Coalfire, a cybersecurity company, has just released its fifth annual Securealities Penetration Risk Report, shedding light on the evolving landscape of offensive security practices. Drawing insights from five years of penetration testing and vulnerability research, the report underscores the critical shift from traditional point-in-time testing to a threat-informed defense strategy that emphasizes adversarial-risk prioritization and continuous testing.
The extensive analysis conducted by Coalfire involved over 11,000 penetration tests and nearly 500,000 hours of testing, covering a wide array of areas, including web, cloud, API, wireless, network, IoT hardware, and mobile tests. The report delves into vertical industry trends across technology, financial services, healthcare, and retail, offering unique insights into major cloud service providers.
Key findings from the report include:
Cloud Security Fundamentals: Many organizations are migrating to the cloud without mastering essential cloud security basics. Security misconfiguration is identified as the top cloud risk, followed by injection and encryption issues.
Attack Surface Complexity: High-risk external vulnerabilities rose 7% in 2023, largely because organizations lack a clear view of their attack surface. Phishing and the exploitation of internet-facing systems are the primary techniques used to gain initial access.
Mobile App Risks: Mobile apps are emerging as a significant source of risk, with 88% of retail apps found to have weak-cryptography issues, potentially exposing millions of users to exploitation.
Human Factor: Social engineering remains a potent technique for attackers; Coalfire's penetration testers achieved 8% more successful human-element exploits than in the previous year.
Software Misconfiguration: Security misconfiguration tops the list of application security risks, followed by cryptographic failures, vulnerable components, identification/authentication issues, and injection vulnerabilities.
Sector-Specific Challenges: The retail industry leads in high-risk external vulnerabilities, while healthcare saw a 7% increase in high-risk findings after three years of decline. Social engineering remains a common vector for external attacks.
"By applying the fundamental principles of a threat-informed defense, we can effectively address the challenges revealed in the 2023 Penetration Risk Report," said Jon Baker, director of the Center for Threat-Informed Defense at MITRE Engenuity, and author of the report foreword. "In alliance with Coalfire, a benefactor in our global R&D program, we're uniting the world's top security teams to innovate solutions for today's cyber defenders. Together, we're driving open-source adversary emulation capabilities that are turning the tables on our adversaries, injecting uncertainty into their next move."