STUDY: Website Vulnerability Assessment

FEELING VULNERABLE? YOU SHOULD BE. VULNERABILITY ASSESSMENT

p. 2
Symantec Website Security Solutions
Vulnerability Assessment 2013
Feeling Vulnerable? You should be 3 - 4
Summary of Research 5
Did you remember to lock the door? 6
Filling the information vacuum 7
Quantifying the risks 8
Which countries are most vulnerable? 9
France: Highly secure, but least examined 10
Germany: Forewarned is forearmed 11
Sweden: Not so blissfully unaware 12
Bridging the vulnerability gap 13
References 14
CONTENTS

p. 3
2011’s security breach at Sony’s
PlayStation Network is thought to
be the largest data security leakage
ever and was so damaging its
effects are still being felt today - in
January 2013 the UK Information
Commissioners Office (ICO) fined
Sony Computer Entertainment
Europe £250,000 ($396,100)
following what was described
as a ‘serious breach’ of the Data
Protection Act. The ICO’s report
concluded that the attack “could
have been prevented” if Sony’s
security had been up-to-date.
After an infection of 10 of its servers, over 75 million
of Sony PlayStation Network’s global customer
account details were stolen. Questions were raised in
parliaments worldwide, lawsuits were launched and
user access to the online network was blocked for over
a month. However this was not an isolated incident; in
2012, Symantec technology scanned over 1.5 million
websites as part of its Website Malware Scanning and
Vulnerability Assessment services. Well over 130,000
URLs were scanned for malware each day, with 1 in
532 of websites found to be infected with malware.
Additionally in assessing potentially exploitable
vulnerabilities on websites, over 1,400 vulnerability
scans were performed each day. Approximately 53
per cent of websites scanned were found to have
unpatched, potentially exploitable vulnerabilities of
which 24 per cent were considered to be critical. Clearly
vulnerabilities can be exploited resulting in significant
and public security failing and resultant loss of trust,
but according to recent Symantec research1, similar
vulnerabilities could exist inside your company, the
problem is that most companies just don’t know.
Criminals are constantly looking for new vulnerabilities
or weaknesses in websites and as the Sony example
shows they often have high levels of success. Malware
infections or exploited vulnerabilities could significantly
impact the safety of customer information so that, before
your business has time to react, your public-facing
website could be infected and blacklisted by search
engines, customer trust could be compromised whilst
the clean-up in the aftermath of an attack could wreak
havoc with your brand. With today’s increasingly
smart malware infections and consequent online data
loss, your business must do more than simply react to
website security issues.
FEELING VULNERABLE? YOU SHOULD BE.

p. 4
Symantec surveyed 200 IT professionals in all sizes of
business across four European countries to find out how
much they know about their exposure to threats and
what they are doing to improve that knowledge. Nearly a
quarter admit they don’t know how secure their websites
are, yet more than half of respondents admitted
they have never carried out a website vulnerability
assessment.
While respondents generally ranked the likelihood of
their websites suffering from specific vulnerabilities as
low, Symantec’s own experience is that more than 24%
have critical vulnerabilities2. Malware infection, one of
the biggest emerging security threats, often comes as
a direct result of website vulnerabilities. According to
Symantec’s most recent Website Security Threat Report3,
403 million unique types of malware were discovered in
2011, making it clear that if a website has a vulnerability
it will be exploited. Vulnerability assessments can fill
the information vacuum – not only pointing to where
vulnerabilities exist but also to the corrective action that
is required to fix them.
In addition, assessment is not just a one-off; the survey
shows that organisations’ confidence in their website
security is higher among those who repeat assessments
every month than those who haven’t repeated scans.
Not surprisingly, larger companies are more aware
of the risks and more likely to conduct and regularly
repeat vulnerability assessments. However, according
to Symantec’s 2013 Website Security Threat Report4,
it’s a mistake to assume that only large companies
are targeted by attacks; the report shows a significant
number of smaller companies (31%) are being pursued.
Larger companies will naturally gravitate towards more
in-depth assessments, but smaller companies also
clearly need to get a better picture of not only what their
overall exposure is, but also what specific risks they face.
FEELING VULNERABLE? YOU SHOULD BE.
There were
5,291 vulnerabilities
reported in 2012
compared with
4,989 vulnerabilities
reported in 2011

