Two decades ago, we kept everything relatively simple by containing our organization’s technology footprint within the closed fortress that was the corporate network. The IT staff determined which tools to deploy, and the security team figured out how to best protect them and the network.
This seems a distant memory now, thanks to modern innovation: Work-from-home (WFH) arrangements continue to transform the traditional office culture, with spikes in cloud adoption, shadow IT, and Bring Your Own … Everything. The resulting widespread connectivity has boosted productivity. But it has also ushered in a new era of exposure because of a vastly increased attack surface.
Consequently, chief information security officers (CISOs) and their teams can no longer afford to view their roles as an “after the fact,” reactive responsibility. They must instead take proactive steps to identify all internet-facing assets from the very beginning and protect them. With improved visibility and a “security first” commitment, companies can operate with peace of mind.
To illustrate this, we recently published research in which we evaluated the presence of a variety of risks and vulnerabilities in random samples of 2.2 million hosts in our Universal Internet Dataset (UIDS). Here’s what we found:
- WFH brings new challenges. Connecting remotely, employee-users are expanding the attack surface, although it’s an unintended result of their actions in most cases. Post-pandemic remote work has driven a 59% increase in the use of tools and devices not approved by IT (commonly called shadow IT), leading to unmanaged devices/services because IT and security teams are left out of the conversation. What’s more, we have found that organizations now use an average of 44 different domain registrars and 17 hosting providers – another likely outcome of shadow IT that further contributes to visibility issues.
- Misconfigurations and exposures create the most risks. Misconfigurations – such as unencrypted services, insufficient or missing security controls, and self-signed certificates – account for about 60% of internet risks. Exposures of services, devices and information represent 28%.
- Exposures are not only a cloud issue. Organizations devote many resources and personnel to protecting assets in the cloud. But most internet hosts and services run on on-premises resources or in conventional datacenters, as opposed to top cloud providers. In fact, only 9% of hosts with services run them in any of the four major cloud options from Amazon, Microsoft, Google and Oracle.
So how should CISOs or other security professionals respond to this? We recommend these best practices as the building blocks of a comprehensive, proactive strategy:
- Inventory the entire landscape – and then do it again. The company’s digital ecosystem constantly changes: the company may have just finalized a merger or acquisition, and now it has inherited hundreds of additional users. Or a recently launched business strategy could require across-the-board investment in new tech tools for an entire department. That’s why security teams must initiate complete reconnaissance of these assets to see if there are any that the team doesn’t know about. Spoiler alert: There probably are. It starts with awareness, after all. Once the team takes an inventory of all that’s “out there” (instead of strictly what’s in the cloud), it can engage in regular patching and other security measures. In addition – because the company’s footprint always evolves – the team needs to go into “reconnaissance mode” on a routine basis.
- Eliminate misconfigurations and exposures. Sure, zero-day exploits and major vulnerabilities dominate the Twitter buzz and headlines. But, as indicated by our findings, companies are more likely to fall victim to an attack because of misconfigurations and exposures – that’s what threat actors often first seek out when targeting a potential victim organization. So apply good cyber hygiene to these areas, including zero-trust, multi-factor authentication and the regular auditing of internet-facing assets.
- Get ahead of domain scam artists. It’s unsettling that organizations are linked to literally dozens of domain registrars, especially if IT and security teams remain in the dark about their existence. Employee-users, for example, may register their own without notifying the teams. Threat actors are well aware of this, and take advantage by creating fake domains which closely resemble actual ones. They can, for instance, substitute “5” for an “S” in the legitimate domain to launch phishing attacks through brand impersonation.
A proactive approach works best here. Fuzzing tools can help the team discover lookalike domains that attackers can use to compromise a brand’s employees and customers. Security teams also want to keep track of domains that are about to expire, and conduct preemptive strikes by creating and purchasing “fake” domain names internally so threat actors can’t use them.
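The lookalike check described above, as an added example that is not part of the original post or of any Censys tooling: given a list of observed domain names (for instance from certificate transparency logs or DNS telemetry) it folds common visual substitutions such as the “5” for “S” swap, then flags names that match the protected brand under a different TLD, reuse the brand as a subdomain label, embed the brand name, or sit within a small edit distance of it. The brand domain `examplecorp.com`, the `OBSERVED` list and the homoglyph table are all constructed for the example; the registrable-label helper is deliberately simplified and does not consult a public-suffix list.

```python
from typing import List, Tuple

# Constructed brand domain for this example; not a real organisation.
BRAND = "examplecorp.com"

# Constructed sample of observed names, as a monitoring feed might yield them.
OBSERVED = [
    "www.examplecorp.com",                    # legitimate subdomain of the brand
    "examp1ecorp.com",                        # digit 1 standing in for l
    "example-corp.com",                       # inserted hyphen
    "examplecorp-login.net",                  # brand name embedded in a longer label
    "examplecorp.net",                        # same name, different TLD
    "login.examplecorp.com.evil-host.test",   # brand used as a subdomain of another domain
    "exampleco.com",                          # truncated name, edit distance 2
    "unrelated-widgets.org",                  # nothing to do with the brand
]

# Visual substitutions commonly used in brand-impersonation domains.
# Two-character sequences come first so "rn" is folded before single characters.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"),
    ("5", "s"), ("7", "t"), ("8", "b"), ("9", "g"),
]


def registrable_label(domain: str) -> str:
    """Second-level label of a hostname, lower-cased (simplified: no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_homoglyphs(label: str) -> str:
    """Replace lookalike characters with the letters they imitate."""
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str = BRAND) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is legitimate, lookalike or unrelated."""
    cand = candidate.lower().strip(".")
    brand = brand.lower()
    brand_label = registrable_label(brand)

    if cand == brand or cand.endswith("." + brand):
        return "legitimate", "brand domain or one of its subdomains"

    cand_label = registrable_label(cand)
    if cand_label == brand_label:
        return "lookalike", "same name under a different TLD"
    if brand_label in cand.split("."):
        return "lookalike", "brand name used as a subdomain label of another domain"

    folded = fold_homoglyphs(cand_label)
    if folded == brand_label:
        return "lookalike", "homoglyph substitution"
    if brand_label in folded:
        return "lookalike", "brand name embedded in registrable label"

    dist = levenshtein(folded, brand_label)
    # Allow a second edit only for longer brand names, where one-off collisions are unlikely.
    if dist <= 1 or (len(brand_label) >= 8 and dist <= 2):
        return "lookalike", f"edit distance {dist} after homoglyph folding"
    return "unrelated", f"edit distance {dist}"


def flagged(observed: List[str], brand: str = BRAND) -> List[Tuple[str, str]]:
    """Names that warrant review, each with the reason it was flagged."""
    results = []
    for name in observed:
        verdict, reason = classify(name, brand)
        if verdict == "lookalike":
            results.append((name, reason))
    return results


if __name__ == "__main__":
    for name, reason in flagged(OBSERVED):
        print(f"{name:40} {reason}")
```

Running the block prints six of the eight constructed names with the reason each was flagged; the legitimate subdomain and the unrelated domain are left alone. The thresholds are the part a team would tune: a short brand name gets many accidental near-neighbours at distance 2, which is why the second edit is only allowed for names of eight characters or more.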
The internet attack surface has become sprawling and vast, and it’s only going to get bigger as employee-users pursue more digital tools and resources. As the old adage goes, companies can’t protect what they don’t know. Through regular, comprehensive inventories and identification of all assets, misconfigurations and exposures, and domains – and by applying old-fashioned but proven cybersecurity hygiene accordingly – security teams will stay ahead of threat actors who look to exploit these risk areas. As a result, organizations will leave them far less capable of doing any damage.
Emily Austin, research scientist, Censys