[German]Administrators and people who deal with the subject have known or suspected it for some time. The unmanaged attack surface of IT components is too complex at many companies. This makes it easier for cybercriminals to attack corporate IT, while the companies themselves have increasing difficulty in patching through the systems cleanly. Interesting information has come to my attention in this regard from Palo Alto Networks.
Advertising
We suspected it
Experienced security professionals know that while zero-days make headlines, the real problems come from dozens of small decisions made for IT every day in an enterprise. Even a single accidental misconfiguration of an IT system can create a vulnerability in defenses. That's why Palo Alto Networks' security research team evaluated more than 100 companies across industries to map their unmanaged attack surfaces.
Opportunistic attackers are increasingly targeting these oversights and misconfigurations because it has become easy and inexpensive to find vulnerabilities, exposures or other unknown open doors. Even less skilled attackers can build a scanning infrastructure to roughly scour the Internet and discover compromisable objects.
Some may even attempt to crack this vulnerability, but far more enterprising attackers sell this scan data on the dark web to bidders who can then launch particularly sophisticated attacks. For defenders, therefore, knowing an attacker's attack surface is a huge advantage.
For a deeper analysis, the researchers examined a sample of critical vulnerabilities and exposures (CVE) data from January to February 2022 for which active exploits were already known and highlighted in key cybersecurity advisories from U.S. federal agencies.
2022 Attack Surface Threat Report
These are some of the key findings of Palo Alto Networks' ASM Threat Report 2022 (registration required), which is based on observable data from more than 100 organizations rather than self-reported surveys:
Advertising
- The cloud continues to be a security nightmare: Nearly 80 percent of all issues observed on the global attack surface took place in the cloud. Cloud deployments, while simple, lead to numerous unintentional attacks due to misconfigurations and shadow IT.
- Low-hanging fruit continues to linger: Non-zero-day threats are everywhere. Nearly one in four issues researchers found on the attack surface were related to an unprotected RDP server, which has become the preferred gateway for ransomware. The Xpanse investigation also uncovered more than 700 unencrypted login pages for various IT services that were unencrypted and publicly accessible. Nearly 3,000 database storage and analytics systems and over 2,500 critical building control systems (BCS) were also accessible via the public Internet.
- End-of-Life-Software = End-of-Life for Security: 30 percent of organizations deployed end-of-life (EOL) software versions that were affected by CVEs for which active exploits were already known and listed in U.S. government cybersecurity advisories.
- Unchecked attack surface increases: The researchers also found that several companies had a large number of active issues that they fought within a month, but were never truly secure. These companies remained vulnerable throughout the month because their unmanaged attack surface continued to grow while other security issues were fixed.
- Persistent, complex, but unique: Xpanse's research found that while the attack surface is unique to each industry, vulnerabilities persist. For example, nearly 23 percent of all problems in the utilities and energy sector were due to compromised building control systems. Nearly 50 percent of all problems in professional and legal services involved data storage systems and unencrypted logins exposed to the public Internet. This put intellectual property, important client data and other highly sensitive information at risk.
If security teams don't know where the vulnerabilities are, it's impossible to ensure the issues are fixed. For many organizations, the cloud and RDP will be a constant target, but the constellation of risks and vulnerabilities on your attack surface will only continue to grow as attack surfaces become more complex.
Attackers benefit from the complexity and ever-changing attack surfaces because they can scour the entire Internet looking for these vulnerabilities. With an attacker's perspective, organizations can identify and prioritize problems to fix. This also means that focusing on metrics such as Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) is inherently flawed.
In the event of a security breach, MTTD and MTTR are acceptable, but security should focus on doing everything it can to prevent breaches before they happen, according to Palo Alto Networks. That means organizations should place more emphasis on Meant Time To Inventory (MTTI) because it's impossible to protect unknown assets from unknown risks.
Modern attack surfaces are dynamic. Without a clear view that is constantly updated, it is all too easy to have persistent vulnerabilities and unmanaged assets. Security professionals can only be as good as the data they have at their disposal. A solid foundation of continuous detection and monitoring ensures that organizations can keep pace with modern, dynamic attack surfaces to find, prioritize and mitigate vulnerabilities as they occur, according to Palo Alto Networks.
Risks across attack surface, Source: Palo Alto Netzworks
Additional key insights on the unmanaged attack surface, based on observational data from over 100 organizations, can be found in the 2022 Cortex Xpanse Attack Surface Threat Report.
