company websites suffer from critical vulnerabilities [7]. For smaller companies, assuming that the bigger brands will be the target of attacks is wrong: 17.8% of attacks are targeted at companies with fewer than 250 employees, as cybercriminals go after smaller companies where their activities are less likely to be detected [8]. What we can certainly say is that without a substantive approach to layered security, websites are open to attack.
Filling the Information Vacuum

Regular vulnerability assessments are the means by which organisations fill the gaps in their understanding of website security. More than half of respondents (53%) have never conducted a vulnerability assessment, perhaps because of low awareness of the growing problem of malware. 15% of respondents have conducted a vulnerability assessment in the last month, 16% in the last six months and 16% in the last year.

The majority of those who have conducted assessments tend to repeat the exercise. 52% of respondents who conducted assessments repeated the exercise in the last 12 months, and a quarter say they repeat them regularly. Larger companies are more likely to have conducted an assessment recently (21%), although far more medium-sized companies (with employees) have never conducted an assessment (67%). Likewise, of those who have conducted assessments, larger companies are more likely to repeat the exercise, with 37% of the 30 companies repeating them every month.

There's very low adoption of automated scanning for vulnerability assessment, perhaps because, in the case of the complimentary Symantec service, it has only recently launched. Just 6% of those who have conducted an assessment used this method, while half (50%) used a third party and 44% did an internal assessment.

The impact of conducting vulnerability assessments is clear. More than a quarter (27%) of those who never conducted assessments admit they simply don't know how secure their website is, compared to 23% overall. Conversely, those who have conducted assessments have greater confidence in their website security: only 4% of this group don't know how secure their website is. Arming yourself with information about website vulnerabilities is of course just the first step, but in itself it may make you more aware of the risks you are prepared to take.
A high number of those who conduct assessments regularly say their websites are very secure (52%), and nearly a third of this group (30%) say they are reasonably secure.

When did you last conduct a vulnerability assessment on your website and what were your findings?
  How often do you repeat assessments? | Not Secure | Reasonably Secure | Very Secure | Totally Secure | Don't Know
  Every month                          | 0%         | 30%               | 52%         | 14%            | 4%
  Not at all                           | 0%         | 36%               | 27%         | 14%            | 27%
Quantifying the Risks

In an information vacuum, it's hardly surprising that IT managers rate their likelihood of suffering various vulnerabilities as low. With over half of respondents never having conducted vulnerability assessments, they can only guess at the likelihood of their websites suffering from different vulnerabilities. Nonetheless, there was a big difference between respondents' expectations about the vulnerabilities their websites might have and Symantec data on the vulnerabilities that websites typically suffer from.

In order, the most likely vulnerabilities as rated by our respondents were:
  Brute force attack (20%)
  Authorisation vulnerabilities (19%)
  Information leakage (15%)
  Cross-site request forgery (15%)
  Content spoofing (14%)
  Cross-site scripting (13%)

Authorisation vulnerabilities were ranked likely or most likely by just 19%, but this was the most common breach that actually occurred according to our survey, with 6 respondents citing it as the most serious breach they had experienced in the last six months. Discrepancies between the expectations of respondents and what is happening in reality further highlight the vulnerability knowledge gap. Organisations need to get a better grip on the risks they face. Without a better grasp of their actual exposure to risks, they cannot act to improve their website security.

Chart: "Please rate the likelihood that your website suffers from cross-site scripting?" (scale from least likely to most likely, plus don't know; values shown: 37%, 18%, 9%, 4%, with 32% answering don't know).

Cross-site scripting, the least likely vulnerability according to our survey, is one of the most likely according to Symantec's own research. Nearly a third (32%) of respondents admit they don't know if they might have this vulnerability.

Information leakage is also rated as a low likelihood. Nearly half (49%) say it's unlikely they suffer from this vulnerability, while in reality data breaches are an increasingly common occurrence. The aforementioned Sony PlayStation breach is clear evidence of this.

Our survey rates brute force attacks the most likely vulnerability (20% rate it likely or most likely), with respondents imagining that physical infrastructure weakness outweighs virtual risks.
Which Countries Are Most Vulnerable?

UK: Secure, or Not Sure?

Many UK organisations think that their websites are relatively secure and that they don't suffer from vulnerabilities, but half of the respondents to our survey don't conduct vulnerability assessments, so it's difficult to see where their confidence comes from.

