Skip to main content

Report shows the threat of supply chain vulnerabilities from third-party products

Web Hosting & Remote IT Support

  • CyCognito report shows the risks posed by supply chain vulnerabilities
  • Third-party products are putting businesses at risk with undetected vulnerabilities
  • Web servers, cryptographic protocols, and web interfaces suffer the most

Critical vulnerabilities often go unnoticed in many digital systems, exposing businesses to significant security risks, new research has claimed.

With organizations increasingly reliant on third-party software and complex supply chains, cyber threats are no longer confined to internal assets alone, as many of the most dangerous vulnerabilities come from external sources.

The 2024 State of External Exposure Management Report from CyCognito provides an analysis of the risks organizations face today, particularly around web servers, cryptographic protocols, and PII-handling web interfaces.

Supply chain risk remains a growing concern

Third-party vendors play a crucial role in the operations of many companies, providing essential hardware and software. However, their involvement may introduce significant risks, particularly concerning misconfigurations and vulnerabilities in the entire supply chain.

Many of the most severe vulnerabilities like MOVEit Transfer flaw, Apache Log4J, and Polyfill were revealed to have links to third-party software.

Web servers are consistently among the most vulnerable assets in an organization’s IT infrastructure. CyCognito’s findings reveal web server environments account for one in three (34%) of all severe issues across surveyed assets. Platforms such as Apache, NGINX, Microsoft IIS, and Google Web Server are at the center of these concerns, hosting more severe issues than 54 other environments combined.

Beyond web servers, vulnerabilities in cryptographic protocols like TLS (Transport Layer Security) and HTTPS are also driving concern. The report indicates that 15% of all severe issues on the attack surface affect platforms using TLS or HTTPS protocols. Web applications that lack proper encryption are especially at risk, ranking #2 on the OWASP Top 10 list of security risks.

CyCognito's report also hightlighted the insufficiency of Web Application Firewall (WAF) protections, especially for web interfaces handling personally identifiable information (PII).

The report shows only half of surveyed web interfaces that process PII were protected by a WAF, leaving sensitive information vulnerable to attacks. Even more concerning is the fact that 60% of the interfaces that expose PII also lack WAF protection.

Unfortunately, outdated approaches to vulnerability management often leaves assets exposed, amplifying the risks. Organizations must adopt a more proactive and comprehensive approach to managing external exposures.

You might also like



via Hosting & Support

Comments

Popular posts from this blog

The Samsung Galaxy Ring could go into production as soon as next month

Web Hosting & Remote IT Support With the dust beginning to settle from the huge Samsung Unpacked 2023 event, we can turn our attention towards what Samsung might have planned next: and a smart ring seems to be in the company's near future. As per a report from South Korean outlet The Elec (via SamMobile ), mass production on a Samsung Galaxy Ring could begin as early as August, with a decision imminent on the schedule for getting the wearable manufactured and out to consumers. A full launch is slated for some point during 2024 though, rather than 2023. The nature of the device means that it'll need to clear several regulatory hurdles before it can go on sale and start tracking various vital statistics. An early 2024 launch would put the Galaxy Ring on a similar schedule to the Samsung Galaxy S24 – and it would therefore make sense to launch both gadgets at the same time, perhaps in January or February if Samsung follows its 2023 routine. The story so far Rumors ar...

The Apple Watch ban is lifted, on appeal – but the reprieve might only be temporary

Web Hosting & Remote IT Support The Apple Watch ban story has developed quickly over the last week and a bit, and there's now a new twist: the US Court of Appeals is putting a pause on the US sales and import ban while it reviews the case, which means the Apple Watch 9 and Apple Watch Ultra 2 can go back on sale for the time being. "We are thrilled to return the full Apple Watch lineup to customers in time for the new year," an Apple spokesperson told TechRadar. "We are pleased the US Court of Appeals for the Federal Circuit has stayed the exclusion order while it considers our request to stay the order pending our full appeal." The watches in question are now once again available from "select" Apple Stores, and will also be going on sale from the Apple website from 12pm PT / 3pm ET on Thursday, December 28 (that's 8pm in the UK, and early on December 29 in Australia). All Apple Stores should have stock by the weekend. As for how long t...

These mobile games are just trying to steal your crypto hoard, FBI warns

Web Hosting & Remote IT Support The FBI has warned consumers about a newly-detected, fake "play-to-earn" mobile and online game that tricks victims into depositing cryptocurrency, only to later steal it.  In a public service announcement , the FBI said the elaborate scheme sees scammers first contact the potential victim and try to build a relationship with them.  After a little back-and-forth, the scammers would invite the victim to play an online or mobile game, in which players purportedly earn cryptocurrency rewards in exchange for some activity, “such as growing ‘crops’ on an animated farm” the FBI said.  Depositing cryptos But getting into the “game” isn’t free - the victims must first create a cryptocurrency wallet and deposit some money, which is where the real scam begins. The fraudsters would later also tell the victims that the more funds they deposit, the higher the gains will be. However, as soon as the victim stops depositing additional funds, the...