Simple Security: How Organizations Fumble the Basics
Use of Deprecated SSL Remains Widespread, Kolochenko Warns
Penetration testing expert Ilia Kolochenko warns that many organizations are failing to help themselves when it comes to practicing smart web security.
Kolochenko, who's CEO of High-Tech Bridge, says his research team has been charting everything from web application exploits and HTTPS traffic encryption choices to the pervasiveness of such vulnerabilities as POODLE and Heartbleed.
"One of the biggest problems that we are facing today is that companies tend to underestimate the scope of their digital assets," he says. "This means that quite often they tend to forget about systems, about servers, about different devices they need to secure."
Indeed, based on data gathered by the company's SSL/TLS security, web server security and domain security tools, researchers noticed that many organizations are failing to avail themselves of the latest security tools and protocols. For example, 23 percent of all websites still use SSL version 3, which has been deprecated, since SSLv3 fallbacks were to blame for the likes of POODLE and BEAST. Meanwhile, 80 percent of all web servers have "incorrect, missing or insecure HTTP headers," Kolochenko says, which leaves web application users at risk of being exploited.
In this interview with Information Security Media Group conducted at the InfoSecurity Europe Conference in London, Kolochenko also details:
- Why small- and medium-size enterprises are an increasing target for hackers;
- The challenge posed by APIs, and why they tend to be overlooked as a security risk;
- The risks facing organizations that fail to address common security problems, such as using outdated versions of the SSL protocol.
Kolochenko is CEO of Geneva-based High-Tech Bridge, which provides vendor-independent cybersecurity consulting and penetration testing. He got his start in the information security field as an "ethical hacker" - a role now better known as penetration tester - and is a frequent commentator on web security, risk management and cybercrime trends for multiple news outlets.