p. 5
0% 30% 52% 14% 4%
0% 36% 27% 14% 27%
Not Secure Reasonably Secure Very Secure Totally Secure Don’t Know
EVERY MONTH
NOT AT ALL
Those who conduct regular vulnerability assessments have
much better visibility into their website security
SUMMARY OF RESEARCH5
Nearly a quarter
of IT managers don’t
know how secure
their website is
2% - not secure
27% - reasonably secure
33% - very secure
23% - don’t know
15% - totally secure

p. 6
In our survey of 200 IT managers, nearly a quarter
(23%) admit they simply “don’t know” how secure
their website is. Among smaller companies with 1-499
employees, this figure rose to 30% - nearly a third of
SMEs have no insight into their website security.
While only 2% admit to any vulnerabilities and a third
(33%) assume their websites to be very secure, only
15% overall say they are “totally secure”. Only half of
respondents (48%) rank their website very/totally secure
compared to nearly three quarters (74%) in the US.
Without a better understanding of vulnerabilities, it’s
difficult to say what the impact of security gaps are. But
with malicious attacks skyrocketing by 81% in 20116,
it’s fair to assume vulnerabilities will lead to attacks.
Only 19 companies in the survey admitted to internet
security breaches in the past six months, although
three of these reported a major impact from the breach.
However, the majority of internet security breaches go
unreported or undetected, so it may be that cybercrime
is happening without companies knowing.
Assuming that a company website is secure is a
dangerous game. Symantec’s own research from
carrying out its free vulnerability assessments shows
that around a quarter of company websites suffer
from critical vulnerabilities7. For smaller companies,
assuming that the bigger brands will be the target
of attacks is wrong; 17.8% of attacks are targeted
at companies with less than 250 employees as
cybercriminals go after smaller companies so their
activities are less likely to be detected8.
What we can certainly say is that without a substantive
approach to layered security, websites are open to attack.
Similarly, without some information on what a
website’s vulnerabilities are, it’s impossible to
understand the seriousness of the threat and the risks
an organisation faces.
DID YOU REMEMBER TO LOCK THE DOOR?
Website security has never been more important, yet companies across
Northern Europe appear to have a huge gap in their understanding, and
a critical exposure to possible security breaches.
never In the last year In the last 6 months In the last month
UK FR SE DE
15% 14% 12%
10%
16% 14%
22%
8%
16%
56%
64%
53%
20%
26%
12%
42%
More than half have never conducted a vulnerability assessment
on their website

p. 7
0% 30% 52% 14% 4%
0% 36% 27% 14% 27%
EVERY MONTH
NOT AT ALL
When did you last conduct a vulnerability assessment on your website
and what were your findings?
Regular vulnerability assessments are
the means by which organisations fill
the gaps in their understanding about
website security.
More than half of respondents (53%) have never conducted
a vulnerability assessment, perhaps because of low
awareness of the growing problem of malware. 15% of
respondents have conducted a vulnerability assessment in
the last month, 16% in the last 6 months and 16% in the last
year. The majority of those who have conducted assessments
tend to repeat the exercise. 52% of respondents who
conducted assessments repeated the exercise in the last 12
months and a quarter say they repeat them regularly.
Larger companies are more likely to have conducted an
assessment recently (21%), although far more medium-sized
companies (with 500-999 employees) have never
conducted an assessment (67%). Likewise, of those who
have conducted assessments, larger companies are more
likely to repeat the exercise, with 37% of the 30 companies
repeating them every month.
There’s a very low adoption of automated scanning for
vulnerability assessment, perhaps because in the case of
the complimentary Symantec service, it’s only recently
launched. Just 6% of those who have conducted an
assessment used this method, while half (50%) used a
third party and 44% did an internal assessment.
The impact of conducting vulnerability assessments is
clear. More than a quarter (27%) of those who never
conducted assessments admit they simply don’t know
how secure their website is, compared to 23% overall.
Conversely, those who have conducted assessments have
greater confidence in their website security. Only 4% of
this group don’t know how secure their website is.
Arming yourself with information about website vulnerabilities
is of course just the first step – but in itself it may make you
more aware of the risks you are prepared to take. A high
number of those who conduct assessments regularly say their
websites are very secure (52%), and nearly a third of this
group (30%) say they are reasonably secure.
FILLING THE INFORMATION VACUUM

