The Attack Surface In The Cloud Era: Urgent Action Is Needed

The latest Unit 42 report sounds the alarm for CIOs and CISOs: the attack surface of information systems keeps shifting and is slipping out of control. A few worrying figures should prompt awareness and, above all, urgent action.

With the Cloud, in whatever form, the attack surface of the extended information system has not only expanded; above all, it has become a moving target, which makes it harder to see and to manage. The “Attack Surface Threat Report” from researchers at Unit 42 of Palo Alto Networks provides some instructive figures and some cold realities about the difficulties, not to say the inability, of companies in managing the attack surface of their IS.

It should be read as a wake-up call for CIOs and CISOs. Here is a summary of the key points that deserve their immediate attention.

RDP is an Achilles’ Heel

This is one of the most telling figures in the report: in 85% of the organizations studied, RDP (Remote Desktop Protocol), a fragile and heavily targeted service, is reachable from the Internet. That exposure gives attackers a door for unauthorized login attempts and an entry point for ransomware. It is high time to close these gaping holes in the IS.
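Internet-exposed RDP is usually not a deliberate decision but a firewall or security-group rule that nobody reviewed. The following script is an added example (it is not code from the Unit 42 report or from this article): it audits security-group rules for remote access, file sharing and database ports that are open to the whole internet. The input mimics the JSON shape returned by `aws ec2 describe-security-groups` (`SecurityGroups[].IpPermissions[]`), but the three groups below are constructed sample data, and the port list and the 203.0.113.0/24 “bastion” range are assumptions for the illustration.

```python
"""Audit cloud security-group rules for sensitive ports open to the internet.

Added example, not from the Unit 42 report. Input records follow the shape of
`aws ec2 describe-security-groups` output; the groups below are constructed.
"""
import ipaddress

# Ports whose exposure to the whole internet the report singles out:
# remote access (RDP, SSH, WinRM), file sharing (SMB, FTP) and databases.
# Assumed list; extend it to match your own environment.
WATCHED_PORTS = {
    3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM-HTTPS",
    445: "SMB", 21: "FTP",
    3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB",
}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample: a weak group (RDP and MSSQL open to the world), a hardened
# group (RDP only from an assumed bastion range) and a legacy allow-all group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-weak", "GroupName": "jump-host",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-hardened", "GroupName": "jump-host-v2",
     "IpPermissions": [
         # Corrected rule: same port, but only from the (assumed) bastion/VPN range.
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-allports", "GroupName": "legacy-allow-all",
     "IpPermissions": [
         # IpProtocol "-1" means all protocols and all ports; no FromPort/ToPort.
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]


def is_world_open(rule):
    """True if any source range of the rule is the entire IPv4 or IPv6 internet."""
    v4 = any(ipaddress.ip_network(r["CidrIp"], strict=False) == ANY_V4
             for r in rule.get("IpRanges", []))
    v6 = any(ipaddress.ip_network(r["CidrIpv6"], strict=False) == ANY_V6
             for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_ports(rule, watched=WATCHED_PORTS):
    """Watched ports that a single rule reaches (all of them for protocol -1)."""
    if rule.get("IpProtocol") == "-1":
        return sorted(watched)
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return []
    lo, hi = rule["FromPort"], rule["ToPort"]
    return sorted(p for p in watched if lo <= p <= hi)


def find_exposures(groups, watched=WATCHED_PORTS):
    """Return (group_id, port, service) triples for watched ports open to the internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not is_world_open(rule):
                continue
            for port in exposed_ports(rule, watched):
                findings.append((group["GroupId"], port, watched[port]))
    return findings


if __name__ == "__main__":
    for gid, port, service in find_exposures(SAMPLE_GROUPS):
        print(f"{gid}: {service} (port {port}) reachable from the whole internet")
```

Run against the sample data, the script reports RDP and MSSQL on `sg-weak` and every watched port on the allow-all group, while the hardened group produces no finding. In a real environment, feed it the JSON from your cloud CLI and run it on a schedule: the point of the report is that the exposure reappears every month, not that it exists once.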

The Cloud: A double-edged sword

The Cloud has become, and this should surprise no one, the dominant attack surface of our IT systems: according to this new report, it accounts for 80% of the security exposures observed.

Although the Cloud offers flexibility and scalability and applies fundamental best practices by default (the well-known ANSSI “back to basics”), it also carries considerable risk because of the shared-responsibility model and the lack of control over cloud configurations.

Nearly half of the high or critical exposures in the Cloud stem from services deployed during the same month. The report shows that:

– Cloud infrastructure is in constant flux: more than 20% of its externally reachable services are added or replaced every month.

– This continual turnover of services accounts for 45% of the new cyber risks introduced each month.

– Around 95% of the end-of-life (EOL) software systems found in the organizations studied are hosted in the Cloud. This suggests that companies are slower to decommission outdated cloud systems than those hosted on their own infrastructure. It also shows that some companies are using the Cloud to move bulky, obsolete systems out of their data center without applying the compensating controls required for machines that no longer receive patches and are therefore more vulnerable.

– Similarly, 75% of the vulnerabilities spotted in enterprise development infrastructure were found in cloud environments, which makes that infrastructure a particularly attractive target for attackers.

“Organizations need to monitor their attack surface because it is constantly changing actively, and without continuous visibility, there will be several unknown routine exposures that attackers can exploit,” said Matt Kraning, CTO of Cortex Xpanse.

Attacker automation

Cybercriminals use automation to exploit vulnerabilities at an alarming pace. They can scan the entire IPv4 address space in minutes and exploit newly disclosed vulnerabilities within hours.

Here again, the report gives some chilling figures:

– Three of the 30 common vulnerabilities and exposures (CVEs) analyzed were exploited within hours of public disclosure, and 63% within 12 weeks.

– Of the 15 remote code execution (RCE) vulnerabilities analyzed by Unit 42, 20% were targeted by ransomware gangs within hours of public disclosure, and 40% were exploited within eight weeks of publication.

Understanding your attack surface

To better understand the priorities and techniques of cybercriminals, Unit 42 researchers took a closer look at the main entry routes exploited in the attack surface of the 250 companies studied.

The most frequent are attacks against web frameworks (22.8%), followed by remote access services (20.1%; see the RDP figure above), poorly configured or obsolete systems (17.1%), file sharing (12.1%), and databases (9.5%).

Figure: the top 9 primary exposures identified in the attack surface and used by cyber attackers.

As a reminder, attacks against web frameworks typically target platforms such as WordPress and Drupal in order to take control of websites and applications. Likewise, unpatched systems are easy prey, since they are easy to spot and their known vulnerabilities are always easier to exploit. Remote access services are doors into the information system, opened either by exploiting flaws in their protocols or, more often, by compromising an account and stealing its credentials. Databases are tempting targets because of the data they hold; attackers sometimes exploit vulnerabilities but more often rely on misconfigurations and stolen credentials. As for file sharing, it has always been a weak point of the attack surface, and with online services such as OneDrive, Google Drive, Box, and Dropbox, the risk of incorrect permission assignment multiplies.
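The two findings above, that a fifth of the cloud inventory changes every month and that new exposures cluster into a handful of families (web frameworks, remote access, misconfigured or end-of-life systems, file sharing, databases), suggest the minimum an attack surface programme has to do: diff this month's inventory of internet-facing services against last month's and classify what appeared. The script below is an added example (not from the report or from Cortex Xpanse); the two snapshots are constructed (host, port, banner) records, and the port-to-category table, the web framework, development tool and end-of-life banner lists are assumed, simplified versions of the report's categories.

```python
"""Diff two monthly snapshots of internet-facing services and classify new exposures.

Added example, not from the Unit 42 report. Snapshots are constructed sample
records; the category tables are assumed, simplified versions of the report's
exposure families.
"""
from collections import Counter

# One snapshot = the set of exposed services observed in a month, as
# (host, port, service banner) tuples. Constructed sample data.
MARCH = {
    ("203.0.113.10", 443, "nginx/1.24"),
    ("203.0.113.10", 22, "OpenSSH 9.6"),
    ("203.0.113.20", 443, "WordPress 6.4"),
    ("203.0.113.30", 3389, "Microsoft Terminal Services"),
}
APRIL = {
    ("203.0.113.10", 443, "nginx/1.24"),
    ("203.0.113.10", 22, "OpenSSH 9.6"),
    ("203.0.113.20", 443, "WordPress 6.4"),
    ("203.0.113.40", 3389, "Microsoft Terminal Services"),  # RDP moved to a new host
    ("203.0.113.41", 5432, "PostgreSQL 9.6"),               # EOL database, newly exposed
    ("203.0.113.42", 445, "Samba smbd"),                    # file sharing, newly exposed
    ("203.0.113.43", 8080, "Jenkins 2.4"),                  # development infrastructure
}

# Assumed mapping from well-known ports to the report's exposure categories.
CATEGORY_BY_PORT = {
    22: "remote access", 3389: "remote access", 5900: "remote access",
    21: "file sharing", 445: "file sharing", 2049: "file sharing",
    3306: "database", 5432: "database", 1433: "database", 27017: "database", 6379: "database",
}
WEB_FRAMEWORK_BANNERS = ("wordpress", "drupal", "joomla", "laravel", "django", "rails")
DEV_TOOL_BANNERS = ("jenkins", "gitlab", "sonarqube", "nexus repository")
# Assumed EOL markers; a real check would consult an end-of-life feed per product.
EOL_BANNERS = ("postgresql 9.", "php 5.", "windows server 2008", "centos 6", "centos 7")


def categorize(record):
    """Map one (host, port, banner) record to an exposure category."""
    _host, port, banner = record
    b = banner.lower()
    if any(b.startswith(marker) for marker in EOL_BANNERS):
        return "misconfigured/EOL system"
    if any(name in b for name in WEB_FRAMEWORK_BANNERS):
        return "web framework"
    if any(name in b for name in DEV_TOOL_BANNERS):
        return "development environment"
    return CATEGORY_BY_PORT.get(port, "other")


def diff_snapshots(previous, current):
    """Return (added, removed, churn): new services, gone services, and the
    fraction of the combined inventory that changed between the two months."""
    added = current - previous
    removed = previous - current
    churn = len(added | removed) / max(len(previous | current), 1)
    return added, removed, churn


def summarize(previous, current):
    """Monthly attack surface report: what appeared, what disappeared, by category."""
    added, removed, churn = diff_snapshots(previous, current)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "churn": churn,
        "new_by_category": Counter(categorize(r) for r in added),
    }


if __name__ == "__main__":
    report = summarize(MARCH, APRIL)
    print(f"churn: {report['churn']:.0%} of the combined inventory changed")
    for category, count in report["new_by_category"].most_common():
        print(f"  new exposures, {category}: {count}")
    for record in report["added"]:
        print("  +", record, "->", categorize(record))
```

On the sample data, four services appeared and one disappeared, so 5 of the 8 distinct services changed (62% churn), and the new exposures land in four different categories, including an end-of-life database that would otherwise be counted only as “another PostgreSQL port”. The same loop, fed by a real scanner or cloud inventory export, is what turns the report's monthly churn figure into a prioritized list to act on.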

Strategic sectors in danger

As is often the case in such reports, the researchers also carried out a sector-by-sector analysis, looking at which attack surface risks are most targeted in each sector:

Financial Services: 38% of risks are linked to file-sharing services.

National Administrations: 46% of risks are linked to the lack of security for file sharing and databases.

Healthcare: 56% of development environments are poorly configured.

Energy and Utilities: 47% of risks are linked to dashboards accessible from the Internet.

The Unit 42 report, one of the rare reports devoted solely to the attack surface, should be received as a call to action for CIOs and CISOs. It is a reminder worth taking to heart. It provides useful insights to prioritize actions, anticipate risks, and ultimately better protect the company’s resources by better controlling its attack surface. Take action!