Top 7 Key Findings
We analyzed our vulnerability and risk data from 800+ tests. Here are the highlights from key areas of analysis.
Cloud service providers are far more secure than enterprises.
VULNERABILITY
Large enterprises are 46% more likely to suffer a breach than large cloud providers.
Cloud environments are most vulnerable to two types of attacks.
CLOUD
27% for security misconfiguration; 12% for cross-site scripting
Apps are now 2x more secure than in 2019
APPLICATIONS
Apps are now twice as secure as they were in 2019.
Phishing still snags the bulk of credentials.
SOCIAL ENGINEERING
61% of phishing engagements resulted in a full compromise.
Medium-sized enterprises are slowest to improve.
ENTERPRISES
Large and small companies saw more than 3x the year-over-year improvement of medium-sized companies.
Insecure protocols dominated top industry vulnerabilities.
INDUSTRY
Insecure protocols represent 22.7% of top vulnerabilities across all verticals except technology.
Two issues dominate those pursuing FedRAMP.
FRAMEWORK
18.6% subject to phishing attacks; 17.9% face security misconfiguration challenges
What you can look forward to with Coalfire’s 3rd annual penetration risk report.
Coalfire EVP Mark Carney highlights surprising trends and opportunities to help every company get stronger by reducing their cyber risk.
Cybersecurity - have we been doing it all wrong?
Our year-over-year data shows that organizations struggle with the same vulnerabilities across all attack vectors. Is your company at risk? What can you do about it? Check out our top seven findings and find key takeaways and recommendations for how to overcome these recurring risks and harden your security environment.
Insecure protocols
Password flaws
Patching/patch management
Security misconfiguration
Out-of-date software
Sneak peek
3rd Annual penetration risk report
See strategic insights as well as recommended solutions to top vulnerabilities like:
Unlock this year’s insights and improve your security posture now.
Access the details of our analysis and discover answers to cybersecurity's toughest challenges:
CSPs are far more secure than enterprises.
Apps are now twice as secure as they were in 2019.
Do you have critical systems in the cloud or headed there?
Top findings
Enterprise
Welcome to Coalfire’s newest Securealities report on penetration risk. With three years of cybersecurity data from hundreds of penetration tests, several alarming trends are emerging. Our findings indicate systemic weaknesses in overall security posture, with many organizations exhibiting higher risk exposure than expected. Our year-over-year data shows that organizations struggle with the same vulnerabilities across all attack vectors. Is your company at risk? What can you do about it? Check out our top seven high-level findings and find key takeaways and recommendations to overcome these recurring risks and harden your security environment.
Do you have critical systems in a traditional on-prem center?
Top Findings
What kinds of attacks are companies facing?
To identify trends, we analyze susceptibility around various attack vectors. In 2020, organizations continue to prioritize defending against external attackers over internal. There’s a slight decline from 2019, but a slight increase from 2018.
This demonstrates that most organizations remain well prepared to handle external attacks.
Application attacks:
Include engagements with the objective of compromising web applications, mobile applications, or APIs.
External attacks:
Originate from outside the target environment and attempt to compromise the network with components available over the internet.
Internal attacks:
Where bad actors achieve a foothold within internal networks.
Risk ratings:
Critical:
findings resulted in compromise during the engagement or can immediately result in compromise given the right set of conditions.
High:
findings that provided a significant opportunity to compromise the environment but not sufficient to satisfy the objective of the adversary.
Medium:
findings that provided key information in the pursuit of the objectives.
Low:
Now let’s take a closer look at the data.
The following sections break down the data in a variety of ways. To fully explore the findings, interact with the charts using the category tabs and option buttons.
Attack vectors year-over-year
In a significant reversal from last year, applications are demonstrating great improvements in security posture.
Our 2020 data shows that applications are more than twice as secure as they were in 2019. Applications are popular attack surfaces in general and are often the primary attack surface in businesses with low exposure to the Internet, as these interfaces and some security appliances can be easier targets. The “shift left” practice of testing early for defects in the software development process may not be enough on its own. Today’s DevSecOps movement, which combines secure software development with IT operations, shows promise to continue this positive trend.
By company size
We categorize companies by revenue: Those under $100M are small, those between $100M and $1B are medium, and those over $1B are large. In 2018, medium businesses hit the “sweet spot” and were best at keeping critical risks at bay. But in 2019 we found the opposite: Medium companies were the worst. In 2020, our dataset is 63% larger than in previous years. Medium companies were again the least secure, validating last year’s findings. And as we did last year, we pulled out cloud service providers to examine how they impact the data. Not surprisingly, we found that large CSPs were far more secure than medium and small cloud companies. The “cloud effect” cited in 2019 lives on in 2020.
