Dangerous misconceptions about emerging cyber threats

Organizations are leaving common attack paths exposed in their quest to combat emergent threats, according to Cymulate.

The most concerning cyber threats

The report delves into the efficacy of different security controls, the most concerning threats as tested by organizations worldwide, and top cybersecurity best practices for 2023.

Report key takeaways include:

Many organizations are testing for trending threats

Organizations are actively testing against threats seen in the news, likely from pressure to report on their exposure risk to emergent threats. This is a good, up to the point where it takes away from assessing threats and exposures that are more likely actively targeting the business.

Businesses that used scheduled and full kill-chain testing demonstrated the broadest testing coverage and the most in-depth validation when they added advanced scenario testing to their programs.

Industry-wide security issues remain unaddressed

40% of the top 10 CVEs identified most by Vulnerability Management platforms were over two years old yet remain unpatched. A significant number of organizations are not testing against more widely recognized threats such as ProxyNotShell and Emotet that continue to persist and are apt to cause the most harm if not remediated.

Data exfiltration risk on the rise

Jumping from 30 to 44 in 2022, the average data exfiltration risk score has worsened considerably. Network and Group Policies have had a positive impact on prevention of data exfiltration, which has driven attackers to resort to alternative exfiltration methods.

Domain and email security

In 2022, the top 10 exposures detected by Cymulate’s EASM module showed most detected exposures were spread across domain security (59.3%) and email security (32.8%).

Understanding your organization’s security posture

When comparing the anonymized data between the first Endpoint Security assessment completed and the most recent assessments completed, significant improvements in risk reduction were seen when BAS testing was regularly performed. The improvements were seen consistently across customers of various industries and sizes.

“It’s understandable that organizations want to protect themselves against the major threats making headlines today,” said Carolyn Crandall, Chief Security Advocate for Cymulate.

“But the findings of the Cybersecurity Effectiveness Report underscore the fact that many attackers aren’t using advanced new strategies—they’re continuing to find success using known tactics. Organizations need to shift their vulnerability management strategies to address these gaps by implementing Attack Surface Management tools for exposure assessment, Breach and Attack Simulation for security control efficacy validation, and Continuous Automated Red Teaming for more frequent penetration testing,” concluded Crandall.

“Organizations must understand their security posture to identify vulnerabilities and protect against emerging cyber threats,” said David Neuman, senior analyst at TAG Cyber. “Cymulate’s release of findings from over one million security assessments and 1.7 million hours of testing provides valuable insights into common weaknesses and areas for improvement in cybersecurity. This data highlights the need for continuous security testing and risk assessments to stay ahead of emerging cyber threats.”