UK organisations are average in their ranking of their website security, with 48% ranking them very or totally secure, exactly the same percentage as the average across all four countries. Around the same as the average (24%) also answered don't know when asked how secure they considered their website to be. However, a higher number than average, and the highest number out of all the markets surveyed (20%), considered their websites to be totally secure.

The UK rates the likelihood of having each of the vulnerabilities lowest of all the countries: in three of the six categories (see the list of categories under Quantifying the Risks), more organisations in the UK than in any other country ranked themselves least likely to have a vulnerability, and in the other three they had the second most organisations ranking themselves least likely. The UK also has a higher number of organisations than other countries in three categories admitting they don't know whether they have specific vulnerabilities. Cross-site scripting is a good example, where 40% say they are least likely to suffer from this vulnerability, while 48% say they don't know.

The UK is split between those who do and do not conduct vulnerability assessments and has more than the average who repeated assessments in the last 12 months (56%); it also reports the lowest number of breaches. Clearly, organisations in the UK are polarised between those who conduct assessments regularly, patch any holes they find and consider themselves highly secure, and those who don't conduct assessments and aren't sure what their exposure is.
A fifth of UK companies consider their website to be totally secure:
  Not secure: 0%
  Reasonably secure: 28%
  Very secure: 28%
  Totally secure: 20%
  Don't know: 24%
France: Highly Secure, But Least Examined

On first inspection, French organisations appear confident in their website security. However, on further examination they admit they don't really know about specific vulnerabilities, as more than the average don't conduct vulnerability assessments.

A high number of French organisations consider their websites to be very secure:
  Rating                  | FR  | Average
  Very secure             | 42% | 33%
  Very or totally secure  | 52% | 48%
  Don't know              | 8%  | 23%

A high number of French organisations consider their websites to be very secure (42% versus an average of 33%), and a higher than average number are in the upper quartile of very/totally secure (52% versus an average of 48%). Only a very small number (8% versus an average of 23%) said they don't know how secure their websites are.

However, French organisations have the highest likelihood scores across five out of six categories of vulnerability and were the least confident in vulnerability scores of the four countries surveyed. Their top risks were cross-site request forgery (where 34% of organisations ranked themselves likely or most likely to suffer from the vulnerability), brute force attacks (32%) and authorisation vulnerabilities (28%). Low numbers in every category said they don't know how likely their websites are to suffer the vulnerability: 8% or less in every category, versus average percentages across all four countries of around 30%.

France had the highest number of respondents, nearly two thirds (64%), who have never conducted a vulnerability assessment, but among those who have conducted an assessment the country has the second highest number (44%) using internal assessments. 39% of the organisations that did conduct assessments repeated them every month. French organisations need to arm themselves with more data on the specific vulnerabilities their websites suffer from.
When questioned, higher numbers than in other countries fear that they have problems; assessments will either help quantify those fears or help back up the assumption that website security is strong in France.
Germany: Forewarned is Forearmed

Germany stands out as the country with the most activity on vulnerability assessments, as well as the best-informed picture of how secure its websites really are. German companies have conducted the most assessments in the last month and six months, and have the fewest who have never conducted an assessment.

How German companies conduct their assessments:
  We use 3rd party assessments: 38%
  We use internal assessments: 69%
  We use automated scans: 3%
  Other: 14%

Germany has the highest proportion of respondents who consider their websites very secure, and more than the average who admit they don't know. 44% of the 50 organisations surveyed think their websites are very secure, rising to 56% when combined with those rating them totally secure. However, a relatively high 28% admit to not knowing how secure their websites are, compared to the average of 23%.

German companies have fairly high likelihood scores across several vulnerability categories but also higher numbers who replied don't know. In three of the six categories (cross-site scripting, information leakage and authorisation vulnerabilities) they have the highest number of organisations who rank themselves likely or most likely to suffer from the vulnerability. However, in another category, cross-site request forgery, a massive 60% admit they don't know whether their websites might suffer from the problem.

Generally, though, Germany shows a high level of awareness of the risks, and this is no surprise: it has the largest number of organisations who have conducted vulnerability assessments in the last month (20%) and the last six months (26%), and also the lowest number of companies who have never conducted an assessment compared to other markets (42%). That leaves a total of 58% of German respondents who have conducted assessments within the past year, compared to an average across all four countries of 47%. Assessments are mostly carried out internally, with a massive 69% internal versus the average of 44%.
German organisations also own up to a higher number of breaches (16%, 8 respondents) than any other country. This is generally a better informed and more prepared country than others in Northern Europe. The remaining organisations who have not conducted assessments now need to catch up with their peers.
Sweden: Not So Blissfully Unaware

In contrast to Germany, where organisations appear well-informed, Swedish organisations own up to a poor understanding of the risks their websites are running.

