For all their domain expertise, many cybersecurity vendors are as dangerously exposed to Internet-borne threats as the customers their technologies are designed to protect.
Israel-based security vendor Reposify recently used its external attack surface management platform to scan the externally facing assets and networks of 35 major cybersecurity vendors and more than 350 of their subsidiaries over a two-week period. Reposify's 24x7 Internet scans — like those of other vendors in the space — are designed to help organizations get an understanding of their attack surface and exposure so they can bolster or implement new controls where needed.
Reposify focused on externally facing infrastructure, applications, and user profiles, says Yaron Tal, founder and CTO at Reposify. This included everything from cloud-hosted databases; remotely accessed sites; Web-facing applications; internal network assets, such as portmappers, routers, switches, Web servers, storage, and backup; and development tools, he says.
The company's scans showed a high percentage of cybersecurity vendors are dangerously exposed to many of the same threats they are supposed to help protect against. Nearly nine in 10 (86%) of the cybersecurity companies analyzed had at least one sensitive remote-access service exposed to the Internet, and 80% had exposed network assets. Sixty-three percent of the vendors had back-office networks that were directly accessible via the Internet, just over half (51%) had at least one exposed database, and 40% had exposed development tools.
Reposify found that like organizations in other industries, almost all cybersecurity vendors are at considerable risk of data loss and compromise from poorly protected data on public cloud services. Some 97% — in other words, nearly all — of the cybersecurity vendors that Reposify scanned over the two-week period had exposed data assets on Amazon Web Services (AWS) and other cloud infrastructure. Some 42% of those assets could be classified as being at either high or critical risk, Reposify said.
"Just one of these statistics is concerning enough," Tal says. "But the combination points to a sincere need for the industry to better practice what it preaches," he says.
Tal says the findings are consistent across the financial, pharmaceutical, and gaming sectors. Similar scans that Reposify did of companies in the pharmaceutical sector showed 92% of them had exposed databases, while 55% of organizations in the gaming industry and 23% in the finance sector had the same problem. What's different about cybersecurity companies is they should know about the dangers of exposed assets on the Internet, he notes.
Richard Stiennon, chief research analyst at IT-Harvest, says he is not surprised that security vendors line up with the average enterprise in number of exposed assets. "Like any organization, security vendors are driven to grow and increase revenue," he says.
Their technical prowess is focused on innovation and protecting their customers. Like any company, their internal security staff are secondary to the infrastructure and support needed from IT for their operations. "Many employ CISOs that are merely extensions of sales and marketing and don't actually have a security staff," Stiennon says.
Expanding Digital Footprint
Much of the problem has to do with the fact that organizations — including cybersecurity firms — have a large number of assets that they simply don't know about and therefore are not protecting. This can include assets like sensitive data, devices, and other digital components that support information or communication-related activity, Tal says.
Trends like cloud adoption, the transition to hybrid workplaces, and the growing reliance on third-party vendors for IT and other services has significantly expanded digital footprints and resulted in a lot of data and devices over which security has no visibility.
"Inside the unofficial perimeter are assets like shadow IT-related services, pop cloud instances, [and] abnormally long-time online cloud instances without company domains attached," he says. Also presenting a risk are staging and test environments and forgotten databases, development tools, and network assets that the IT security team doesn't know about.
Some 91% of exposed Web servers in cybersecurity vendor environments were either Nginx or Apache, according to Reposify's data. Eighty-eight percent of exposed Web servers were accessible via OpenSSH. Other commonly exposed remote access protocols included telnet (33%) and SMB services (30%). Nearly three-quarters (72%) of cybersecurity vendor databases that Reposify found exposed during its Internet scans were PostgreSQL databases, followed by Oracledb with 50%, MySQL (28%), and Microsoft SQL (21%).
Reposify's findings are not designed to assign blame on cybersecurity vendors for poor security practices, Tal says. They are meant to illustrate the fact that nobody is immune to risk from exposed Internet-facing assets.
"It’s easy to assume that cybersecurity companies would be the most secure against modern cyber threats, but even experts are susceptible to the blind spots created by expanding digital footprints," he notes.