Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:15 AM

Attack Surface Area Larger Than Most Businesses Believe

Workers are not the only outside-the-perimeter security risk. Companies have a variety of vulnerable Internet-facing resources exposing their business to risk, study finds.

Companies focused on employees' systems and cloud infrastructure are not capturing the true extent of their attack surface area, which includes phishing domains using a business's brand, counterfeit mobile apps, and vulnerable web frameworks and plugins, according to a survey of such vulnerabilities published on Thursday.

In its "Analysis of an Attack Surface" report, security firm RiskIQ found a quarter of the top 10,000 Alexa domains had servers running at least one vulnerable web component and that the largest companies typically had more than 300 expired certificates, more than 700 potential development testing sites accessible from the Internet, and 80 instances of web applications running on soon-to-be-outdated versions of PHP. The company also identified more than 21,000 phishing domains created in the first quarter using one of 478 major brands.

The sheer variety of potentially vulnerable components underscores that companies often do not know about all the assets — and potentially vulnerable applications — that they have exposed to the Internet, says Steve Ginty, director of threat intelligence for RiskIQ.

"It comes back to the basics in terms of visibility and management — you can't defend something if you don't know it exists," he says. "Web infrastructure gets forgotten. Employees stand up shadow IT. It really comes down to visibility."

The vast majority of external breaches are due to vulnerabilities into which a company has no visibility or has lost visibility. The massive data breach impacting Equifax, for example, originated in a server with a known vulnerability in Apache Struts that the company had believed to have been patched but in fact remained vulnerable. Other breaches have been caused by companies leaving misconfigured storage servers — such as Amazon Simple Storage Service (S3) servers — open to public access.

Other research has found that 71% of applications used an open source library with a known vulnerability.

The average large enterprise — RiskIQ used the top 30 companies in the Financial Times Stock Exchange (FTSE) by market capitalization — has almost 8,500 hosts, nearly 2,000 domains, and more than 5,000 live websites. The sheer size of the footprint means that companies have a harder time locking down their surface areas than hackers may have of finding a single vulnerable host, the report states.

"Threat actors know these internet-connected services can be easy inroads to corporate networks and are always scanning for vulnerable services to attack," RiskIQ states in the report. "To counter hackers, security teams must have visibility into the IPV4 space so they can develop a full inventory of digital assets connected to them outside their internal network and flag assets that become vulnerable so they can be patched and put under management."

Overall, the Internet grows by more than 200,000 domains a day and 55 million hosts per day, the company found.

The rapid growth of insecure and outdated web components is a major vulnerability for most companies. The average enterprise in the FTSE's top 30 companies, for example, has almost 400 insecure forms, nearly 50 web frameworks with known vulnerabilities, and more than 600 web servers running known vulnerable software. Whether these assets could actually be exploited is unknown, but the risk needs to be investigated, Ginty says.

"While these aren't the worst things that can happen to you, things such as end-of-life software makes your business more vulnerable, because you will not be getting patches in the future," he says.

The coronavirus pandemic and the move to remote work has caused a significant increase in vulnerable attack surface area, Ginty adds. The company saw a rapid spike in the middle to late March of servers and application for remote work, including vulnerable VPN devices.

"Organizations, due to COVID-19, are standing up a lot more VPN and remote-access infrastructure to handle their workforce moving from their office to the home environment," he says.

Companies evaluating the report should consider the numbers in context, however.

By using the top 10,000 Alexa-ranked web properties and the FTSE top 30 companies, RiskIQ has chosen businesses with large Internet footprints and, by extension, large attack surface areas. Smaller companies will, by extension, have much smaller attack surface areas.

"Companies should start with discovery, and figure out what are the assets that you have on the Internet," Ginty says. "Once you know what you have out there, figure out what makes you are target and who might be targeting you."

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.