p. 8
In an information vacuum, it’s hardly
surprising that IT managers rate
their likelihood of suffering various
vulnerabilities as low. With over
half of respondents never having
conducted vulnerability assessments,
they can only guess at the likelihood
of their websites suffering from
different vulnerabilities.
Nonetheless, there was a big difference between
respondents’ expectations about the vulnerabilities
their websites might have, and Symantec data on the
vulnerabilities that websites typically suffer from.
In order, the most likely vulnerabilities rated by
our respondents were:
• Brute force attack (20%)
• Authorisation vulnerabilities (19%)
• Information leakage (15%)
• Cross-site request forgery (15%)
• Content spoofing (14%)
• Cross-site scripting (13%)
Cross-site scripting, the least likely vulnerability
according to our survey, is one of the most likely
according to Symantec’s own research. Nearly a
third (32%) of respondents admit they don’t know
if they might have this vulnerability.
Information leakage is also rated as a low likelihood.
Nearly half (49%) say it’s unlikely they suffer from
this vulnerability, while in reality, data breaches
are an increasingly common occurrence. The
aforementioned Sony PlayStation breach is clear
evidence of this.
Our survey rates brute force attacks the most likely
vulnerability, (20% rate it likely or most likely),
with respondents imagining physical infrastructure
weakness outweighs virtual risks.
Authorisation vulnerabilities were ranked likely or
most likely by just 19% but this was the most common
breach that actually occurred according to our survey,
with 6 respondents citing it as the most serious breach
they had experienced in the last six months.
Discrepancies between the expectations of respondents
and what is happening in reality further highlights the
vulnerability knowledge gap. Organisations need to get
a better grip on the risks they face. Without a better
grasp of their actual exposure to risks, they cannot act
to improve their website security.
QUANTIFYING THE RISKS
32% 37%
18%
9%
4%
Don’t
Know
Most
likely
Least
likely
Please rate the likelihood that
your website suffers from
cross-site scripting?

p. 9
UK: Secure, or Not Sure?
Many UK organisations think that
their websites are relatively secure
and that they don’t suffer from
vulnerabilities, but half of the
respondents to our survey don’t
conduct vulnerability assessments,
so it’s difficult to see where their
confidence comes from.
UK organisations are average in their ranking of their
website security, with 48% ranking them very or totally
secure – exactly the same percentage as the average
across all four countries. Around the same as the average
(24%) also answered “don’t know” when asked how
secure they considered their website to be. However, a
higher number than average, and the highest number
out of all the markets surveyed (20%), considered their
websites to be totally secure.
The UK rates the likelihood of having each of the
vulnerabilities lowest of all the countries – in three of
the six categories (see page 8 for list of categories), more
organisations in the UK than in any other country ranked
themselves least likely to have a vulnerability, and in
the other three, they had the second most organisations
ranking themselves least likely.
The UK also has a higher number of organisations than
other countries in three categories admitting they “don’t
know” whether they have specific vulnerabilities. Cross-site
scripting is a good example, where 40% say they are
least likely to suffer from this vulnerability, while 48% say
they don’t know.
The UK is split 50-50 on those who do and do not conduct
vulnerability assessments and has more than the average
who repeated assessments in the last 12 months (56%); it
also reports the lowest number of breaches.
Clearly, organisations in the UK are polarised in their
opinions between those who conduct assessments
regularly, patch any holes they find and consider
themselves highly secure, and those who don’t conduct
assessments and aren’t sure what their exposure is.
WHICH COUNTRIES ARE MOST VULNERABLE?
0% 28% 28% 20% 24%
A fifth of UK companies consider their website to be totally secure

