Attack Surface Area Larger Than Most Businesses Believe

Workers are not the only outside-the-perimeter security risk. Companies have a variety of vulnerable Internet-facing resources exposing their business to risk, study finds.

Companies focused on employees' systems and cloud infrastructure are not capturing the true extent of their attack surface area, which includes phishing domains using a business's brand, counterfeit mobile apps, and vulnerable web frameworks and plugins, according to a survey of such vulnerabilities published on Thursday.

In its "Analysis of an Attack Surface" report, security firm RiskIQ found a quarter of the top 10,000 Alexa domains had servers running at least one vulnerable web component and that the largest companies typically had more than 300 expired certificates, more than 700 potential development testing sites accessible from the Internet, and 80 instances of web applications running on soon-to-be-outdated versions of PHP. The company also identified more than 21,000 phishing domains created in the first quarter using one of 478 major brands.

The sheer variety of potentially vulnerable components underscores that companies often do not know about all the assets — and potentially vulnerable applications — that they have exposed to the Internet, says Steve Ginty, director of threat intelligence for RiskIQ.

"It comes back to the basics in terms of visibility and management — you can't defend something if you don't know it exists," he says. "Web infrastructure gets forgotten. Employees stand up shadow IT. It really comes down to visibility."

The vast majority of external breaches are due to vulnerabilities into which a company has no visibility or has lost visibility. The massive data breach at Equifax, for example, originated on a server with a known vulnerability in Apache Struts that the company believed had been patched but that in fact remained vulnerable. Other breaches have been caused by companies leaving misconfigured storage servers — such as Amazon Simple Storage Service (S3) servers — open to public access.

Other research has found that 71% of applications used an open source library with a known vulnerability.

The average large enterprise — RiskIQ used the top 30 companies in the Financial Times Stock Exchange (FTSE) by market capitalization — has almost 8,500 hosts, nearly 2,000 domains, and more than 5,000 live websites. The sheer size of the footprint means that companies have a harder time locking down their entire surface area than attackers have finding a single vulnerable host, the report states.

"Threat actors know these internet-connected services can be easy inroads to corporate networks and are always scanning for vulnerable services to attack," RiskIQ states in the report. "To counter hackers, security teams must have visibility into the IPv4 space so they can develop a full inventory of digital assets connected to them outside their internal network and flag assets that become vulnerable so they can be patched and put under management."

Overall, the Internet grows by more than 200,000 domains a day and 55 million hosts per day, the company found.

The rapid growth of insecure and outdated web components is a major vulnerability for most companies. The average enterprise in the FTSE's top 30 companies, for example, has almost 400 insecure forms, nearly 50 web frameworks with known vulnerabilities, and more than 600 web servers running known vulnerable software. Whether these assets could actually be exploited is unknown, but the risk needs to be investigated, Ginty says.

"While these aren't the worst things that can happen to you, things such as end-of-life software make your business more vulnerable, because you will not be getting patches in the future," he says.

The coronavirus pandemic and the move to remote work have caused a significant increase in vulnerable attack surface area, Ginty adds. The company saw a rapid spike in mid-to-late March in servers and applications stood up for remote work, including vulnerable VPN devices.

"Organizations, due to COVID-19, are standing up a lot more VPN and remote-access infrastructure to handle their workforce moving from their office to the home environment," he says.

Companies evaluating the report should consider the numbers in context, however.

By using the top 10,000 Alexa-ranked web properties and the FTSE top 30 companies, RiskIQ has chosen businesses with large Internet footprints and, by extension, large attack surface areas. Smaller companies will correspondingly have much smaller attack surface areas.

"Companies should start with discovery, and figure out what are the assets that you have on the Internet," Ginty says. "Once you know what you have out there, figure out what makes you a target and who might be targeting you."
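The discovery-then-flag workflow that Ginty and the report describe can be reduced to a small triage pass over an external asset inventory. The following Python is an added example and is not code from RiskIQ or from the article; it runs over a constructed inventory (the example.com hostnames, certificate dates and PHP versions are placeholders) and flags the finding types the report counts: expired certificates, PHP branches at or near end of life, and development or test hostnames that are reachable from the Internet. The PHP end-of-life dates are an assumed table for illustration and should be checked against php.net before use.

```python
"""Triage an external asset inventory for the finding types the report counts.

Added example: the inventory below is constructed and the hostnames are
placeholders (example.com is a reserved documentation domain), not assets
from the article or the RiskIQ report.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import re

# Assumed PHP branch end-of-life dates; verify against php.net before relying on them.
PHP_EOL: Dict[str, date] = {
    "5.6": date(2018, 12, 31),
    "7.2": date(2020, 11, 30),
    "7.3": date(2021, 12, 6),
    "7.4": date(2022, 11, 28),
}

# Hostname prefixes that usually indicate a development or test site.
DEV_HOST = re.compile(r"^(dev|test|staging|uat|qa)([\w-]*)\.", re.IGNORECASE)

# Reference date for the triage run (the article's reporting period).
AS_OF = date(2020, 8, 10)


@dataclass
class Asset:
    host: str
    cert_not_after: Optional[date] = None   # None: no TLS certificate observed
    php_version: Optional[str] = None       # e.g. "7.2.31"; None: not a PHP host


def php_branch(version: str) -> str:
    """'7.2.31' -> '7.2' so the version can be looked up in the EOL table."""
    return ".".join(version.split(".")[:2])


def triage(assets: List[Asset], today: date, eol_window_days: int = 120) -> Dict[str, List[str]]:
    """Return {host: [finding codes]} for every asset with at least one finding.

    Finding codes:
      expired_certificate  - certificate notAfter is already in the past
      php_end_of_life      - PHP branch is past its EOL date (no more patches)
      php_eol_soon         - PHP branch reaches EOL within eol_window_days
      php_unknown_branch   - branch not in the EOL table; needs manual review
      dev_site_exposed     - hostname looks like a dev/test/staging site
    """
    findings: Dict[str, List[str]] = {}
    for asset in assets:
        codes: List[str] = []
        if asset.cert_not_after is not None and asset.cert_not_after < today:
            codes.append("expired_certificate")
        if asset.php_version is not None:
            eol = PHP_EOL.get(php_branch(asset.php_version))
            if eol is None:
                codes.append("php_unknown_branch")
            elif eol < today:
                codes.append("php_end_of_life")
            elif (eol - today).days <= eol_window_days:
                codes.append("php_eol_soon")
        if DEV_HOST.match(asset.host):
            codes.append("dev_site_exposed")
        if codes:
            findings[asset.host] = codes
    return findings


def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count each finding code across all hosts, the way the report tallies them."""
    counts: Dict[str, int] = {}
    for codes in findings.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed inventory: four placeholder hosts with different risk profiles.
INVENTORY: List[Asset] = [
    Asset("www.example.com", cert_not_after=date(2021, 1, 15), php_version="7.4.9"),
    Asset("legacy.example.com", cert_not_after=date(2020, 3, 1), php_version="5.6.40"),
    Asset("staging-api.example.com", cert_not_after=date(2020, 12, 1), php_version="7.2.31"),
    Asset("cdn.example.com"),
]

if __name__ == "__main__":
    result = triage(INVENTORY, AS_OF)
    for host, codes in result.items():
        print(host, ", ".join(codes))
    print(summarize(result))
```

In a real deployment the inventory would come from the discovery step (DNS, certificate transparency and IP-range enumeration of the organization's own space) rather than a hard-coded list, and the output would feed a ticketing queue so each flagged host is either patched, decommissioned or put under management.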

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...