
Perimeter

6/11/2020
10:15 AM

Attack Surface Area Larger Than Most Businesses Believe

Workers are not the only outside-the-perimeter security risk. Companies have a variety of vulnerable Internet-facing resources exposing their business to risk, study finds.

Companies focused on employees' systems and cloud infrastructure are not capturing the true extent of their attack surface area, which includes phishing domains using a business's brand, counterfeit mobile apps, and vulnerable web frameworks and plugins, according to a survey of such vulnerabilities published on Thursday.

In its "Analysis of an Attack Surface" report, security firm RiskIQ found a quarter of the top 10,000 Alexa domains had servers running at least one vulnerable web component and that the largest companies typically had more than 300 expired certificates, more than 700 potential development testing sites accessible from the Internet, and 80 instances of web applications running on soon-to-be-outdated versions of PHP. The company also identified more than 21,000 phishing domains created in the first quarter using one of 478 major brands.

The sheer variety of potentially vulnerable components underscores that companies often do not know about all the assets — and potentially vulnerable applications — that they have exposed to the Internet, says Steve Ginty, director of threat intelligence for RiskIQ.

"It comes back to the basics in terms of visibility and management — you can't defend something if you don't know it exists," he says. "Web infrastructure gets forgotten. Employees stand up shadow IT. It really comes down to visibility."

The vast majority of external breaches are due to vulnerabilities that a company has no visibility into or has lost visibility into. The massive data breach at Equifax, for example, originated on a server with a known vulnerability in Apache Struts that the company believed had been patched but in fact remained vulnerable. Other breaches have been caused by companies leaving misconfigured storage — such as Amazon Simple Storage Service (S3) buckets — open to public access.

Other research has found that 71% of applications used an open source library with a known vulnerability.

The average large enterprise — RiskIQ used the top 30 companies in the Financial Times Stock Exchange (FTSE) by market capitalization — has almost 8,500 hosts, nearly 2,000 domains, and more than 5,000 live websites. The sheer size of that footprint means companies have a harder time locking down their entire attack surface than attackers have finding a single vulnerable host, the report states.

"Threat actors know these internet-connected services can be easy inroads to corporate networks and are always scanning for vulnerable services to attack," RiskIQ states in the report. "To counter hackers, security teams must have visibility into the IPv4 space so they can develop a full inventory of digital assets connected to them outside their internal network and flag assets that become vulnerable so they can be patched and put under management."

Overall, the Internet grows by more than 200,000 domains a day and 55 million hosts per day, the company found.

The rapid growth of insecure and outdated web components is a major vulnerability for most companies. The average enterprise in the FTSE's top 30 companies, for example, has almost 400 insecure forms, nearly 50 web frameworks with known vulnerabilities, and more than 600 web servers running known vulnerable software. Whether these assets could actually be exploited is unknown, but the risk needs to be investigated, Ginty says.
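The exposure classes the report counts (expired certificates, Internet-reachable development and test sites, PHP branches at or near end of life, and look-alike domains built on a brand name) are all things a defender can check mechanically once an external inventory exists. The script below is an added example and is not RiskIQ's tooling or anything from the report; the inventory records, the brand name and the `OWNED_DOMAINS` set are constructed, the PHP end-of-support dates are taken from the php.net supported-versions table, and the brand look-alike test is a deliberately crude normalization that a real program would replace with a proper domain-similarity check.

```python
"""Triage a constructed external-asset inventory for the exposure classes
the RiskIQ report tallies: expired certificates, dev/test hosts reachable
from the Internet, end-of-life (or soon-to-be) PHP, and brand look-alikes."""
from datetime import datetime, timedelta, timezone
import re

# Security-support end dates per PHP branch (php.net "Supported Versions").
PHP_EOL = {
    "5.6": "2018-12-31", "7.0": "2019-01-10", "7.1": "2019-12-01",
    "7.2": "2020-11-30", "7.3": "2021-12-06", "7.4": "2022-11-28",
    "8.0": "2023-11-26",
}

# Hostname labels that mark development / testing infrastructure.
DEV_LABEL_RE = re.compile(r"^(dev|test|staging|uat|qa|sandbox)(\d+|-.*)?$")

# Digits commonly substituted for letters in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample data: the article's publication date, a hypothetical
# brand and its legitimately owned domains, and observed external assets.
AS_OF = datetime(2020, 6, 11, tzinfo=timezone.utc)
BRAND = "examplebank"
OWNED_DOMAINS = {"examplebank.com"}
SAMPLE_ASSETS = [
    {"host": "www.examplebank.com", "cert_not_after": "2021-03-01",
     "x_powered_by": "PHP/7.4.7"},
    {"host": "staging.examplebank.com", "cert_not_after": "2020-02-15",
     "x_powered_by": "PHP/7.2.31"},
    {"host": "legacy.examplebank.com", "cert_not_after": "2020-12-01",
     "x_powered_by": "PHP/5.6.40"},
    {"host": "examp1ebank-login.com", "cert_not_after": "2020-09-01",
     "x_powered_by": None},
]


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def cert_expired(not_after, now):
    """True when the certificate's notAfter date is already in the past."""
    return _parse_date(not_after) < now


def is_dev_site(host):
    """True when any DNS label looks like a dev/test/staging environment."""
    return any(DEV_LABEL_RE.match(label) for label in host.lower().split("."))


def php_status(powered_by, now, horizon_days=180):
    """Classify an X-Powered-By value: 'eol', 'eol-soon', 'supported',
    'unknown' (branch not in table) or None (no PHP version advertised)."""
    match = re.search(r"PHP/(\d+\.\d+)", powered_by or "")
    if not match:
        return None
    eol = PHP_EOL.get(match.group(1))
    if eol is None:
        return "unknown"
    eol_date = _parse_date(eol)
    if eol_date < now:
        return "eol"
    if eol_date - now < timedelta(days=horizon_days):
        return "eol-soon"
    return "supported"


def impersonates_brand(host, brand, owned_domains):
    """Crude look-alike test: a host outside the owned domains whose name,
    with separators removed and digit homoglyphs undone, contains the brand."""
    h = host.lower()
    if any(h == d or h.endswith("." + d) for d in owned_domains):
        return False
    normalized = h.replace(".", "").replace("-", "").translate(HOMOGLYPHS)
    return brand.lower() in normalized


def triage(assets, now, brand, owned_domains):
    """Return (host, finding) pairs for every exposure class detected."""
    findings = []
    for asset in assets:
        host = asset["host"]
        if asset.get("cert_not_after") and cert_expired(asset["cert_not_after"], now):
            findings.append((host, "expired-certificate"))
        if is_dev_site(host):
            findings.append((host, "dev-test-site"))
        status = php_status(asset.get("x_powered_by"), now)
        if status in ("eol", "eol-soon"):
            findings.append((host, "php-" + status))
        if impersonates_brand(host, brand, owned_domains):
            findings.append((host, "brand-lookalike"))
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_ASSETS, AS_OF, BRAND, OWNED_DOMAINS):
        print(f"{host:28s} {finding}")
```

Run against the sample inventory as of the article's date, the staging host is flagged three times (expired certificate, dev/test naming, and PHP 7.2 inside the 180-day end-of-life horizon), the legacy host for PHP 5.6, and the look-alike registration for containing the brand once its digit substitution is undone. The point is the shape of the workflow Ginty describes: discovery produces the inventory, and checks like these turn it into a prioritized list rather than a count.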

"While these aren't the worst things that can happen to you, things such as end-of-life software make your business more vulnerable, because you will not be getting patches in the future," he says.

The coronavirus pandemic and the move to remote work have caused a significant increase in vulnerable attack surface area, Ginty adds. The company saw a rapid spike in mid-to-late March of servers and applications stood up for remote work, including vulnerable VPN devices.

"Organizations, due to COVID-19, are standing up a lot more VPN and remote-access infrastructure to handle their workforce moving from their office to the home environment," he says.

Companies evaluating the report should consider the numbers in context, however.

By using the top 10,000 Alexa-ranked web properties and the FTSE top 30 companies, RiskIQ has chosen businesses with large Internet footprints and, by extension, large attack surface areas. Smaller companies will generally have much smaller attack surface areas.

"Companies should start with discovery, and figure out what are the assets that you have on the Internet," Ginty says. "Once you know what you have out there, figure out what makes you a target and who might be targeting you."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...