p. 10
Very
Secure
Totally
Secure
Don’t
Know
FR AVERAGE FR AVERAGE FR AVERAGE
42%
52%
8%
33%
48%
23%
A high number of French organisations consider their
websites to be very secure (42% versus an average of
33%) and a higher than average number are in the upper
quartile of very/totally secure (52% versus an average of
48%). Only a very small number (8% versus an average of
23%) said they don’t know how secure their websites are.
However, French organisations have the highest likelihood
scores across five out of six categories of vulnerability
and were the least confident in vulnerability scores of
the four countries surveyed. Their top risks were for
cross-site request forgery (where 34% of organisations
ranked themselves likely or most likely to suffer from
the vulnerability), brute force attacks (32%) and
authorisation vulnerabilities (28%).
Low numbers in every category said they don’t know how
likely their websites are to suffer the vulnerability – 8% or
less in every category versus average percentages across
all four countries of around 30%.
France had the highest number of respondents,
nearly two thirds (64%), who have never conducted a
vulnerability assessment, but among those who have
conducted an assessment the country has the second
highest number (44%) using internal assessments.
39% of the organisations that did conduct assessments
repeated them every month.
French organisations need to arm themselves with more
data on the specific vulnerabilities their websites suffer
from. When questioned, higher numbers than other
countries fear that they have problems; assessments
will either help quantify those fears, or help back up the
assumption that website security is strong in France.
FRANCE: HIGHLY SECURE, BUT LEAST EXAMINED
On first inspection, French organisations appear confident in their website
security. However, on further examination they admit they don’t really
know about specific vulnerabilities as more than the average don’t conduct
vulnerability assessments.
A high number of French organisations consider their websites
to be very secure

p. 11
38%
we use 3rd party
assessments
69%
WE USE INTERNAl
assessments
3%
WE use
automated scans
14%
OTHER
Germany has the highest proportion of respondents
who consider their websites very secure and more than
the average who admit they don’t know. 44% of the 50
organisations surveyed think their websites are very
secure, rising to 56% when combined with those rating
them totally secure. However, a relatively high 28% admit
not to know how secure their websites are, compared to
the average of 23%.
German companies have fairly high likelihood scores
across several vulnerability categories but also higher
numbers who replied “don’t know”. In three of the six
categories (cross-site scripting, information leakage
and authorisation vulnerabilities) they have the highest
number of organisations who rank themselves likely or
most likely to suffer from the vulnerability.
However, in another category, cross-site request forgery,
a massive 60% admit they don’t know whether their
websites might suffer from the problem.
Generally, though, Germany shows a high level of
awareness of the risks and this is no surprise as it has
the largest number of organisations who have conducted
vulnerability assessments in the last month (20%) and
the last six months (26%), and also the lowest number
of companies who have never conducted an assessment
compared to other markets (42%). That still leaves a total
of 58% of German respondents who have conducted
assessments within the past year, compared to an average
across all four countries of 47%.
Assessments are mostly carried out internally, with a
massive 69% internal versus the average of 44%. German
organisations also own up to a higher number of breaches
(16% - 8 respondents) than any other country.
This is generally a better informed and more prepared
country than others in Northern Europe. The remaining
organisations who have not conducted assessments now
need to catch up with their peers.
GERMANY: FOREWARNED IS FOREARMED
Germany stands out as the country with the most activity on vulnerability
assessments, as well as the best-informed picture of how secure their
websites really are.
German companies have conducted the most assessments in the last
month and six months, and have the least number who have never
conducted an assessment

p. 12
In contrast to Germany, where
organisations appear well-informed,
Swedish organisations own up to a
poor understanding of the risks their
websites are running.
Swedish organisations score themselves lower than in
any other country for websites that are very or totally
secure (38%). They fall 10 percentage points below
the overall average for websites that are in this upper
quartile. However, 32% say they don’t know how secure
their websites are, compared to an average across all four
countries of 23%.
This lack of information carries across into the question
on specific vulnerabilities where Swedish organisations
have some of the highest “don’t know” scores across
all the vulnerabilities. In three of the six categories
(information leakage, content spoofing and authorisation
vulnerabilities) they have the highest number of
organisations that admit they don’t know whether they
suffer from vulnerabilities.
At the same time, their likelihood scores for all
vulnerabilities are fairly low, with information leakage
ranked highest with a 16% very/most likely rating.
The lack of information can hardly come as a surprise –
only 22% had conducted a vulnerability assessment in the
last month or six months – the lowest number in any of
the four countries. A higher than average 56% had never
conducted an assessment. Of those who did conduct
assessments nearly a third (32% versus an average 23%)
never repeated the exercise.
Without information Swedish companies cannot quantify
their exposure, or act on the specific risks they face. Some
simple steps such as automated scanning can set them on
the right path to filling in the gaps.
SWEDEN: NOT SO BLISSFULLY UNAWARE
12% 10%
22%
In the
last month
In the
last 6 months
In the
last year
never
56%
Only 22% of Swedish companies had conducted a vulnerability
assessment in the past month or six months

