In light of COVID-19 precaution measures, we remind that all ImmuniWeb products can be easily configured and safely paid online without any human contact or paperwork.

Total Tests:
Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

State of Cybersecurity Industry Exposure at Dark Web

Tuesday, September 8, 2020 By Read Time: 9 min.

97% of the leading cybersecurity companies have had their data exposed on the Dark Web in 2020, with over 160,000 high or critical incidents that may jeopardize their clients.


State of Cybersecurity Industry Exposure at Dark Web

Table of Content

Introduction

Last year, we conducted and published several exploratory researches welcomed by international media and the global cybersecurity community:

In light of the rapidly growing sophistication and quantity of cyber-attacks targeting trusted third-parties in the last 12 months, and following a number of requests and suggestions from our valued clients and partners, we decided to run exploratory research on the global cybersecurity industry to illuminate and measure its exposure on the Dark Web in 2020.

A survey by the Ponemon Institute says that 59% of companies had a data breach due to compromised third parties including cybersecurity vendors. Recent research, published in July 2020 by Digital Shadows, estimates that there are over 15 billion stolen records from over 100,000 data breaches currently available for sale.

A few weeks ago, a report from Malwarebytes suggested that Working From Home (WFH) causes a surge in security breaches. To better understand the multifaceted challenge, Forrester provides an insightful report on how insiders use the Dark Web to sell corporate data.

This research purports to help better understand the emerging risks and modern threat landscape both in qualitative and qualitative aspects, and to help cybersecurity companies better prioritize and address emerging cyber risks.

Key Findings

Below are the key findings about the leading global cybersecurity companies:

  • 97% of companies have data leaks and other security incidents exposed on the Dark Web
  • 631,512 security incidents were found whereas 160,529 are of a high or critical risk levels
  • 29% of stolen passwords are weak, employees from 161 company reuse their passwords
  • 5,121 records with professional emails come from hacked porn or adult dating websites
  • 63% of the cybersecurity companies’ websites do not comply with PCI DSS requirements
  • 48% of the cybersecurity companies’ websites do not comply with GDPR requirements
  • 91 companies had exploitable website security vulnerabilities, 26% are still unfixed

Covered Cybersecurity Companies

We tried to make our sampling of global cybersecurity companies as representative, reasonably diversified and inclusive as possible to ensure generalizability of the findings.

For the purpose of this research, we compiled our list of the leading cybersecurity companies around the globe from the following independent sources:

  • Crunchbase - Attendees of RSA Conference 2020 – 546 companies
  • SecurityTrails - Top 100+ Best Security Companies in 2020 – 419 companies
  • Cybersecurity Ventures - the Hot 150 Cybersecurity Companies – 150 companies
  • The Manifest - Top 100 Cybersecurity Companies – 126 companies
  • OWASP - Corporate Sponsors and Supporters – 78 companies

In total, we collected 1,319 cybersecurity companies and organizations. After the removal of duplicates from the list, we ended up with 1,040 entities.

Then we removed all entities that cannot be classified as a cybersecurity company (e.g. organizations like NIST or global companies like Panasonic whose involvement in cybersecurity business is insignificant).

We also removed all companies with an Alexa Rank above 500,000 to ensure that only sufficiently large companies remain in the research.

Finally, we ended up 398 cybersecurity companies headquartered in 26 countries. Unsurprisingly, most of them are domiciled in the US and Europe:

HQ CountryNumber of Companies
USA294
United Kingdom20
Israel16
Canada14
Japan11
Germany7
Ireland5
India4
Russia3
Switzerland3
Finland2
Singapore2
China2
Romania2
Taiwan2
Belgium2
France2
Czech Republic1
Slovakia1
The Netherlands1
Spain1
Malta1
Italy1
Portugal1

We used company size classification provided by LinkedIn. The following company sizes figure among the 398 cybersecurity companies:

Number of Employees% of Companies
10,001+11%
5,001-10,0005%
1,001-5,0009%
501-1,00013%
251-50017%
101-25021%
51-10013%
11-5011%

We also used annual income classification provided by CrunchBase. The following are estimated annual revenues figures among the 398 cybersecurity companies:

Estimated Annual Revenue% of Companies
$10B+1.7%
$1B to $10B7.3%
$500M to $1B2.8%
$100M to $500M11.2%
$50M to $100M12.4%
$10M to $50M23.6%
$1M to $10M27%
Less than $1M14%

Data Sources and Methodology

For the purpose of this research, we unified the concepts of Dark Web, Deep Web and Surface Web and jointly refer them as Dark Web.

To search for and identify security incidents available on the Dark Web, we leveraged our free online test to discover and classify Dark Web exposure of the 398 cybersecurity companies described above.