Swedish organisations score themselves lower than any other country for websites that are very or totally secure (38%). They fall 10 percentage points below the overall average for websites in this upper quartile. Moreover, 32% say they don't know how secure their websites are, compared to an average across all four countries of 23%.

This lack of information carries across into the question on specific vulnerabilities, where Swedish organisations have some of the highest don't know scores across all the vulnerabilities. In three of the six categories (information leakage, content spoofing and authorisation vulnerabilities) they have the highest number of organisations that admit they don't know whether they suffer from vulnerabilities. At the same time, their likelihood scores for all vulnerabilities are fairly low, with information leakage ranked highest with a 16% very/most likely rating.

The lack of information can hardly come as a surprise: only 22% had conducted a vulnerability assessment in the last month or six months, the lowest number in any of the four countries. A higher than average 56% had never conducted an assessment. Of those who did conduct assessments, nearly a third (32% versus an average of 23%) never repeated the exercise.

Without information, Swedish companies cannot quantify their exposure or act on the specific risks they face. Some simple steps, such as automated scanning, can set them on the right path to filling in the gaps.

Only 22% of Swedish companies had conducted a vulnerability assessment in the past month or six months:
  In the last month: 12%
  In the last 6 months: 10%
  In the last year: 22%
  Never: 56%
Bridging the Vulnerability Gap

Our survey of 200 organisations across Northern Europe has identified a serious lack of information about website security and the vulnerabilities that websites could be suffering from. But what's the impact of this gap in knowledge around vulnerabilities? And how can organisations go about filling the gap?

While there were a low number of respondents to our survey admitting to security breaches, and incomplete data on the type of breaches, several of those who did suffer breaches admit they have had a major impact. 9% of organisations overall (19 organisations) say they have suffered a breach in the last six months. Larger organisations were much more likely to admit to having suffered a breach in the last six months: more than a fifth (21%) of the 58 companies with more than 1,000 employees admitted that they had been breached.

The lack of data on breaches is not a surprise, as most website security breaches go unreported or unnoticed. With legitimate websites infected with malware, a growing problem on the web, cybercriminals could be infecting sites, siphoning off user details, or even conducting fraudulent transactions without organisations ever knowing. Symantec's Website Security Threat Report identified that 61% of malicious sites are actually genuine websites that have been compromised and infected with malicious code.

The most serious breaches identified by our respondents were authorisation vulnerabilities, followed by intrusion, then content spoofing. But six organisations did not want to share the nature of their most serious breach.

So how can you determine whether your website has been compromised, or is suffering from critical vulnerabilities that could lead to it being compromised?
If you don't have the budget or the inclination to go through a full internal or third-party assessment of your website's vulnerabilities, an automated remote scan is a good starting point in the vulnerability discovery process. In Symantec's case, it comes free with the purchase of most SSL certificates [9]. The scan can determine the existence of critical vulnerabilities that allow cybercriminals to access sites, insert malware and access confidential customer data. The scan will also provide an actionable threat report pointing to simple remedial measures such as upgrading software or security, or improving user education or guidelines.
References
1. All information contained in this report comes from IDG Connect research, conducted in October 2012 on behalf of Symantec, of 200 IT professionals across four European territories: UK, France, Germany and Sweden.
2. See Symantec's Internet Security Threat Report.
3/4/5. Symantec Website Security Threat Report. Download the Website Threat Report PT1: Download the Website Threat Report PT2:
6. All information contained in this report comes from IDG Connect research, conducted in October 2012 on behalf of Symantec, of 200 IT professionals across four European territories: UK, France, Germany and Sweden.
7. Between October 2011 and the end of the year, Symantec identified that 35.8% of websites had at least one vulnerability and 25.3% had at least one critical vulnerability. Symantec Internet Security Threat Report, as above.
8. Symantec Internet Security Threat Report, as above.
9. Symantec offers free vulnerability assessments to Extended Validation Secure Sockets Layer (EV SSL), Secure Site Pro and Secure Site Pro certificate customers. All Symantec SSL certificates and Secured Seal products offer a free daily malware scan.