p. 13
In contrast to Germany, where
organisations appear well-informed,
Swedish organisations own up to a
poor understanding of the risks their
websites are running.
Our survey of 200 organisations across northern Europe
has identified a serious lack of information about
website security and the vulnerabilities that websites
could be suffering from. But what’s the impact of this
gap in knowledge around vulnerabilities? And how can
organisations go about filling the gap?
While there were a low number of respondents to our
survey admitting to security breaches, and incomplete
data on the type of breaches, several of those who did
suffer breaches admit they have had a major impact. 9%
of organisations overall (19 organisations) say they have
suffered a breach in the last six months.
Larger organisations were much more likely to admit to
having suffered a breach in the last six months. More
than a fifth (21%) of the 58 companies with more than
1,000 employees admitted that they had been breached.
The lack of data on breaches is not a surprise as most
website security breaches go unreported or unnoticed.
With legitimate websites infected with malware - a
growing problem on the web - cybercriminals could
be infecting sites, syphoning off user details, or
even conducting fraudulent transactions without
organisations ever knowing.
Symantec’s Website Security Threat Report identified
that 61% of malicious sites are actually genuine
websites that have been compromised and infected with
malicious code. The most serious breaches identified
by our respondents were authorisation vulnerabilities,
followed by e-mail intrusion, then content spoofing. But
six organisations did not want to share the nature of
their most serious breach.
So how can you determine whether your website
has been compromised, or is suffering from critical
vulnerabilities that could lead to it being compromised?
If you don’t have the budget or the inclination to go
through a full internal or third-party assessment of
your website’s vulnerabilities, an automated remote
scan is a perfect starting point in the vulnerability
discovery process. In Symantec’s case, it comes free with
the purchase of most SSL certificates9. The scan can
determine the existence of critical vulnerabilities that
allow cybercriminals to access sites to insert malware
and access confidential customer data.
The scan will also provide an actionable threat report
pointing to simple remedial measures such as upgrading
software or security, or improving user education or
guidelines.
BRIDGING THE VULNERABILITY GAP

p. 14
1. All information contained in this report comes from IDG Connect research, conducted in October 2012 on behalf of Symantec,
of 200 IT Professionals across four European territories – UK, France, Germany and Sweden.
2. See Symantec’s Internet Security Threat Report
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf
3/4/5. Download the Website Threat Report PT1: https://www.symantec-wss.com/campaigns/14385/uk2/social/assets/symantec-WSTR1-UK.pdf
Download the Website Threat Report PT2: https://www.symantec-wss.com/campaigns/14385/uk2/social/assets/symantec-WSTR2-UK.pdf
6. All information contained in this report comes from IDG Connect research conducted in October 2012, on behalf of Symantec,
to 200 IT Professionals across four European territories – UK, France, Germany and Sweden
7. Between October 2011 and the end of the year, Symantec identified that 35.8% of websites had at least one vulnerability and 25.3%
had a least one critical vulnerability. Symantec Internet Security Threat Report, as above
8. Symantec Internet Security Threat Report, as above
9. Symantec offers free vulnerability assessments to Extended Validation Secure Sockets Layer (EV SSL), Secure Site Pro and
Secure Site Pro certificate customers. All Symantec SSL certificates and Secured Seal products offer a free daily Malware scan.
REFERENCES

SolutionsWebsite Security Threat Report 2013ABOUT SYMANTEC
Symantec Website Security Solutions include industry leading SSL, certificate management, vulnerability assessment and malware scanning. The Norton™ Secured Seal and Symantec Seal-in-Search assure your customers that they are safe from search, to browse, to buy.
More information is available at www.symantec.co.uk
For more information on vulnerability assessments visit:
www.symantec.com/en/uk/page.jsp?id=ssl-resources

FOLLOW US
For specific country offices and contact numbers,
please visit our website.
For product information in the UK,
Call: 0800 032 2101 or +44 (0) 208 6000 740
Symantec UK
Symantec (UK) Limited. 350 Brook Drive, Green Park,
Reading, Berkshire, RG2 6UH, UK.
www.symantec.co.uk/ssl
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Circle Logo and the Norton Secured Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.

STUDY: Website Vulnerability Assessment

Related slideshows

More Related Content

STUDY: Website Vulnerability Assessment