“Until you have experienced something like this, you don’t realize just what can happen, just how serious it can be.” — Soren Skou, Maersk’s CEO
As we have seen over time, cyberattacks are on the rise, and postponing remediation can have destructive consequences. Compromised sensitive information, payouts that often run to millions of dollars, and lost sales and customers are just a few examples of the business impact of cyberattacks in the age we're living in.
Between 2019 and 2020 alone, ransomware attacks increased by 62% according to SonicWall’s recent report. With one cyberattack every 1.12 seconds (according to The Internet Crime Complaint Center’s 2020 report), companies are raising questions about why cyberattacks are occurring more frequently and how to better guard against them.
Where vulnerabilities are left undiscovered and unremediated, the door is left open for cyberattackers to compromise sensitive information and exploit weaknesses. The March 2017 Equifax breach is just one example of a destructive security breach, which led to:
- Personal information from 148 million people exposed
- A record-shattering $700 million FTC settlement
- $1.4 billion spent remediating the cybersecurity incident
The breach occurred because of a known Apache vulnerability for which a patch was available but had not been applied, leaving attackers free to infiltrate and cause damage before the gap was closed.
“This was not a crazy technical problem that lacked a solution. The technical solution was available; this was a lack of people and process innovation.” — Caroline Wong, Cobalt’s Chief Strategy Officer
Before looking ahead at how to fix and prevent the most common vulnerabilities, let's take a look at a few high-profile cyberattacks of 2020/2021:
Recent High-Profile Cyberattacks
Oracle BlueKai - June 2020
Oracle's BlueKai is a data management platform that tracks web activity and uses that data to fuel a personalized marketing experience. Because a server was left unsecured, billions of records were exposed last June, resulting in an outpouring of easily accessible customer data.
Twitter - July 2020
Hackers obtained over $118,000 worth of bitcoin in the infamous social engineering attack on Twitter. The cybersecurity incident exposed the vulnerability of the major global social media platform, and according to the Twitter Investigation Report, "it was surprising how easily the Hackers were able to penetrate Twitter's network and gain access to internal tools allowing them to take over any Twitter user's account."
Düsseldorf University Hospital - September 2020
A ransomware attack jeopardizing patient healthcare information at Düsseldorf University Hospital last September turned into a life-threatening situation. A woman in need of emergency treatment was rerouted because of the cyberattack, resulting in the first known death at a hospital directly tied to a cyberattack. "The incident is clearly an important reminder, though, of the real-world impacts of ransomware attacks on health care facilities and any critical infrastructure," according to The Worst Hacks of 2020, a Surreal Pandemic Year.
SolarWinds - December 2020
When hackers broke in and added malicious code to the company's software platform, Orion, they gained a way in to discover detailed sensitive information and left clients vulnerable for months. The major IT firm SolarWinds fell victim to this cyberattack, which spread from the company to its client base of over 33,000 customers who were using Orion at the time.
Facebook - April 2021
Over 533 million Facebook users had personal information exposed, including birthdates, full names, email addresses, phone numbers, and more, as a result of a vulnerability from the year prior. "The vulnerability uncovered in 2019 allowed millions of phone numbers to be scraped from Facebook's servers in violation of its terms of service," according to an Insider article.
Colonial Pipeline - May 2021
The Colonial Pipeline is the largest pipeline system for refined oil products in the U.S., carrying large quantities of gasoline, jet fuel, and diesel along the East Coast. In more recent news, the pipeline went down because of a cyberattack that caused major shortages and price spikes across the United States, along with a ransom demand.
What the major cyberattack events over time have in common is that the companies were unaware of the vulnerabilities that attackers went on to exploit. With that in mind, findings from The 2021 State of Pentesting report concluded that the top 5 most common vulnerability categories have remained the same every year since 2018. The State of Pentesting report analyzes data from Cobalt's Pentest as a Service (PtaaS) platform and looks closer at the types of tests performed and the types of security issues Cobalt Core pentesters found in 2020.
The State of Pentesting not only highlights the top vulnerabilities, but also shares insights into how prevention and remediation workflows can improve to strengthen security. See how pentesting can evolve as a layer of defense to better guard against cyberattacks. Download the full State of Pentesting 2021 report for a deeper look into the most common types of vulnerabilities, based on 1,600+ pentests conducted through Cobalt's Pentest as a Service (PtaaS) platform.