By industry
Top seven recommendations
Our recommendations to resolve most of the weaknesses exposed by our data – regardless of company size, industry, or compliance framework – can be refined within two focus areas: strategic planning and threat and vulnerability management.
Strategy-specific recommendations
By framework
Our FedRAMP findings contain something we don’t see in other dataset stratifications. “Training” is our euphemism for the vulnerability category that includes social engineering. FedRAMP requires phishing tests, and we include one for each engagement. Phishing tops the list of issues leading to compromise for our FedRAMP clients. Additionally, account permissions make it into the top five, demonstrating that not only are cloud environments at risk from security misconfiguration flaws but also setup flaws, including assigning overly broad permissions to accounts within the solution. Our FedRAMP clientele fall within our “cloud provider” sector, as you might imagine. Cloud providers were a standout among the companies we examined, and that carries through in these findings as well.
Overall, the technology vertical earns the title of “most secure” across all attack vectors. Our newer additions, education and government, performed the worst overall. However, evaluation by attack vector yields a somewhat different posture across the industries, with some leaning positive, and some leaning woefully negative. Financial services gets props due primarily to a 60% improvement in applications security. Frankly, we’re not surprised that our technology vertical has come out on top again. It follows that companies that develop, build, and manage technology should be best positioned to defend against attack vectors directed against technology.
Strategic planning
First, the program should be designed and optimized to deliver strategically planned security controls and implement a high degree of discipline in administration and monitoring. Second, the controls must be tracked to ensure they are meeting the performance management characteristics that your organization expects. Executive leadership teams need to get closer to this level of oversight. Finally, that security program, at its core, should be aligned with the objectives and goals of the business. With everything moving to the cloud, distributed operations, and the decline of the on-premise data center, executive leadership must prioritize cyber strategy.
Threat and vulnerability management
A mature threat and vulnerability management program establishes the processes for asset management, providing an organization with insight into what system and software assets power their business; a threat and risk assessment process that integrates with their engineering lifecycles; and a vulnerability assessment program that provides the management team with a deep understanding of the current security posture. This approach also provides a penetration testing capability that can validate the security controls once implemented across an enterprise. These core constructs are critical to an organization’s ongoing management of threats and risks.
Emerging solutions
Perhaps it’s time to start re-thinking how we’re doing things. Could emerging technology like machine learning and artificial intelligence reform the industry? Listen to Mike Weber, Coalfire Labs' VP of Innovation, tackle this question.
Want to see where your company’s posture stands compared to our report data?
We’ve assembled this report from three years of penetration testing data. Coalfire has collected this data from engagements that are as specific as testing a given solution, and as general as through carrying out a red team on an entire organization. This type of testing is appropriate for companies in any industry and of any size and is a key component of a mature threat and vulnerability management program. Evaluate your organization and see how you compare!
Vulnerability-specific recommendations
Vulnerabilities found by test type
(Chart: percentage of vulnerabilities found by test type, for internal, external, and application tests in 2018, 2019, and 2020.)
A note on the pandemic
Though our data for this report was collected before the COVID-19 pandemic, we would be remiss if we didn’t reflect on how this enormous challenge affects cybersecurity. Though most organizations are delaying spending decisions, the shift to dispersed operations creates larger attack surfaces with more opportunities for bad actors to compromise systems. Remote employees and location-neutral contractors working in less secure environments are red flags. We are seeing more assignments trending toward compliance-related matters, and higher performing companies are moving from point-in-time compliance schedules and security checks to continuous monitoring capabilities.
Last year, large enterprises hit the “sweet spot” for proactively guarding against vulnerabilities. These large organizations, with more than $1 billion in revenue, continue to maintain significantly better security postures. However, when you divide those large companies into the enterprise and cloud categories, these large enterprises are 46% less secure than large cloud providers – in other words, they’re almost twice as vulnerable and more likely to eventually suffer a breach.
Large enterprises are 46% more likely to suffer a breach than large cloud providers.
Phishing creates a breach without having to attack systems and applications. For most of our engagements, social engineering attempts are designed to gain an initial foothold in the environment through phishing campaigns designed to harvest credentials that can be used for remote access, or by delivering a malicious payload that spawns a connection back to our attack infrastructure.
Phishing continues to be one of the simplest ways for attackers to circumvent security controls.
