Two decades ago, we kept everything relatively simple by containing our organization’s technological footprint in the closed fortress that was the corporate network. The IT staff determined which tools to deploy, and the security team determined how best to protect them and the network.
It seems like a distant memory now, thanks to modern innovation: Work-from-home (WFH) arrangements continue to transform traditional office culture, with spikes in cloud adoption, shadow computing and Bring Your Own… Everything. The resulting widespread connectivity has boosted productivity. But it also ushered in a new era of exposure due to a vastly increased attack surface.
Consequently, chief information security officers (CISOs) and their teams can no longer afford to treat their role as a reactive afterthought. Instead, they must proactively identify every Internet-connected asset early on and protect it. With better visibility and a “safety first” commitment, businesses can operate with greater confidence.
To illustrate this, we recently published research in which we assessed the presence of a variety of risks and vulnerabilities in random samples of 2.2 million hosts in our Universal Internet Dataset (UIDS). Here is what we found:
- WFH brings new challenges. By logging in remotely, employee-users expand the attack surface, usually without intending to. Post-pandemic remote work has resulted in a 59% increase in the use of tools and devices not approved by IT (commonly referred to as shadow IT), leading to unmanaged devices and services because IT and security teams are left out of the conversation. Additionally, we found that organizations now use an average of 44 different domain registrars and 17 hosting providers, another likely result of shadow computing that further contributes to visibility problems.
- Misconfigurations and exposures create the most risk. Misconfigurations, such as unencrypted services, insufficient or missing security checks, and self-signed certificates, account for approximately 60% of Internet risk. Service, device and information exposures account for 28%.
- Exposures aren’t just a cloud problem. Organizations devote many resources and personnel to protecting assets in the cloud. But most Internet hosts and services run on on-premises infrastructure or in conventional data centers rather than with the major cloud providers. In fact, only 9% of hosts with services run them in one of the top four cloud platforms from Amazon, Microsoft, Google, and Oracle.
So how should CISOs or other security professionals react to this? We recommend these best practices as building blocks for a comprehensive, proactive strategy:
- Inventory the whole landscape, then start again. The company’s digital ecosystem is constantly changing: the company may have just completed a merger or acquisition and inherited hundreds of additional users, or a recently launched business strategy might require widespread investment in new technology tools across an entire department. This is why security teams should run full reconnaissance of their own assets to find any the team is unaware of. Spoiler alert: there probably are some. It starts with awareness, after all. Once the team has taken an inventory of everything “out there” (not just what’s in the cloud), it can commit to regular patching and other security measures. And because the company’s footprint keeps changing, the team needs to go back into “reconnaissance mode” on a regular basis.
- Eliminate misconfigurations and exposures. Of course, zero-day exploits and major vulnerabilities dominate Twitter buzz and headlines. But, as our findings indicate, organizations are more susceptible to attack due to misconfigurations and exposures – this is what threat actors often look for first when targeting a potential victim organization. So apply good cyber hygiene to these areas, including zero-trust and multi-factor authentication and regular auditing of internet-connected assets.
- Get ahead of domain scammers. It’s troubling that organizations are tied to dozens of domain registrars, especially when IT security teams remain unaware of their existence. Employee-users, for example, can register their own domains without notifying those teams. Threat actors are well aware of this and take advantage of it to create fake domains that look a lot like the real ones. They can, for example, substitute a “5” for an “S” in the legitimate domain to launch brand-impersonation phishing attacks.
A proactive approach works best here. Domain-fuzzing tools can help the team uncover look-alike names that attackers could use to target a brand’s employees and customers. Security teams also want to keep track of domains that are about to expire, and they can preempt attackers by registering the most plausible look-alike domain names themselves so hackers can’t use them.
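The fuzzing step above, as an added example that is not from the Censys post or its tooling: it generates single-edit look-alikes of a brand domain (the “5” for “S” substitution among them) so a security team can register or monitor them, and it triages an observed list of domains against that set. The confusable-character table and the sample domains are assumptions.

```python
# Added example: enumerate look-alike variants of a brand domain for
# defensive registration and monitoring. Assumes a two-label domain
# (label.tld); the CONFUSABLES table is an assumed starting point.

# Visually confusable ASCII characters, e.g. "s" -> "5".
CONFUSABLES = {
    "s": ["5"], "o": ["0"], "l": ["1", "i"], "i": ["1", "l"],
    "e": ["3"], "a": ["4"], "g": ["9"], "b": ["8"], "t": ["7"],
}

def split_domain(domain):
    """Return (label, tld) for a domain like 'example.com'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def homoglyph_variants(label):
    """One confusable substitution per variant, e.g. 'sample' -> '5ample'."""
    out = set()
    for i, ch in enumerate(label):
        for sub in CONFUSABLES.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out

def omission_variants(label):
    """Drop one character, e.g. 'example' -> 'exmple'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def transposition_variants(label):
    """Swap two adjacent characters, e.g. 'example' -> 'examlpe'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}

def lookalike_domains(domain):
    """All single-edit look-alikes of `domain`, excluding the domain itself."""
    label, tld = split_domain(domain)
    variants = (homoglyph_variants(label) | omission_variants(label)
                | transposition_variants(label))
    variants.discard(label)
    return sorted(f"{v}.{tld}" for v in variants)

def flag_lookalikes(domain, observed):
    """Return entries of `observed` (e.g. a new-registration feed or proxy
    log) that match a look-alike of `domain`, for monitoring or takedown."""
    candidates = set(lookalike_domains(domain))
    return sorted(d for d in observed if d.lower() in candidates)

if __name__ == "__main__":
    # Constructed sample of newly seen domains (not real observations).
    seen = ["3xample.com", "example.com", "example.net", "examlpe.com"]
    print(flag_lookalikes("example.com", seen))
```

The generated list is the set of names worth registering outright or feeding into certificate-transparency and new-registration monitoring.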
The Internet-facing attack surface has become vast, and it will only grow as employee-users seek out more digital tools and resources. As the old saying goes, companies can’t protect what they don’t know about. Through regular, comprehensive inventories of all assets, misconfigurations, exposures, and domains, and by applying old-fashioned but proven cybersecurity hygiene accordingly, security teams can stay ahead of threat actors seeking to exploit these risky areas. As a result, organizations will leave those attackers far less capable of doing damage.
Emily Austin, Researcher, Censys