According to a new study of the top 1 million domains, 46% are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months. Here is a quick breakdown:
Which sites are the most vulnerable?
News and media sites were most likely to be risky, at 50%, followed by entertainment sites at 49%, and travel sites at 42%. Business sites (41%) and shopping sites (40%) followed very closely behind.
What are the top risk factors?
Of the 1 million sites, 355,804 were either running vulnerable software or accessing background domains running vulnerable software; 166,853 fell into known-bad categories, while 31,938 experienced a recent security incident.
The largest source of risk was vulnerable software. About 36% of all websites were either running vulnerable software, or getting content from other locations running vulnerable software.
The next biggest risk factor was if a website was known to be malicious, or pulled content from a malicious domain. About 17% of the top million Alexa websites fell into this category.
Finally, 3% of sites had experienced a recent security incident.
What can website owners do?
- Patch vulnerable software and run the latest versions, which mitigate known CVEs.
- Subresource Integrity (SRI), so that only known, trusted resource files (typically JavaScript and CSS) are loaded from third-party servers (typically CDNs).
- A Mixed Content policy, which defines how the browser treats pages loaded over HTTPS that link content over plaintext HTTP.
- Upgrade Insecure Requests, which hints to browsers how to handle legacy links on pages migrated to HTTPS.
- Credential Management, a unified JavaScript API for accessing a user's credentials to support complex login schemes.