The 2024 BreachLock Pentesting Intelligence Report is out – and there are many new insights that may surprise you. The report analyzed threat intelligence from over 4,000 penetration tests and vulnerability assessments conducted over the past 12 months. Findings were presented across affected assets, associated vulnerability types, prevalence, severity, and the most impacted industries around the globe.
“Today more than ever, CISOs are facing increasing cyber security challenges. They are facing new and more stringent regulatory guidelines, SEC reporting rules, and an expanding landscape that seeks to hold enterprises more accountable. It leaves CISOs and practitioners unsure of what lies ahead,” states Seemant Sehgal, Founder & CEO of BreachLock. “Security teams are under more scrutiny to reassess risk and quantify the potential financial impact. They need to provide business-oriented programs that drive ROI and reduce risk, and BreachLock aims to provide the offensive security solutions to help enterprises do just this.”
This year’s report includes MITRE ATT&CK adversary tactics and techniques, as well as OWASP Top 10 to see how the report’s findings stack up against real-world observations. Here are some of the report’s top findings:
Industry Findings
The report comprises a healthy representation across enterprise size with small enterprises, or those with less than 50 employees, representing 40% of the report analysis, followed by 35% mid-enterprise (51 to 100 employees) and 25% of large enterprises, or those with 1001 to over 10,000 employees. These enterprises were located across North America, the UK, Europe, and Pan-Asian countries.
It has been a tough year so far in 2024 for the Computer Software & Technology industry, which has been besieged by an escalation in cyber incidents targeting technology infrastructure. Of the Top 5 industries with the highest number of findings, 48% of these were found in the technology sector.
As researchers began to dig deeper into the data, some surprising industry insights were uncovered. The Banking and Financial Services Institutions (FSI) sector saw a 71.43% increase in Critical and High severities in 2024 in comparison to 2023. This included such vulnerabilities as security misconfiguration, cryptographic failures, and broken access controls, all aligning with OWASP TOP 10.
Healthcare also saw a significant rise in Critical and High severities, revealing an 85.71% increase versus 2023, according to reporting findings. In May 2024, there were 51 data breaches in the U.S. related to healthcare, most notably the United Health-owned Change Healthcare attack resulting in a $220 million paid ransom to a Russian cybercrime group.
Professional Services was a newcomer to the 2024 report. This sector includes such organizations as consumer services, human resources, law practices, legal services, and staffing and recruitment. Due to the sensitive data handled by these types of organizations, in addition to the complexity of attacks and growing regulatory demands, it is not surprising to see this sector in the Top 5 most impacted industries.
Findings Across Assets
Of the 4,000 pentests analyzed for the report, assets included are web applications (49%), external network (17%), internal network (15%), APIs (9%), Cloud (7%), and Mobile apps for both Android and iOS (3%).
The Top 5 most identified vulnerabilities by OWASP aligned with BreachLock’s top 5 findings as follows:
- A05:2021 – Security Misconfigurations
- A02:2021 – Cryptographic Failures
- A01:2021 – Broken Access Control
- A04:2021 – Insecure Design Injection
- A06:2021 – Vulnerable and Outdated Components
These Top 5 categories, aggregated together, represent 88% of the findings and security weaknesses in the report’s full data set.
In addition, MITRE ATT&CK is another framework BreachLock uses and is also represented in the 2024 report findings. Aligning with MITRE ATT&CK techniques ensures that identified vulnerabilities correspond to real-world attack techniques, validating the relevance and severity of our threat findings. By identifying vulnerabilities associated with the most common and impactful attack techniques, organizations can prioritize their remediation efforts to address the most critical and probable threats first.
In addition, we saw Critical to High severity findings increase across almost every asset but here are a few of the most significant discoveries:
- Web Applications: Critical severities are up 150% and High findings increased 60% in 2024 vs. 2023.
- Network Infrastructure: Collectively, overall risk severities for both internal and external networks represented 32% of the complete data set with both Critical and High severities increasing 100% and 200%, respectively in 2024 from the previous year.
- APIs: Representing almost 10% of the overall risk of all assets tested, the risk distribution shows a 400% increase in Critical severities and a staggering 700% increase in High vs. 2023.
Lastly, the BreachLock Pentesting Intelligence Report outlined some of the new and recent changes to cybersecurity regulations in 2024. Arguably the most impactful change has been the Securities and Exchange Commission (SEC) Disclosure Rules Act. Enacted in July 2023, it was in 2024 that we really began to see the effect that these rules had on major domestic and global companies that experienced significant breaches that were immediately disclosed to the SEC and made public.