Exposed! Is Vital Company Information Available on At-Risk Databases?
Reposify Report Found Assets Unprotected
By Roy Urrico
Finopotamus aims to highlight white papers, surveys, analyses, news items and reports that provide a glimpse as to what could, or potentially, impact credit unions and other organizations in the financial services industry.
Cybersecurity is essential for digital business, but are cybersecurity leaders practicing what they preach? A Reposify Cybersecurity Industry: State of the External Attack Surface report, which mapped the security posture of 35 multinational cybersecurity companies and their 350-plus subsidiaries, found more than half of leading cybersecurity firms host at-risk assets — any valuable data, device or other component of an organization’s systems.
Reposify, a Tel Aviv, Israel-based external attack surface management (EASM) provider, focused on a two-week window in January 2022 and discovered 258.2 million exposed assets across all industries.
Reposify’s research team analyzed the prevalence of key visible risks that potential attackers could leverage. These include known vulnerabilities as well as misconfigurations and human error. The security issues identified ranged from low and medium severity to critical severity.
Some 58% of issues discovered fell into the category of medium severity across databases, remote access sites and cloud service providers covering multiple industries, including financial services.
Distributed Assets at Risk
“Despite domain expertise and in-depth knowledge of cyber risk, our findings clearly demonstrate how cybersecurity companies still have critical security blind spots,” said Yaron Tal, founder and CTO at Reposify. “Distributed assets mean no industry is immune to cyberthreats. It is critical that every organization arm security teams with complete, 24/7 visibility. Asset inventories are ever-changing; only a real-time automated inventory can keep security personnel up to date for shortened time to remediation. This problem will only become more pronounced as the global economy, and its digital footprint, continues growing.”
In addition, Reposify found that unknown assets — those not part of the organization’s formal external profile, such as test servers, IoT devices, login pages and temporary services exposed either by misconfiguration or by human error — consistently rank as a main vulnerability when it comes to cyberthreats. Nearly all (97.14%) of security companies have exposed assets on their Amazon Web Services (AWS) estate, and 89% have exposed remote access sites on the internet. In addition, 42% of the assets were classified as “high” or “critical” risk.
Reposify’s report suggested that distributed assets are multiplying as a result of global digital transformation, increased reliance on cloud-service providers and third-party vendors, as well as the transition to hybrid work environments. This has put a strain on external attack surface management.
Tal added, “As paragons of cybersecurity expertise, leading companies must lead by example, and harden their external attack surface security to make it more difficult for attackers to gain a foothold in their systems, beginning with a clear view of their external attack surface and continuous monitoring and elimination of risky attack vectors.”
Breakdown of Exposures
This Reposify report also presented information about prevalent exposures of services, sensitive platforms, common vulnerabilities and exposures (CVEs) and other security issues.
The following is a summary of some of the report’s findings:
· Exposed Services. Reposify’s EASM platform analyzed the prevalence of exposed sensitive services among cybersecurity companies. Findings included 80% with exposed network assets, reflecting the impact of decentralized IT control; 86% with at least one sensitive remote access service exposed; and 63% with exposed back office internal networks, demonstrating that even internal configurations are not immune to breaches.
· Sensitive Exposed Platforms. These span remote access platforms, development tools (DevTools), storage and backups, and remote communication tools, among others. Reposify said these asset categories are highly sensitive, and the consequence of a breach is severe. The report found 91% of web servers identified as Nginx and Apache hosted exposed assets; 88% of exposed platforms accessible via OpenSSH; and 85% of cybersecurity companies had an exposed asset on Internet Information Services (IIS).
· Exposed remote access protocols. The demand for remote access platforms skyrocketed as employees transitioned to the home environment in the aftermath of the pandemic, and many companies now embrace global remote hiring practices. The report found exposures in these platforms: OpenSSH, with 90% of companies showing exposed assets, had nearly twice the rate of remote desktop protocol (RDP), a popular means of remote access to Windows-based machines (47%).
· Exposed Databases. These are among the assets most vulnerable to cybersecurity threats. Reposify identified over half (51%) of the companies as hosting an exposed database. Of the companies identified as having an exposed database, 72% had unprotected PostgreSQL databases, followed by Oracledb with 50%. MySQL and Microsoft SQL were the least exposed platforms, with 28% and 21% respectively.
· Exposed storage and backup assets. Though file transfer protocols (FTPs), used for file sharing across external networks, are useful as a communication protocol, Reposify recommended avoiding them altogether as a best practice because they lack built-in authentication. The research found that the majority of FTP services were either not behind a virtual private network or set up to allow “anonymous authentication,” which lets a user log in without a username or password for verification. Despite efforts to avoid them altogether, 57% of cybersecurity companies had exposed FTP services. Reposify also found exposures on Amazon S3 (14%), Azure Blob Storage (9%) and rsync (6%), but at a significantly lower rate than that of FTP.
· Exposed development tools (DevTools). Left out of date, DevTools can easily leak information such as source code, business analytics and unprotected API endpoints, and increase the probability of supply chain attacks. Hackers can also attach malicious code to otherwise legitimate applications, as happened with SolarWinds, PHP-related services, CodeDev and others. Reposify discovered that 50% of cybersecurity companies using the web framework Express had exposed development tools, while Tableau and Jenkins saw 21% and 29% of companies, respectively, with exposed DevTools on their servers.
· Exposed web servers. Web server vulnerabilities are continually changing, with SQL injection, cross-site scripting (XSS), distributed denial of service (DDoS) and cross-site request forgery (CSRF) just a few of the methods attackers use to infiltrate web servers; as digital solutions become more sophisticated, so do the means of attack. Reposify found that Nginx (83%) and Apache (80%) were the most common web servers with exposed assets. Internet Information Services (IIS) followed with 66%, and Gunicorn with 11%.
· Common cloud providers with exposed assets. Reposify analyzed the top cloud providers to assess the number of cybersecurity companies with exposed assets in the cloud, with critical findings. Nearly all – 97.14% – of cybersecurity companies hosted exposed assets on the Amazon Web Services (AWS) cloud platform. Microsoft Azure followed with 82%, and Google came in at 76%.
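The findings above are the kind of output an external attack surface inventory produces: each discovered asset is classified by severity and then rolled up into the share of companies exposing a given service category. The following Python is an added illustration of that triage step, not Reposify’s platform or data; the asset records and the severity rules are constructed here to mirror the categories the report ranks (databases, anonymous FTP, remote access, DevTools).

```python
from typing import Dict, List, Set

# Constructed sample inventory (hypothetical, not from the report): one record
# per internet-facing asset discovered for a company.
ASSETS: List[Dict] = [
    {"company": "A", "service": "postgresql", "port": 5432, "cloud": "aws"},
    {"company": "A", "service": "ftp", "port": 21, "anonymous": True, "vpn": False},
    {"company": "B", "service": "openssh", "port": 22, "cloud": "azure"},
    {"company": "B", "service": "rdp", "port": 3389, "cloud": "aws"},
    {"company": "C", "service": "nginx", "port": 443, "cloud": "gcp"},
    {"company": "C", "service": "ftp", "port": 21, "anonymous": False, "vpn": True},
    {"company": "D", "service": "jenkins", "port": 8080, "cloud": "aws"},
]

DATABASES: Set[str] = {"postgresql", "oracledb", "mysql", "mssql"}
DEVTOOLS: Set[str] = {"jenkins", "tableau", "express"}
REMOTE_ACCESS: Set[str] = {"openssh", "rdp"}


def classify(asset: Dict) -> str:
    """Map one exposed asset to low/medium/high/critical severity.
    The rules are hypothetical, modelled on how the report ranks categories."""
    svc = asset["service"]
    if svc == "ftp":
        if asset.get("anonymous"):
            return "critical"      # anyone can log in with no credentials
        return "medium" if asset.get("vpn") else "high"   # VPN-gated vs. open
    if svc in DATABASES:
        return "critical"          # data store reachable from the internet
    if svc == "rdp" or svc in DEVTOOLS:
        return "high"              # interactive access or source/CI leakage
    if svc == "openssh":
        return "medium"            # authenticated, but still a brute-force target
    return "low"                   # e.g. a public web server on 443


def share_of_companies(assets: List[Dict], category: Set[str]) -> float:
    """Percent of companies with at least one exposed asset in `category`,
    the same per-company metric the report uses (e.g. '51% host a database')."""
    companies = {a["company"] for a in assets}
    hit = {a["company"] for a in assets if a["service"] in category}
    return round(100 * len(hit) / len(companies), 2)


def severity_breakdown(assets: List[Dict]) -> Dict[str, int]:
    """Count exposed assets per severity level across the whole inventory."""
    counts: Dict[str, int] = {}
    for a in assets:
        counts[classify(a)] = counts.get(classify(a), 0) + 1
    return counts
```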