CyCognito research staff analyzed data aggregated from hundreds of organizations to identify the top-level shadow risk trends that businesses with modern IT ecosystems face. The results reveal that organizations have a significant number of security blind spots. Those blind spots are often a by-product of interconnectivity with partners, cloud service providers and an organization’s own subsidiaries, and they persist because legacy security assessment solutions do not identify them.
The CyCognito platform marries sophisticated attacker reconnaissance techniques with large-scale data analysis. When applied to an individual organization, the results have proven indispensable for platform subscribers to better defend themselves. When the data collected by the platform is viewed in aggregate, it reveals a number of trends that cut across industries and organization sizes. In this blog, we reflect on: key trends identified, trend implications and how we gathered this data.
Key Trends Identified
The CyCognito research shows that:
- Organizations are unaware of as many as 75% of their IT assets.
- 82% of these hidden assets impact the organization’s cybersecurity posture and are managed by their cloud providers, partners or subsidiaries.
- 95% of these “unknown” and “unmanaged” assets were found to be blind spots that are not discovered by vulnerability scanners or even highly-trained penetration testing experts.
- 87% of organizations have critical exposures that are visible to attackers at a given point in time.
- 80% of organizations have critical network architecture flaws or gateway misconfigurations. Common examples include remote access servers (e.g., Citrix NetScalers, Juniper Unified Access Control, and Cisco Adaptive Security Appliances) that are misconfigured or have unpatched software.
- 30% of organizations have exposed software development environments (e.g., Git, Jenkins or JFrog servers) that are accessible to attackers, primarily due to misconfigurations.
What do these facts and trends mean for the average organization? The serious implications of these data points may be readily obvious to security professionals, but let’s briefly review:
Enterprises must find a way to identify and assess the 75% of their attacker-exposed assets they don’t know about already.
While it’s stunning that even organizations with well-funded cybersecurity teams are blind to as many as 75% of their attacker-exposed assets, it’s not entirely surprising given the explosion of the enterprise IT ecosystem. Today, business viability means agility and interconnectivity: new environments spun up at a moment’s notice, partners integrated into the supply chain, and acquired companies folded into the network. That often comes at the expense of security visibility and controls. To compound the problem, most security solutions are designed for a 20th century network, not the distributed IT ecosystem of the 21st century, and do not help organizations discover the full extent of their attack surface.
The enterprise attack surface extends well beyond the assets managed by central security and IT teams, with 82% of unknown and unmanaged assets managed by cloud providers, partners or subsidiaries.
In the average organization’s IT ecosystem, there are connections to over 115 networks, most of which are not managed by the organization. Enterprises are awakening to exposures from third-party vendors and to the risk associated with the shared responsibility model of cloud environments, but legacy tools don’t provide visibility into the assets outside their IT management sphere that expose them.
Virtually all (95%) of the assets unknown to an organization are not discovered by legacy tools and scanners — or even highly-trained penetration testing experts.
This lack of discovery is because legacy security assessment approaches are designed to test the asset environments you already know about: with a legacy vulnerability scanner you select the IP ranges to scan, so you are working within your known IT universe and the process by its nature will not find the true unknowns. Penetration tests carry the same bias toward known environments, although testers can be told to look broadly for assets. Even so, the lack of full visibility is compounded by the fact that a penetration test covers only a very narrow slice of the enterprise IT ecosystem, typically just 1% or 2%.
87% of organizations have critical exposures that are visible to attackers at a given point in time.
Attacker reconnaissance has grown increasingly sophisticated. Offensive scanning and exploitation tools have become cheaper, more automated and widely available, which gives threat actors unprecedented visibility into unattended points of entry to their target organizations. An organization’s best response is to view its attacker-exposed assets the way an attacker does, but at an even bigger and faster scale. An organization has to eliminate every point of entry, while an attacker needs only one path in; by rating each attack vector on its discoverability, attractiveness and exploitability, it becomes clear which issues should be remediated first.
80% of organizations have network architecture or gateway misconfigurations that are not identified during regular cybersecurity hygiene.
Many of these misconfigurations occur in networking gear located in third-party networks, outside the organization’s control or visibility, yet the organization must assess them as if they were its own. The implications are significant because these devices are meant to be network and security gatekeepers and can grant broad access to attackers and others who should not have it. They typically sit at the intersection of the organization’s network and third-party networks, and legacy security assessment solutions overlook them.
Misconfigurations of software development environments present a significant source of risk to 30% of organizations.
Software development organizations include technically savvy staff capable of setting up complex agile development environments and automated DevOps pipelines. Still, developers and DevOps engineers are seldom security experts, and modern SaaS development platforms operate on a shared responsibility model in which the customer is expected to configure security. When misconfigurations or network architecture flaws expose these assets, intellectual property can be stolen, and sophisticated attackers can hunt for software vulnerabilities to exploit later, or even plant their own code to use as a back-door channel.
How We Gathered the Data
The CyCognito platform gathers data using a nation-state-scale botnet that continuously analyzes every internet-exposed IT asset (approximately 3.5 billion in total) and fingerprints each one by looking at signals as diverse as its visual elements (e.g., logos and icons), keywords and code fragments, and the software deployed on it, among other identifiers. The platform uses a graph data model to represent the relationships between assets and to classify the business purpose of each asset.
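As an added illustration of the fingerprinting idea above, applied to the exposed development environments discussed earlier (Git, Jenkins, JFrog), the following Python is example code written for this page and is not the CyCognito platform’s own logic. It classifies an HTTP response by server-identifying headers and body fragments, then decides whether the service answered an anonymous request. The markers it relies on are assumptions about common deployments: Jenkins emits an `X-Jenkins` header and lists `"jobs"` from `/api/json` when anonymous read is enabled; Artifactory emits `X-Artifactory-Id`; a web-served `.git/HEAD` contains a ref pointer or a commit hash. The sample responses are constructed, not captured from real hosts.

```python
"""Fingerprint HTTP responses for exposed development services (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HttpResponse:
    """Minimal captured response: request path, status, headers and body."""
    path: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup (header names are not case-sensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# A real .git/HEAD is either "ref: refs/..." or a bare 40-hex commit id (detached HEAD).
_GIT_HEAD = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def fingerprint(resp: HttpResponse) -> Tuple[Optional[str], bool]:
    """Return (product, exposed); exposed means the service handed content to an anonymous client.

    Assumptions (not verified against every version): Jenkins sends X-Jenkins even on 403,
    Artifactory sends X-Artifactory-Id, and a 200 from /artifactory/api/ to an
    unauthenticated client means anonymous access is on.
    """
    if resp.header("X-Jenkins") is not None:
        # Locked-down Jenkins still identifies itself but answers /api/json with 403.
        exposed = resp.status == 200 and '"jobs"' in resp.body
        return "jenkins", exposed
    if resp.header("X-Artifactory-Id") is not None:
        exposed = resp.status == 200 and resp.path.startswith("/artifactory/api/")
        return "artifactory", exposed
    if resp.path.endswith("/.git/HEAD") and resp.status == 200 and _GIT_HEAD.match(resp.body):
        # A served .git directory lets anyone reconstruct the repository history.
        return "git", True
    return None, False


def triage(responses: List[HttpResponse]) -> List[Tuple[str, str]]:
    """Return (product, path) for each response that indicates an exposed service."""
    findings = []
    for resp in responses:
        product, exposed = fingerprint(resp)
        if exposed and product is not None:
            findings.append((product, resp.path))
    return findings


# Constructed sample responses (not real hosts): one open Jenkins, one locked Jenkins,
# one anonymous-readable Artifactory, one served .git directory, one unrelated page.
SAMPLE_RESPONSES = [
    HttpResponse("/api/json", 200, {"X-Jenkins": "2.414.1", "Content-Type": "application/json"},
                 '{"_class":"hudson.model.Hudson","jobs":[{"name":"release-build"}]}'),
    HttpResponse("/api/json", 403, {"X-Jenkins": "2.414.1"}, "Authentication required"),
    HttpResponse("/artifactory/api/repositories", 200, {"X-Artifactory-Id": "a1b2c3"},
                 '[{"key":"libs-release","type":"LOCAL"}]'),
    HttpResponse("/.git/HEAD", 200, {"Server": "nginx"}, "ref: refs/heads/main\n"),
    HttpResponse("/", 200, {"Server": "nginx"}, "<html><body>Welcome</body></html>"),
]


if __name__ == "__main__":
    for product, path in triage(SAMPLE_RESPONSES):
        print(f"exposed {product}: {path}")
```

A 200 response is only weak evidence of exposure on its own: a login page also returns 200, so the checks above pair the status with a product-specific body marker or API path. In practice, fingerprinting of this kind is combined with many more signals (TLS certificate names, favicon hashes, page titles) before an asset is classified, and any flagged finding should be confirmed by hand before it is reported.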
The data and trends reflected in this blog post are based on the analysis of CyCognito platform data aggregated across hundreds of organizations with IT assets around the globe.