2020 Threats & Vulnerabilities Retrospective

RESEARCH PAPERS

Kevin Sesock

3/23/2021, 10 min read


Executive Summary

As with all things cybersecurity, there is significant disagreement on the threats and vulnerabilities any organization will face. In any given year, industry hype and the fear of new attack types, driven by buzz and industry news, overshadow the most common vulnerabilities and the threats that exploit them, potentially drawing attention away from critical risk management controls. Risk management practice must still be followed, weighing both the severity and the likelihood of a risk. Oftentimes, the severity of new threats draws more attention in media outlets, while the likelihood of a much more mundane threat makes it a far more pressing risk for most organizations. Among vulnerabilities, mobile devices top the list of technical and personal vulnerabilities, while organizations facing digital change, new technology, and rapidly evolving needs create the most vulnerabilities overall. From a threat standpoint, ransomware, malware, hacking, and phishing have been overtaken by web and web application attacks, in the form of formjacking and attacks on poorly secured cloud servers.

Introduction

A number of the studies were based on actual attacks or attempted attacks, illustrating specific threats against discrete vulnerabilities, while several of the studies were based on survey responses from business and organizational leadership. Across these studies there is significant disagreement on the exact rankings, illustrating that no business leader knows exactly where the threat will come from, only that it is coming. A number of new threats came from more media-driven sources, illustrating the constant hype around critical hacks and the fear, uncertainty, and doubt it produces. One such study even calls this out, clearly articulating that survey respondents are not worried about previous attacks, but only about newer, more sophisticated attacks, and drawing attention to the fact that “although 56% of respondents said they are worried about the prospect of an attack involving IoT or OT assets in 2019, less than a quarter of respondents (23%) said they have experienced such an attack in the past 24 months.”[1]

One critical point to understand regarding any analysis of top 5 threats and vulnerabilities is that, with cybersecurity defense maturing in all industries and across all functional areas within individual organizations, there is no single answer as to the top threats and vulnerabilities. HR departments will have specific threats and vulnerabilities related to policies, procedures, training, and protecting against insider threats that differ greatly from those of application development departments. Likewise, oil and gas companies will need to concentrate more on APTs and industrial control systems than hospitals, government entities, or small and medium businesses. There is no single source of truth that will address the needs of every functional area within every type of organization; instead, it is imperative that CISOs and other executive leadership of every organization instill a culture of security and risk management, inculcating awareness and mitigation tasks in every individual. This way, each department or functional area can evaluate its more specific risks within a larger framework, as all areas of the organization work towards the common goal of being cybersecure.

However, with all of this being said, there is significant commonality amongst all organization types and functional areas, and the top 5 threats and vulnerabilities can be grouped together to form a general, best-practice framework against the most common and/or most severe categories of each, providing an organization with a very high-level, 30,000-foot view of its cybersecurity posture and attack surface. This can provide the necessary strategic-level plan that can then be refined for different functional areas within different industries to address specific problems at the tactical and operational levels. Particularly with regard to specific vulnerabilities, our list will be somewhat broad and encompassing (mobile devices or specific platforms), as opposed to calling out specific vulnerabilities (such as referring to a CVE number for Android devices, for example).

Methodology

The table below presents a high-level, rough meta-analysis (a survey of surveys) of data provided by multiple sources ranking cybersecurity threats and vulnerabilities, primarily in 2019 (though in some cases the surveys presented data collected largely or solely in 2018). Because of the varied nature of the rankings, the rankings in the table have been adjusted to fit our structure. Care has been taken to treat the individual results as fairly as possible, but in some cases a survey's or article's rankings were not clear. In those cases, the data provided in the survey or article was analyzed to determine a de facto ranking; in other cases, adjustments were made based on language describing the most critical to least critical threats or vulnerabilities. Rankings are provided from 1 (highest criticality) to 5 (lowest criticality) and beyond.

In other cases, a survey or article would indicate a highly specific threat or vulnerability; these were generally matched to a broader category based on the more commonly described threats or vulnerabilities from other sources. Where a survey or article had multiple items that fit into a single category, the highest-criticality rank (closest to 1) was chosen. Finally, if no match was found and the survey held the sole mention of a threat or vulnerability, the item was considered an outlier and was discarded; only threats and vulnerabilities with at least two mentions were kept. The rankings were then averaged (arithmetic mean), with the mean for each threat and vulnerability used to produce our meta-ranking. The 5 top-ranked threats and vulnerabilities are provided below.
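The ranking procedure described above, carried out in code as an added worked example (not part of the original paper); the source rankings and the category map are constructed sample data, not the paper's figures.

```python
from statistics import mean

# Constructed sample data (not from the paper): each source's raw ranking,
# 1 = most critical, using the item names that source reported.
SOURCE_RANKINGS = {
    "source_A": {"Android CVEs": 1, "iOS CVEs": 3, "Phishing": 2, "Flash exploits": 4},
    "source_B": {"Mobile malware": 2, "Ransomware": 1, "Office macros": 3, "Zero-days": 5},
    "source_C": {"Lost or stolen phones": 1, "Ransomware": 2, "Cloud misconfiguration": 3},
}

# Mapping from each source's specific wording to the broad categories used here.
CATEGORY_MAP = {
    "Android CVEs": "Mobile devices",
    "iOS CVEs": "Mobile devices",
    "Mobile malware": "Mobile devices",
    "Lost or stolen phones": "Mobile devices",
    "Flash exploits": "Laptops/PCs, OS, and Office software",
    "Office macros": "Laptops/PCs, OS, and Office software",
    "Phishing": "Phishing",
    "Ransomware": "Ransomware/Malware",
    "Cloud misconfiguration": "Cloud and server vulnerabilities",
}


def collapse_source(ranking, category_map):
    """Map one source's items to categories; when several items land in the
    same category, keep the most critical rank (closest to 1)."""
    collapsed = {}
    for item, rank in ranking.items():
        category = category_map.get(item, item)  # unmapped items stay as themselves
        collapsed[category] = min(rank, collapsed.get(category, rank))
    return collapsed


def meta_rank(sources, category_map, min_mentions=2):
    """Average each category's rank across sources (arithmetic mean) and drop
    categories mentioned by fewer than min_mentions sources (the outliers).
    Returns [(category, mean_rank, mentions)] from most to least critical."""
    ranks_by_category = {}
    for ranking in sources.values():
        for category, rank in collapse_source(ranking, category_map).items():
            ranks_by_category.setdefault(category, []).append(rank)
    results = [
        (category, mean(ranks), len(ranks))
        for category, ranks in ranks_by_category.items()
        if len(ranks) >= min_mentions
    ]
    # Lower mean = higher criticality; ties broken by mention count, then name.
    results.sort(key=lambda r: (r[1], -r[2], r[0]))
    return results


if __name__ == "__main__":
    for position, (category, avg, mentions) in enumerate(meta_rank(SOURCE_RANKINGS, CATEGORY_MAP), 1):
        print(f"#{position} {category}: mean rank {avg:.2f} ({mentions} sources)")
```

With the sample data, Phishing, Zero-days and Cloud misconfiguration each have a single mention and are discarded as outliers, exactly the rule the paper applies.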

Vulnerabilities

Of note in sources discussing cybersecurity vulnerabilities is how differently each source treats the term. Several sources focus on specific vulnerabilities, primarily in software, operating systems, firmware, and other code. Some sources recognize that vulnerabilities can be non-technical in nature, such as physical security weaknesses or a lack of policies and procedures. Unfortunately, the most prevalent and common source of vulnerability rankings relates to individual platforms or applications.

As an aside, for organizations that write their own software, whether for publicly accessible web applications, mobile apps, or even for internal use, a useful source of common threats is the annual OWASP (Open Web Application Security Project) Top 10 [2]. This list consistently highlights avoidable security flaws in web applications and seeks to educate programmers on the most common class of vulnerabilities during the development stage. For the purpose of this list, vulnerabilities in applications, operating systems, or platforms have been condensed (for example, lists recognizing a greater number of specific vulnerabilities affecting Android have been consolidated under the heading of “Mobile devices”).

Media hype surrounding IoT devices leads one to realize that these devices represent a growing attack surface both at home and in every organization due to their growing ubiquity[3], and they can often outnumber traditional IT assets[4, p. 8]. At the industrial scale, ICS systems, usually in the form of SCADA for manufacturing, power generation, water and other utilities, and other critical infrastructure, continue to be probed by advanced persistent threats, with occasional worrisome successful attacks bringing these vulnerabilities to the forefront of experts' minds[5, p. 10]. However, while these may be critical vulnerabilities, they are currently not as likely to be exploited as the more common, easy-to-exploit vulnerabilities. There are still plenty of examples of these exploits, but they do not yet rise to the top 5.

Also of note is the low relative criticality of zero-days. Several sources note that zero-days, while concerning and newsworthy, simply don't translate into actionable threats as often as might be feared. Instead, the risk grows once a patch is released, because the patch itself gives threat actors more information about the nature of the vulnerability, which they then use against systems that remain unpatched.

The data table on vulnerabilities is provided below in Figure 1.

#5: Employees

Employee mistakes and the human element will always be a concern except in the most rigorous, structured organizations. Careless or unaware employees continue to increase risk in the healthcare and energy sectors[6, pp. 10, 12, 13], while shadow IT and even purely malevolent staff taking advantage of their employer continue to be a concern[4, p. 12].

#4: Cloud and Server Vulnerabilities

A number of vulnerabilities continue to exist within specific vectors. There were a few mentions of compromised or vulnerable email servers, oftentimes in the cloud[7, p. 10]. As these systems are public facing, they are easy targets. This can also include compromised credentials coupled with a lack of MFA on publicly accessible systems (again, email servers are prominent)[7, p. 25]. Beyond these specific vulnerabilities, there appears to be some fear regarding the vulnerability of cloud systems and publicly accessible servers specifically for small and medium businesses[8, p. 36], primarily because of the broader attack surface[9].

#3: Traditional Laptops & PCs, OS, and Office Software

While a rather broad category, every employee maintains a device, even an employer-owned one, that contains potentially vulnerable software and operating system components and may itself hold sensitive data; this particular attack surface is therefore large, dispersed, easily lost or stolen, and under the primary control of the same employees mentioned in #5[8, p. 5]. These devices are ripe for ransomware, malware, and even cryptojacking, and still represent a path for attackers to reach an organization's network through careless employees and such traditional desktop software as Flash, web browsers, Microsoft Office, and more[10, pp. 5–6].

#2: Mobile Devices

Amongst the sources citing specific CVEs and counting vulnerabilities in software and platforms, the Android platform comes up as the single largest platform by discovered vulnerabilities during the year[11]. This, coupled with Apple's not insignificant count of vulnerabilities[10, p. 6] and the remaining threat of mobile devices being lost or stolen while containing sensitive data, means this vulnerability consistently ranked high in several reports.

#1: Digital Transformation/Pace of Change

While only a few reports mentioned the pace of change, those that did consistently placed it as the #1 vulnerability to organizations. The message behind this is that, overall, the need to improve an organization's technology operations and compete for profit makes it hard for cybersecurity to keep up[12, p. 3], as attackers are able to outpace those who work to patch and secure their systems[5, p. 4]. Even small and medium businesses are expected to invest heavily in technology without necessarily having the skills and capabilities to make that investment in a secure fashion[8, p. 8].

Threats

Interestingly, insider threats, employee misuse (both intentional and accidental), and mistakes, while mentioned by several sources, did not rise to the level of the top 5. Likewise, supply chain and third-party threats, often worrisome because of the history of breaches such as the Target breach, still ranked just #6, as the major categories of threats that have been pervasive for the past several years remain the most common risks for any enterprise. Threats are still based on the fundamentals (social engineering, attacks for fraud and theft, and ransomware and malware), and while new threats and threat actors emerge every year, these new threat actors often have the same motives as before (money, and occasionally state-sponsored APTs) while using the same or similar tricks from years ago.

A few sources seemed to indicate that phishing and social engineering attacks, while certainly still present, have plateaued or even waned slightly as other threat types have begun to grow. This may correspond with the increased awareness, training, and phishing simulation investments made by even the smallest of organizations. As phishing is largely untargeted and high-volume, this threat remains present, though hopefully diminishing. Indeed, our average shows that phishing has dipped below the top 5, though it is still very prevalent and still represents a true threat[13, p. 12].

The data table on threats is provided below in Figure 2.

#5 Endpoint Attacks, including BYOD

With the simultaneous rise of both cloud Software-as-a-Service and mobile, especially including BYOD, attacks directly on endpoints are a growing risk[14]. The weaknesses that coalesce at the intersection of vulnerable operating systems, application software, web browsers, and careless users present a top 5 threat to most organizations[8, p. 36].

#4 Supply Chain/3rd Party

The lessons from Target are still unlearned, and third-party and supply chain threats are still among the top 5 threats for organizations, even 7 years later[1, p. 4]. Fortunately, organizations are at least prioritizing third-party risk at the highest levels[1, p. 13]. Symantec has also noted an uptick in formjacking, which is contributing to supply chain attacks, along with more mundane sources such as developer tools, updates, and even chatbots in partner systems[15, p. 17].

#3 Ransomware/Malware

Ransomware against individuals may have plateaued, but 2019 saw an increase in attacks on enterprises as these attacks became more targeted and sophisticated[15, p. 9]. Ransomware continues to infect large organizations, state and local governments, hospitals, and critical industries[16, p. 102], and shows little sign of abating[13, p. 8]. This is distinct from other forms of attacks in that they are semi-targeted,

#2 Cybercriminal Attacks for Theft and Fraud

Essentially, most of the surveys admit that any direct attack with a financial incentive still forms a large share of threats[9], as demonstrated by the increase in formjacking attacks and other banking fraud. This includes Trojans, botnets, and other malware that targets financial institutions[7, p. 41], in addition to fraud that targets the financial resources of non-financial institutions through their third-party access, or even something as mundane as ATM skimming. In sum, theft and fraud through direct action by hackers remain near the top of the list.

#1 Web and Web Application Attacks

Flash and browser attacks remain near the top and, as a way to “drive-by” infect users, may have supplanted email malware. While untargeted, these attacks utilize increasingly vulnerable software (Adobe Flash and Java, to name a few)[16, p. 33], and Google Chrome was the most vulnerable web browser for 2019[11]. In addition, banking fraud through the web remains high. Finally, credential misuse on public web servers remains high, primarily due to the presence of unpatched email web front-ends[7, p. 25].

Conclusions

While significant disagreement can remain in certain areas on the exact numerical order of threats, most sources agree on the top 5, or even top 10, vulnerabilities and threats. None of these entries should come as any surprise, and they continue, even after many years, to demonstrate that many organizations are failing to address the fundamentals of cybersecurity from an enterprise risk management and strategic perspective. It remains critical for the entire organization, and not just the cybersecurity team, to take these vulnerabilities and threats seriously, no matter their order.

Chart showing top vulnerabilities

Works Cited

[1] “Measuring & Managing the Cyber Risks to Business Operations,” Ponemon Institute, sponsored by Tenable, Dec. 2018.

[2] “OWASP Top Ten.” [Online]. Available: https://owasp.org/www-project-top-ten/. [Accessed: 04-Feb-2020].

[3] “Top 10 Cyber Security Threats Against Enterprises in 2019,” Comodo News For Enterprise Security, 28-Mar-2019. [Online]. Available: https://enterprise.comodo.com/blog/ten-cyber-security-threats-facing-businesses-today/. [Accessed: 05-Feb-2020].

[4] “2019 Cyber Risk Report,” Aon, Inc., Feb. 2019.

[5] “The New Norm: Trend Micro Security Predictions for 2020.” Trend Micro, Incorporated, 2019.

[6] “Global Information Security Survey (GISS).” [Online]. Available: https://www.ey.com/en_us/giss. [Accessed: 11-Feb-2020].

[7] “2019 Data Breach Investigations Report,” Verizon Enterprise.

[8] “2019 Global State of Cybersecurity in Small and Medium-Sized Businesses,” Ponemon Institute, sponsored by Keeper.

[9] S. Bocetta, “10 Most Urgent Cybersecurity Issues in 2019,” CSO Online, 12-Nov-2019. [Online]. Available: https://www.csoonline.com/article/3501897/10-most-urgent-cybersecurity-issues-in-2019.html. [Accessed: 05-Feb-2020].

[10] “Vulnerability and Threat Trends,” Skybox Security, 2019.

[11] “Top 50 products having highest number of cve security vulnerabilities in 2019.” [Online]. Available: https://www.cvedetails.com/top-50-products.php?year=2019. [Accessed: 06-Feb-2020].

[12] “The Future of Cyber Survey 2019,” Deloitte US.

[13] “State of Cybersecurity 2019.” [Online]. Available: https://cybersecurity.isaca.org/state-of-cybersecurity#3-2018-part-2. [Accessed: 06-Feb-2020].

[14] T. Parks, “The Top 5 Cybersecurity Threats Plaguing Enterprises,” Security Technology Executive, vol. 29, no. 3, pp. 12, 14, Aug. 2019.

[15] “2019 Internet Security Threat Report (ISTR),” Symantec, Apr. 2019.

[16] Publications Office of the European Union, “ENISA Threat Landscape Report 2018: 15 Top Cyber-Threats and Trends,” 04-Apr-2019. [Online]. Available: https://op.europa.eu:443/en/publication-detail/-/publication/6373c334-574d-11e9-a8ed-01aa75ed71a1/language-en. [Accessed: 05-Feb-2020].

Figures and Tables

Figure #1: Vulnerabilities

Figure #2: Threats