Strategy+: Coalfire’s strategic planning tool
Coalfire’s threat vulnerability management approach
Scope and approach
With this report we draw on three years of penetration testing data and decades of insight, working with clients across all industries on the cutting edge of cyberattack simulation. 2020 represents 837 pen tests across 353 clients, of which:
• 216 for demonstrating PCI compliance
• 187 for seeking FedRAMP Authority to Operate
• 501 for cloud providers
• 336 for enterprises
• 335 application tests
From previous reports, we’ve maintained retail, financial services, healthcare, cloud and technology, and education categories and added state and local government. With IoT on the rise, we’re seeing increasing demand for testing internet-connected devices – watch for a deeper IoT dive in next year’s report.
Security misconfiguration: 27% | Cross-site scripting: 12%
Though today’s cloud environments comprise a wildly diverse set of technologies, they have at least two things in common: a method for managing the environment (typically presented as a web application) and a user who’s ultimately responsible for configuration (or misconfiguration) of the hardware, software, and firmware. Our penetration testing confirmed this fact, identifying significantly more cross-site scripting and misconfigurations in cloud environments than in enterprises.
However, 2020 shows a significant reversal from 2019, with applications demonstrating significant improvements in security posture; in fact, they are more than twice as secure as they were last year. But cross-site scripting continues to vex developers across all industries. Simple input sanitization can defeat this vulnerability, yet we are left wondering when this basic web vulnerability will be eliminated.
Between 2018 and 2019, application security faltered, dropping almost by half.
The penetration tests included in this study were carried out with the objective of emulating an attacker. Our team uses the tactics, techniques, and procedures that an adversary is most likely to use, with the objective of gaining the level of access that an adversary would want. If we achieve the objective, that’s considered a compromise.
If you’re going to keep systems on premise, lock down the environment. There are not a lot of surprises from previous years, as insecure protocols top the charts again for enterprises. Hardening your enterprise environment remains key to reducing risk.
Large organizations
Driving this solid security posture are large enterprises, which tend to mimic our overall findings. But the big companies do not lead every category and in fact, turn out to be the worst when it comes to application security – but just barely. Ultimately, the differences demonstrated across attack vectors and company size were negligible. Although our data hasn’t changed dramatically year-over-year, a new danger is emerging. The tools used in the past to protect the largest enterprises are not keeping pace with how fast attackers discover new ways to breach. We expect the data we’re starting to gather for the 2021 report to confirm this growing concern across all sizes and categories.
Small organizations
Small companies show that they’re not the worst at anything in particular in 2020. They demonstrate solid application security posture and show themselves to be the best at defending against external attacks. Perhaps because they are less capable of absorbing a major breach, and thus may have more to lose than their larger counterparts, small companies have the opportunity to be more focused in their security efforts. Even though there are more small companies in the world than large ones, large enterprises are, obviously, larger and more lucrative targets. Still, with attack vectors spreading and creating more vulnerabilities, small companies cannot afford to rest on any false sense of security.
Medium-sized organizations
Medium-sized companies were found to be the most susceptible to internal and external attacks but least susceptible to application attacks. This was a notable finding, as medium-sized companies drove the increases in application security seen this year. In fending off attackers, medium companies performed three times worse than mid-sized cloud providers, showing a mere 4% improvement year-over-year when compared to their large and small counterparts. These results emphasize this report’s fundamental conclusion that third-party cloud service providers have improved their security posture far beyond what individual companies are providing within their own environments.
Technology led the industries in demonstrating resilience to attacks of all types. In a repeat performance from last year, the tech industry was the most secure across the board, and our findings didn’t change much. Given that this vertical is moving the ball as fast as it can while everyone else tries to keep up, we expected there would be a bit more change year over year. But it seems that companies that build and sell high-tech solutions happen to be pretty good at securing them as well. Go figure. We can find encouragement here, in that if Moore’s Law is still in effect, we seem to be staying ahead of the compounding complexity of technology.
Technology – Applications
Applications in the technology category were most susceptible to cross-site scripting. Injection flaws – which include SQL injection and command injection of a variety of types – topped the most significant vulnerabilities.
Technology – External
Significant external issues for tech companies were found in missing patches and insecure protocols in use. From an external perspective, insecure protocols are those that are subject to interception, like unencrypted protocols, or to man-in-the-middle attacks.
Technology – Internal
Attack vectors in the technology sector were topped by password flaws and patching issues, surpassing even insecure protocols. This was a departure from what we found in other industries, where insecure protocols dominated the internal findings.
