What happened when ImmuniWeb decided to scrape some open source data from public lists of cybersecurity conference attendees and check whether that data had been exposed on the dark web?
Well, 97% of them had some leaked data, and 25% of the data leaked was considered “high” or “critical” risk-level. The leaked data ranged from passwords and other credentials to open security vulnerabilities on their own websites. And how secure were those passwords and creds? 29% of passwords could be categorized as “weak”, and employees from 40% of the organizations that leaked data were found to be reusing credentials across multiple online resources.
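To make the two headline figures concrete, here is an added example (not ImmuniWeb's or GoVanguard's code) of how a defender would compute them over a leak dataset for their own organization: a weak-password share and the share of organizations with at least one employee whose password turns up in dumps from more than one site. The records, the deny-list and the weakness thresholds are all constructed assumptions for illustration; the e-mail domain stands in for the employer, as in the attendee-list analysis.

```python
import re
from collections import defaultdict

# Constructed sample of leaked records in the shape a breach-monitoring feed
# might return: (professional e-mail found in the dump, breached site, password
# as it appeared in the dump). Every value here is invented for this example.
LEAKED_RECORDS = [
    ("alice@example-sec.test",  "dating-site.test", "Tr0ub4dor&3x!"),
    ("alice@example-sec.test",  "forum.test",       "Tr0ub4dor&3x!"),  # reused across two sites
    ("bob@example-sec.test",    "webagency.test",   "password1"),
    ("carol@acme-defense.test", "cms-backup.test",  "C0rrect-Horse-Battery"),
    ("carol@acme-defense.test", "shop.test",        "Summer2019"),     # two sites, different passwords
    ("dave@acme-defense.test",  "shop.test",        "123456"),
    ("erin@third-org.test",     "supplier.test",    "L0ng&UniqueP@ssphrase42"),
]

# Hypothetical short deny-list; a real audit would use a large breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

# "Word followed by a short run of digits", e.g. Summer2019 or Company123.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}$")


def is_weak(password: str) -> bool:
    """Classify a password as weak under a few illustrative rules (assumed
    thresholds, not the report's): too short, on the deny-list, a single
    character class, or a dictionary word with a year/number suffix."""
    if len(password) < 10:
        return True
    if password.lower() in COMMON_PASSWORDS:
        return True
    if password.isdigit() or password.isalpha():
        return True
    if WORD_PLUS_DIGITS.match(password):
        return True
    return False


def organization(email: str) -> str:
    """Treat the e-mail domain as the employer (assumption used throughout)."""
    return email.rsplit("@", 1)[1].lower()


def analyze(records):
    """Compute the weak-password share over unique (account, password) pairs,
    and the share of organizations with at least one account whose identical
    password was seen in dumps from two or more distinct sites."""
    # email -> password -> set of sites where that exact password appeared
    by_account = defaultdict(lambda: defaultdict(set))
    for email, site, password in records:
        by_account[email.lower()][password].add(site)

    unique_credentials = 0
    weak_count = 0
    reusing_accounts = []
    for email, passwords in by_account.items():
        for password in passwords:
            unique_credentials += 1
            if is_weak(password):
                weak_count += 1
        # reuse = the same password seen in dumps from two or more distinct sites
        if any(len(sites) >= 2 for sites in passwords.values()):
            reusing_accounts.append(email)

    orgs = {organization(e) for e in by_account}
    orgs_with_reuse = sorted({organization(e) for e in reusing_accounts})
    return {
        "unique_credentials": unique_credentials,
        "weak_count": weak_count,
        "weak_share": weak_count / unique_credentials if unique_credentials else 0.0,
        "reusing_accounts": sorted(reusing_accounts),
        "orgs_total": len(orgs),
        "orgs_with_reuse": orgs_with_reuse,
        "org_reuse_share": len(orgs_with_reuse) / len(orgs) if orgs else 0.0,
    }


if __name__ == "__main__":
    result = analyze(LEAKED_RECORDS)
    print(f"weak passwords: {result['weak_count']}/{result['unique_credentials']}")
    print(f"organizations with credential reuse: {result['orgs_with_reuse']}")
```

Counting over unique (account, password) pairs rather than raw records keeps a password that leaked from several sites from being counted as several weak passwords, and the reuse test deliberately requires the identical password on distinct sites, so an employee with two different passwords in two dumps (carol above) is not flagged.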
So, what does this mean?
Well, it means that cybersecurity professionals across the board need to take their own advice more seriously, but it begs the question: why would professionals do so poorly with their own OPSEC?
Well, in practice, even security professionals can be lazy about some of the basic tenets of security – like using strong passwords – but most of the problems came from trusting third parties with little bits of important data, which allowed a snowball effect of critical leaks to hit the dark web.
Trusted Third Parties Could be the Root of the Problem
While a portion of the issues with the leaked data can be blamed on user error, a trend that became obvious as the data was processed was that trusted third parties were a major culprit in leaking data. Companies need to be able to outsource some of their duties, but how much work can be done to audit every single contractor?
The report reads:
“A considerable number of the incidents stem from silently breached trusted third parties, such as suppliers or other subcontractors of the cybersecurity companies, mostly represented by stolen website databases and backups. A large number of stolen credentials with plaintext passwords likewise come from incidents involving unrelated third parties including dating or even adult-oriented websites where victims were using their professional email addresses to sign in.”
While third-party vendors deserve blame for their own security being the source of the leaks to the dark web, the systemic blame falls back squarely on cybersecurity professionals who seem to be breaking simple rules in their own lives and causing great risk to their own companies and clientele. It is important to remember that all employees at all companies require some ongoing security awareness training. Security companies also have non-technical staff that manage marketing, human resources, accounting and more, so it’s important to remember that those staff may not have any knowledge of security best practices at all.
ImmuniWeb’s CEO states, “Frequently, cybersecurity companies have no time or budget to manage their web presence and outsource it to web agencies or even to individuals. Unsurprisingly, these third parties are considerably less knowledgeable about all the intricacies of application security and may unwittingly install a vulnerable plugin, or forget to update their CMS during weeks, or even months.”
GoVanguard recommends continuous security awareness training for all employees, along with due diligence on the security practices of vendors. Regular internal pentesting and a KnowBe4 training session are some simple best practices too, which is why we recommend them to our clients! The statistics about leaked data are atrocious, and we all need to do better as an industry.
Contact us to get started on the path to greater security!