Companies focused on employees' systems and cloud infrastructure are not capturing the true extent of their attack surface area, which includes phishing domains using a business's brand, counterfeit mobile apps, and vulnerable web frameworks and plugins, according to a survey of such vulnerabilities published on Thursday.
In its "Analysis of an Attack Surface" report, security firm RiskIQ found a quarter of the top 10,000 Alexa domains had servers running at least one vulnerable web component and that the largest companies typically had more than 300 expired certificates, more than 700 potential development testing sites accessible from the Internet, and 80 instances of web applications running on soon-to-be-outdated versions of PHP. The company also identified more than 21,000 phishing domains created in the first quarter using one of 478 major brands.
The sheer variety of potentially vulnerable components underscores that companies often do not know about all the assets — and potentially vulnerable applications — that they have exposed to the Internet, says Steve Ginty, director of threat intelligence for RiskIQ.
"It comes back to the basics in terms of visibility and management — you can't defend something if you don't know it exists," he says. "Web infrastructure gets forgotten. Employees stand up shadow IT. It really comes down to visibility."
The vast majority of external breaches are due to vulnerabilities into which a company has no visibility or has lost visibility. The massive data breach impacting Equifax, for example, originated in a server with a known vulnerability in Apache Struts that the company believed it had patched but that in fact remained vulnerable. Other breaches have been caused by companies leaving misconfigured storage servers — such as Amazon Simple Storage Service (S3) buckets — open to public access.
Other research has found that 71% of applications used an open source library with a known vulnerability.
The average large enterprise — RiskIQ used the top 30 companies in the Financial Times Stock Exchange (FTSE) by market capitalization — has almost 8,500 hosts, nearly 2,000 domains, and more than 5,000 live websites. The sheer size of the footprint means that companies have a far harder time locking down their entire surface area than an attacker has finding a single vulnerable host, the report states.
"Threat actors know these internet-connected services can be easy inroads to corporate networks and are always scanning for vulnerable services to attack," RiskIQ states in the report. "To counter hackers, security teams must have visibility into the IPv4 space so they can develop a full inventory of digital assets connected to them outside their internal network and flag assets that become vulnerable so they can be patched and put under management."
Overall, the Internet grows by more than 200,000 domains a day and 55 million hosts per day, the company found.
The rapid growth of insecure and outdated web components is a major vulnerability for most companies. The average enterprise in the FTSE's top 30 companies, for example, has almost 400 insecure forms, nearly 50 web frameworks with known vulnerabilities, and more than 600 web servers running known vulnerable software. Whether these assets could actually be exploited is unknown, but the risk needs to be investigated, Ginty says.
"While these aren't the worst things that can happen to you, things such as end-of-life software makes your business more vulnerable, because you will not be getting patches in the future," he says.
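As an added illustration (example code written for this page, not RiskIQ's tooling and not part of the original article), the following Python script triages a constructed external-asset inventory for three of the exposure classes the report counts: expired or soon-to-expire TLS certificates, PHP versions at or approaching end of life, and development or test hostnames reachable from the Internet. The inventory records, the reference date and the PHP end-of-life table are assumptions made for the example; the authoritative support dates are on php.net, and a version missing from the table is flagged for manual review rather than silently treated as supported.

```python
"""Triage a constructed asset inventory for expired certificates, end-of-life PHP,
and Internet-reachable dev/test hosts.  Example code; the data is made up."""
import re
from collections import Counter
from datetime import date, timedelta

# Illustrative PHP end-of-life (end of security support) dates.  Assumption for
# the example: verify against php.net/supported-versions before relying on them.
PHP_EOL = {
    "7.2": date(2020, 11, 30),
    "7.3": date(2021, 12, 6),
    "7.4": date(2022, 11, 28),
    "8.0": date(2023, 11, 26),
}

# Hostname labels that commonly mark development or testing infrastructure.
DEV_HOST_RE = re.compile(r"(^|[.-])(dev|test|staging|uat|qa)([.-]|$)", re.IGNORECASE)

# Constructed inventory: every host, date and version below is invented.
INVENTORY = [
    {"host": "www.example.com", "cert_not_after": "2021-03-01", "php": "7.4.5"},
    {"host": "legacy.example.com", "cert_not_after": "2020-01-15", "php": "7.2.1"},
    {"host": "staging-api.example.com", "cert_not_after": "2020-09-01", "php": None},
    {"host": "shop.example.com", "cert_not_after": "2020-04-20", "php": "7.3.10"},
    {"host": "intranet-old.example.com", "cert_not_after": "2020-02-02", "php": "5.6.40"},
]


def minor_version(version):
    """Reduce a full version string such as '7.3.10' to its support branch '7.3'."""
    return ".".join(version.split(".")[:2])


def triage(inventory, today, cert_warn_days=30, eol_warn_days=365):
    """Return a list of (host, finding_code, detail) tuples for every exposure found."""
    findings = []
    for asset in inventory:
        host = asset["host"]

        # 1. Certificate lifecycle: expired now, or expiring within the warning window.
        not_after = date.fromisoformat(asset["cert_not_after"])
        if not_after < today:
            findings.append((host, "expired_cert", f"expired {not_after}"))
        elif not_after - today <= timedelta(days=cert_warn_days):
            findings.append((host, "cert_expiring_soon", f"expires {not_after}"))

        # 2. PHP support status: end of life, approaching it, or not in our table.
        if asset.get("php"):
            branch = minor_version(asset["php"])
            eol = PHP_EOL.get(branch)
            if eol is None:
                findings.append((host, "php_unknown_support", f"PHP {branch} not in EOL table"))
            elif eol < today:
                findings.append((host, "php_end_of_life", f"PHP {branch} EOL {eol}"))
            elif eol - today <= timedelta(days=eol_warn_days):
                findings.append((host, "php_eol_soon", f"PHP {branch} EOL {eol}"))

        # 3. Dev/test naming on an Internet-reachable host.
        if DEV_HOST_RE.search(host):
            findings.append((host, "dev_test_host_exposed", "hostname suggests non-production"))
    return findings


def summarize(findings):
    """Count findings per code so the inventory can be reported like the survey does."""
    return Counter(code for _, code, _ in findings)


if __name__ == "__main__":
    # Constructed reference date: shortly after the end of Q1 2020.
    results = triage(INVENTORY, date(2020, 4, 1))
    for host, code, detail in results:
        print(f"{host:28} {code:24} {detail}")
    print(dict(summarize(results)))
```

The two warning windows are deliberately different: a certificate expiring in 30 days is an operational emergency, while software losing security support within a year is the planning horizon the report's "soon-to-be-outdated" framing implies. In practice the inventory would be populated by the discovery step Ginty describes, not typed in by hand.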
The coronavirus pandemic and the move to remote work have caused a significant increase in vulnerable attack surface area, Ginty adds. The company saw a rapid spike in mid-to-late March of servers and applications stood up for remote work, including vulnerable VPN devices.
"Organizations, due to COVID-19, are standing up a lot more VPN and remote-access infrastructure to handle their workforce moving from their office to the home environment," he says.
Companies evaluating the report should consider the numbers in context, however.
By using the top 10,000 Alexa-ranked web properties and the FTSE top 30 companies, RiskIQ has chosen businesses with large Internet footprints and, by extension, large attack surface areas. Smaller companies will correspondingly have much smaller attack surface areas.
"Companies should start with discovery, and figure out what are the assets that you have on the Internet," Ginty says. "Once you know what you have out there, figure out what makes you a target and who might be targeting you."