Manufacturers and utilities score highest, while e-commerce companies finish last.


Manufacturers are the fastest at patching software vulnerabilities and defending themselves against cyber attacks, according to a new report from Synack. The two-part report also argues for combining artificial intelligence with human intelligence so that security teams can work at scale.

In “The 2019 Trust Report Volume 1: Trust has a number,” Synack calculated an Attacker Resistance Score based on the company’s database of penetration test performance data.

The average score for attack resistance for each industry is:

  • Manufacturing and critical infrastructure – 65
  • Financial services – 61
  • Federal government – 57
  • Healthcare – 56
  • Retail trade – 54
  • Technology – 53
  • Consulting, business and IT services – 50
  • State and local governments and education – 49
  • E-commerce – 45

Synack found in all sectors that 63% of the vulnerabilities were closed within three months. Manufacturing companies and critical infrastructure companies repair vulnerabilities 57% faster than other industries.

The Synack report showed that financial service providers have considerably fewer authorization and permission vulnerabilities than average.


However, there is still room for improvement: Synack found 150% or more exploitable vulnerabilities, such as SQL injection, at financial service providers and federal government agencies than the industry average. Synack also found 10% more XSS vulnerabilities in e-commerce than in other industries.

The attack resistance score includes these measurements:

  • Attack Costs – the level of effort of the Synack Red Team to penetrate the attack surface
  • Severity of findings – the severity and amount of vulnerabilities discovered in an asset
  • Remediation efficiency – the speed of the patch process

Synack offers “crowdsourced penetration testing,” which means that its Red Team of security researchers attacks a specific target identified by the client to find security issues. Synack’s customers are Global 2000 organizations, fast-growing companies and government institutions.

Synack explains the research methodology for calculating attacker cost, severity of findings and remediation efficiency in the report’s appendix.

Attacker cost is calculated from the complete packet log data collected by Synack’s secure gateway technology. This raw test traffic data records all Synack Red Team test activity for a particular assessment. For severity of findings, Synack assigns each detected vulnerability a rating on the CVSS scale of 0–10. To estimate remediation efficiency, Synack measures patch efficacy and the time taken to apply the patch.

The missing element is the amount of data that Synack has analyzed. The company will not specify the number of security tests on which the report is based beyond “many thousands.” It is difficult to evaluate the Attacker Resistance Score without that context.

Use AI for basic security tasks

In part 2 of the report, “Trust at Scale,” Synack attributes its success to the company’s augmented intelligence strategy, which combines human intelligence and artificial intelligence to identify vulnerabilities.

Synack describes the purpose of “augmented intelligence” as making people more efficient and effective, not building a system that works without people. In this combination, people are responsible for creativity and critical thinking, while machines process large amounts of data.

By including an AI component in a security solution, the algorithm can:

  • Identify the most common types of security risks
  • Analyze cyber security data with higher accuracy
  • Monitor evolving security threats and detect anomalies to build a picture of the threat landscape

Synack reports that security teams combining people and artificial intelligence to perform penetration testing can find vulnerabilities more quickly, cover a wider attack area and reduce the time needed to address vulnerabilities. The combination is important because “security risks and threats always evolve and AI does not excel in higher-order tasks.”

Chase C. Cunningham, an analyst at Forrester Research, said using AI to augment people and improve the operational capacity of cyber security teams is the most directly applicable use case for the AI systems on the market.

“We don’t have enough people today to do the work, and in most cases, the answers that people who work in cyber security functions need can be automated or expanded to increase effectiveness and output,” he said.

Cunningham said that there are few AI tools on the market that are well aligned with data security.

“The weaknesses that we see in the AI tooling on the market are, above all, that the systems are not doing so well when trying to ‘learn’ beyond the boundaries of properly structured and repetitive analyses and answers,” he said. “What we see in this space is really well tailored and applied machine learning for specific usage scenarios.”



Synack analyzed data from security tests to create Attacker Resistance Scores. In the graph above, an incident is a security event that endangers the integrity, confidentiality, or availability of an information item. A breach results in the confirmed disclosure – and not just potential exposure – of data to an unauthorized party.

Image: Synack