Financial services looks much better than in years past. In 2019, financial services was ultimately last overall. Application security in the financial sector was previously worst overall by a wide margin, but this year it leveled off. Financial services ended almost as secure as the tech vertical. This has been buoyed by a marked improvement in application security. What is most notable about the rising financial services tide is that the majority of the financial applications we tested were built on cloud technology stacks. In general, these are sophisticated products coded by companies in the high-performing technology vertical that can’t afford not to bake in security early their development processes.
Financial Services – Applications
Financial applications were the shining star of this report. A major turnaround from last year with a 60%+ decrease in critical application issues. They’re half as likely to be breached now than two years ago.
Financial Services – External
External findings were almost identical to last year, with the same general distribution. Of note were more security misconfiguration issues, but only a handful could be exploited to compromise the system.
Financial Services – Internal
Internal risk lines up with the other industries, with less variety of results. Though injection vulnerabilities fell off the radar, don’t get complacent: Internal networks still demonstrate that more than 50% of the issues we encountered would lead to compromise.
This year, retail remains on good footing with overall security posture. As the second largest group within our dataset, retail organizations show results at the same general levels as last year. However, the distribution of issues was somewhat shocking. Retail applications appear quite a bit different from last year, while external issues were dominated by a rather frightening finding: Internal networks again demonstrated a gap in securing enterprise networks, which are the easiest target to start with when gaining access to cardholder data.
Healthcare landed in the middle of the pack again with overall security posture. But this year we observed some interesting findings in the dataset, which led us to question how we keep ending up at this point of average security performance. We believe the differences stem from challenges endemic to healthcare – complex integrations, and legacy systems. The complexity of systems that support the healthcare industry can be incredible, and the need to find best-of-breed systems to support the mission of healthcare companies can lead to some complicated solutions and challenging integrations. At the end of the day, both issues tend to cause security problems.
Healthcare – Applications
Authentication issues stood out. Investigation yielded issues with the authentication process, generally due to poor integration and configuration of standard authentication processes. Our findings demonstrate that the integration of disparate authentication schemes can challenge even the most capable organizations.
Healthcare – External
Password Flaws #1! We questioned this finding as it would seem to point to a specific technology shortcoming. Again, there were no common threads between the systems compromised through poor password hygiene outside of poor administration.
Healthcare – Internal
Patching issues plague healthcare internal networks. Considering the industry’s operational characteristics, there is a reluctance to pull the trigger on changes that could impact operations. This is not the case everywhere, but it is a mindset that continues to dominate the industry.
Retail – Applications
The most prevalent way to compromise a retail application is through cross-site scripting. As companies continue to outsource the things they’re not good at – like developing bespoke systems for processing sales – the number of unique deployments is quickly shrinking and reducing server-side issues. The tradeoff? The customization of off-the-shelf applications results in common UI-level issues like cross-site scripting.
Retail – External
Password flaws are an alarming issue. We found these flaws across a wide variety of technologies, and there was no common cause beyond poor administrative practices.
Retail – Internal
Retail internal findings look much the same as others, with insecure protocols being the most severe issue, followed by password flaws and patching.
Last year’s highlight for the education vertical was application security. This year, that datapoint is reversed. While there was little change in external and internal risk, poor application security was a large factor in the industry’s overall decline in security posture. This result is different from our overall findings. However, the number of client engagements in this vertical was not very large. Ultimately, it appears that the data from last year was uncharacteristically good, and this year it is uncharacteristically poor. The big reveal will be in next year’s report, when we hope to shed some light on the impact of remote learning and administration as a result of the pandemic.
Education – Internal
Unhardened internal environments contributed to the insecure protocol findings, followed by security misconfiguration due to some complex environments that we tested. Notably absent? Patching. It appears that the education organizations we worked with last year have improved on the patching front.
Education – Applications
There weren’t many applications tested for our education clients, and this may contribute to the decline, but our testers were able to compromise all but one of the education applications that were in scope for our testing.
Education – External
Externally, the education vertical fared poorly, as it did last year. The same issues surfaced with a similar distribution of findings.
Our government vertical is new this year. This sector comprises mainly state and local governments, as our Coalfire Federal team handles federal clients and keeps that information strictly confidential and separate. Our findings ranked the state and local government vertical squarely at the bottom of the ladder for overall security. While government clients proved to be in the middle of the pack for external and application attack vectors, the state of internal security is what dragged them to such poor performance levels. This industry was far more vulnerable than the others we examined. But as a new vertical, it’s possible we’ll see a significant change next year, as we did with our education vertical.
