Migration to cloud computing across all public and private sectors has caused midsize companies to have higher security risk factors than large enterprises.

That’s according to Coalfire‘s second-annual Penetration Risk Report. Coalfire provides cybersecurity advisory and assessment services, and the research is based on hundreds of engagements performed by the company’s adversarial simulation and penetration testing team, Coalfire Labs.

Last year, the data showed midsize businesses hit the “cybersecurity sweet spot” despite the higher security budgets and resources of larger enterprises, said Mike Weber, Coalfire Labs’ vice president. This year, large enterprises are filling the gaps faster, and midsize businesses find themselves scrambling to keep up, he said.

Coalfire Labs separated cloud service providers from enterprises in the new report to reveal the risks in each environment. The top vulnerabilities in the enterprise space were outdated software and insecure protocols. For cloud providers, security misconfiguration was the highest risk factor.

The top five application vulnerabilities for 2019 included cross-site scripting, injection, security misconfiguration, password flaws and sensitive data exposure. A few of the top vulnerabilities from 2018 fell off the chart this year, including broken authentication/session management, using known vulnerable components, and missing function-level access control.

Coalfire’s Mike Weber

“The good news is that app security has improved from last year due to the allocation of more resources and skilled professionals to get the job done as the threat of cloud-specific vulnerabilities increases,” Weber said. “Despite this, internal network security remains soft as organizations continue to prioritize external risk protections. Midsize businesses are especially vulnerable in this regard.”

Organizations struggle to get configurations right as they leverage multiple cloud infrastructure providers and hybrid environments, according to Coalfire.

Phishing continues to be a serious issue. In 71% of Coalfire Labs’ testing engagements, organizations experienced at least one full compromise of credentials. In 20% of the tests, organizations saw about half of their targeted employees give up their credentials.

“We stand by our recommendation from last year, as the findings show that unhardened Windows enterprises present a significant risk to organizations,” Weber said. “Disabling link-local multicast name resolution (LLMNR) and NetBios name service (NBT-NS), and enabling server message block (SMB) signing across the enterprise are the most effective ways of combating this threat. In a modern environment, these changes should have little to no impact on operations, but vastly improve internal security. However, as with any advice regarding sweeping changes in your environment, be sure to test this with any legacy systems first.”

Vertical markets’ overall security posture shifted dramatically in 2019, according to Coalfire. Compared to the wide variables between verticals last year, more vertical markets have become similar in vulnerability rates, and almost all show fewer high-risk findings.

“We believe that this is due to the shift toward cloud solutions in every vertical, which reduces the need to secure and maintain on-premise IT assets,” Weber said.

The technology/cloud, retail and health care verticals maintained security postures similar to 2018.

“Our data showed that the financial sector declined in overall security posture versus last year,” Weber said. “While every industry has its challenges, the financial industry does not have compliance regulations that specifically require penetration testing against prescribed scopes. Accordingly, the work we do for financial companies is more aligned with their business objectives and overall security strategy, rather than meeting a compliance objective. With that business alignment, the approaches, methodologies, adversaries emulated, and threat vectors selected tend to be more advanced than other penetration testing engagements. It’s our opinion that the financial sector decline is actually a reflection of the higher degree of diligence these firms are undertaking in their efforts to secure their enterprises.”