The test is based on our proprietary OSINT technology enhanced with Machine Learning (see below). Here is a non-exhaustive list of various resources where we gather data about the incidents:

  • Hacking Forums
  • Underground Marketplaces
  • IRC and Telegram Channels
  • Public Code Repositories
  • WhatsApp Groups
  • Social Networks
  • Paste Websites

The earliest security incident dates back to 2012, while the most recent one is of August 31, 2020.

Anomalies, such as surprisingly large or small number of incidents per company, were manually validated to ensure data consistency and accuracy.

It is important to mention the growing “noise” on the Dark Web, ranging from outdated or duplicative data leaks to overt fakes sold by scammers. To tackle this challenge, we leverage and continuously improve our proprietary Machine Learning (ML) models to distil the findings. For instance, we have a specially trained ML model capable of differentiating between humanly created and automatically generated passwords. We also have many other ML models that detect various “red flags” suggesting that the data, its advertised quality or date of breach, or the seller do lack basic trustworthiness and ascertainably. In this research, findings that did not trigger any red flags are referred to as verified, while others are labelled as unverified.

Below is the estimated risk scoring for the verified incidents used by our free test and in this research:

  • Critical Risk: login credentials with plaintext passwords, or data leaks with highly sensitive data (e.g. PII, financial records, etc.) that are recent and/or unique
  • High Risk: login credentials with plaintext passwords, or data leaks with highly sensitive data (e.g. PII, financial records, etc.)
  • Medium Risk: login credentials encrypted passwords, or various data leaks with moderately sensitive data (e.g. source code, internal documents, etc.)
  • Low Risk: mentions of organization, its IT assets or employees in data leaks, samples or dumps without accompanying sensitive or confidential information.

All incidents described and classified below are the verified ones.

How to Reproduce the Findings

The findings can be reproduced just by entering a company’s main website URL into the free test and seeing the results.

The free test provides an exact number of security incidents with estimated risk scores but does not reveal technical details of the incidents for ethical and legal reasons.

Organizations looking to receive full details of the incident may consider using ImmuniWeb® Discovery to get the exposed data without these restrictions.

Incidents Overview

The total number of discovered incidents in the Dark Web for the 398 cybersecurity companies is 1,658,907 whereas 38% (631,512) are verified incidents (see above):

Incidents by Estimated Trustworthiness of Information
Diagram 1: Incidents by Estimated Trustworthiness of Information

Incidents by Estimated Risk Level

The graph below illustrates the allocation of incidents by the estimated risk level (see above). Among the verified incidents, almost 17% (109,019) have estimated critical risk, 8% have estimated high risk (51,510), 49% are of estimated medium risk (311,521) and 25% have estimated low risk (159,462):

Incidents by Estimated Risk Level
Diagram 2: Incidents by Estimated Risk Level

Incidents by Exposed Data Types

631,512 records contain highly sensitive information such as plaintext credentials or PII including financial or similar data. Hence, on average, there are 1,586 stolen credentials and other sensitive data exposed per cybersecurity company. Generalized classification of leaked data from the incidents is illustrated in the graph below:

Incidents by Exposed Data Types
Diagram 3: Incidents by Exposed Data Types

Incidents by Leaked Passwords Strength

We automatically analyzed the strength of leaked passwords for the Credential Theft incident types described above. 29% of the passwords were weak (i.e. less than 8 characters, no uppercase, no numbers and no special characters):

Password Strength
Diagram 4: Password Strength

162 out of 398 companies have incidents where their employees reuse identical passwords on different breached systems. This boosts the risk of password re-use attacks by cybercriminals.

Below is a table with the most popular passwords that clearly evidences poor password hygiene and practice even among employees of the leading cybersecurity companies:

PasswordNumber of Uses
password1,186
1234561,137
aaron4311,109
12345678344
123456789271
Password258
EvoPassword254
12345250
old123ma237
1234207
career121190
none182
welcome163
password1158
zaq12wsx151
qwerty148
micros1144
1qaz2wsx132
passw0rd120
111111120
blackberry112
Password1107
123456789092
abc12390

Incidents by Country and Company Size

The table below show distribution of the incidents by country of the 398 cybersecurity companies:

HQ CountryTotal IncidentsVerified IncidentsHigh & Critical Risk
USA991,387362,05490,959
United Kingdom285,656117,55929,226
Canada147,86661,44720,902
Ireland99,70142,17510,965
Japan70,71729,1787,007
Germany14,4074,935371
Israel9,3953,388151
Czech Republic9,0972,932112
Russia5,4601,74698
Slovakia5,1871,006257
The Netherlands5,143920111
Finland4,8901,348246
Singapore3,6284018
Spain1,74969218
China1,51454258
Romania1,02837119
Malta499863
India3311079
Taiwan1691442
Switzerland149660
Italy78680
Belgium2332
France16135
Portugal1340