State/Local Government – Applications
Government contained the fewest applications of any vertical and demonstrates fewer unique finding classifications for that reason alone. This sector is dominated by security misconfiguration but notably lacks the cross-site scripting issues that plague other industries.
State/Local Government – External
Government entities tend to be slow to adopt new technologies, have tight budgets, and long budget cycles. As seen in our data, external attack vectors are similar to other industries.
State/Local Government – Internal
Slow changes, limited budgets, and bureaucracy come with the territory. These issues can make things like locking down an internal network much harder.
High-risk overall vulnerability by company size
Top 5 cloud vulnerabilities
High-risk vulnerability for large, medium, and small companies
Our PCI penetration testing engagements prove that the easiest way to compromise credit card data isn’t by attacking the point-of-sale system or the terminal device, or by planting malware in a back office. It’s by attacking the corporate infrastructure where the cardholder data environments are attached. Many companies support their retail systems through efficient enterprise network engineering. Unfortunately, while it’s efficient, these companies frequently neglect to harden their corporate domain and are susceptible to attacks that exploit insecure protocols. This makes it more efficient for attackers as well. They simply compromise the corporate domain to allow them access to the systems that process credit cards.
Our 2020 data reiterates that organizations are prepared to defend against external attacks.
It’s been true for millennia that keeping intruders out requires a strong perimeter. Our analysis confirms that external defense is being handled well, at least better than against other attack vectors. But with more external workers, what will happen when the traditional network perimeter is replaced by the concept of Identity-as-a-Perimeter? This could be a looming disaster, given that the perimeter will be in the hands of fallible individuals. Perhaps we’ll overcome this by taking away the ability to “hand out your identity” through ubiquitous and strong multifactor authentication techniques.
From an internal attack perspective, there were no surprises. Too often, organizations fail to secure their critical internal support infrastructure, and we see little improvement.
In pen testing, gaining internal access is easy if you’re on the inside, and we find that most organizations do not take internal security as seriously as they should. Combine this tendency with our social engineering results, and you can understand why attackers, first and foremost, follow the easiest paths to their goal. Given the new attack surfaces resulting from the sudden expansion of remote workers and dispersed operations, it’s clear that internal attacks should not be taken so lightly. Yet, here we are.
MITRE ATT&CK® framework matrix with top vulnerabilities
(Interactive chart: our top cloud vulnerabilities are matched with the corresponding techniques in the MITRE ATT&CK® Cloud Matrix. The vulnerability categories are defined below.)
Cross-site scripting is an attack in which malicious scripts are inserted into otherwise benign and trusted websites.
Injection is an attacker's attempt to send data to an application in a way that changes the meaning of commands being sent to an interpreter – for example, SQL injection or command injection.
Security misconfiguration manifests in overly broad permissions, weak or missing access controls, or failure to configure security controls available on a given platform.
Password flaws include the implementation of weak or guessable passwords, or the use of default passwords on commercial off-the-shelf products.
Patching findings can include different exploitation techniques, but the root cause is the organization failing to apply an available patch that fixes a known issue.
Security performance by industry
Top vulnerabilities by framework
An organization that is maturing its security program should ensure it meets three key principles:
Organizations can get ahead of their adversaries through routine testing.
Strategic planning – Align security programs with the objectives of the company.
Risk management – Maintain operational agility through risk treatment.
Products & applications – Protect the technologies that power the business.
Threats & vulnerabilities – Continuously monitor systems and applications for susceptibility to threats.
Technical infrastructure – Build and manage a secure and robust systems and network architecture.
Physical security – Integrate cross-functional security response processes.
Human resourcing – Ensure the company has sufficient levels of well trained staff of high integrity.
Resilience & recovery – Engineer systems for scalability and redundancy.
Privacy & data safeguards – Construct controls and governance process to maintain data security now and in the future.
Identity & access – Manage access on a strict need-to-know basis while supporting company priorities.
Leadership & culture – Establish a unified team driving security from the top down.
Governance & compliance – Establish processes to provide visibility across business units and implement continuous compliance.
3RD ANNUAL PENETRATION RISK REPORT
Top Seven Findings
We looked at the data from many angles. Here are the highlights from each area of our analysis.
OVERALL VULNERABILITY
Major turnaround for application security.
61% of phishing engagements resulted in a full compromise.
Companies slow to move.
Enterprises have improved only 4% in a year-over-year comparison across all industries.
State and local governments fail to keep up.
BY INDUSTRY
The state/local government sector is 3x more likely to expose sensitive data.
BY FRAMEWORK