The next table demonstrates distribution of incidents by company size:

Number of Employees% of Affected CompaniesHigh & Critical Risk Incidents
10,001+92%54,384
5,001-10,000100%3,545
1,001-5,000100%756
501-1,00097%533
251-50095%4,498
101-25098%949
51-10097%239
11-50100%102

Incidents Involving Third-Party Resources

A considerable number of the incidents stem from silently breached trusted third parties, such as suppliers or other subcontractors of the cybersecurity companies, mostly represented by stolen website databases and backups.

A large number of stolen credentials with plaintext passwords likewise come from incidents involving unrelated third parties including dating or even adult-oriented websites where victims were using their professional email addresses to sign in. We found at least 5,121 stolen credentials in pornographic and adult dating websites.

Below is the table with the most popular types of the breached third parties that presumably have no direct relation to the cybersecurity company whose employees were using its services:

Breached Third PartiesNumber of Credentials
Personal services24,526
Shopping16,676
Games11,119
Business8,030
Services5,776
Dating5,121
Messengers and Social Media4,966
Media4,076

PCI DSS & GDPR Compliance

Furthermore, to paint an even a broader picture, go beyond the Dark Web exposure perimeter and indirectly cross-validate the findings, we used our free online website security test to check compliance of the main websites belonging to the 398 cybersecurity companies.

The test uses a non-intrusive and production-safe methodology to check PCI DSS and GDPR requirements specific to a website and web server security:

Main Websites Compliance
Diagram 5: Main Websites Compliance

As illustrated in the graph above, the main websites of more than half of all companies (63%) fail to meet these PCI DSS requirements, which means that they use vulnerable or outdated software (including JS libraries and frameworks), or have no Web Application Firewall (WAF) in blocking mode.

191 websites (48%) do not comply with these GDPR requirements because of vulnerable software, absent of a conspicuously visible privacy policy, or a missing cookie disclaimer when cookies contain PII or traceable identifiers.

Finally, we referred to data openly available at the Open Bug Bounty project to shed more light on web application (in)security of the 398 cybersecurity companies. 279 XSS vulnerabilities were reported there for 91 companies, wherein 26% of the reported vulnerabilities were still unpatched as of this research publication date.

Conclusion

Ilia N. Kolochenko, ImmuniWeb Chief Architect & Founder, says: “The modern threat landscape has become a highly sophisticated, multidimensional and convoluted challenge for all industries. Human risk, IT outsourcing and reliance on third parties for data processing - gradually exacerbate the situation and complicate continuous security monitoring.

Worse, mushrooming national and transnational compliance requirements start overconsuming a substantial part of shrinking cybersecurity budgets. Even the cybersecurity industry itself is not immune to those problems as demonstrated in this alarming research. Covid-19 bolstered international cybercrime, and compelled millions of unprepared organizations around the globe to urgently digitalize their business processes without requisite security and data protection. In this context, cybersecurity companies are, however, doing fairly well compared to many other industries in 2020, also because of generous venture funding and access to internal talents to tackle security and compliance.

Today, cybercriminals endeavor to maximize their profits and minimize their risks of being apprehended by targeting trusted third parties instead of going after the ultimate victims. For instance, large financial institutions commonly have formidable technical, forensic and legal resources to timely detect, investigate and vigorously prosecute most of the intrusions, often successfully. Contrariwise, their third parties, ranging from law firms to IT companies, usually lack internal expertise and budget required to react quickly to the growing spectrum of targeted attacks and APTs. Eventually, they become low-hanging fruit for pragmatic attackers who also enjoy virtual impunity. In 2020, one need not spend on costly 0days but rather find several unprotected third parties with privileged access to the ‘Crown Jewels’ and swiftly crack the weakest link.

Holistic visibility and inventory of your data, IT and digital assets is essential for any cybersecurity and compliance program today. Modern technologies, such as Machine Learning and AI, can significantly simplify and accelerate a considerable number of laborious tasks spanning from anomaly detection to false positive reduction. This picture is, however, to be complemented with a continuous monitoring of Deep and Dark Web, and countless resources in the Surface Web, including public code repositories and paste websites. You cannot protect your organization in isolation from the surrounding landscape that will likely become even more intricate in the near future.

What’s next:


Latest news and insights on AI and Machine Learning for application security testing, web, mobile and IoT security vulnerabilities, and application penetration testing.

User Comments
Add Comment

View Products Ask a Question