Some Key Insights <\/h2>\n\n\n\n\n- Web server environments, including platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, were the host of one in three (34%) of all severe issues across surveyed assets. <\/li>\n\n\n\n
- 15% of all severe issues on the attack surface affect platforms using TLS or HTTP protocols. TLS issues are significant for all network-delivered data, but web apps especially so; web apps lacking encryption are currently ranked #2 of the OWASP Top 10. <\/li>\n\n\n\n
- Only half of surveyed web interfaces that handle personally identifiable information (PII) were protected by a WAF. <\/li>\n\n\n\n
- Despite HTTPS celebrating its 30th birthday this year, almost one in three (31%) of surveyed web interfaces failed to implement it. <\/li>\n\n\n\n
- More than 60% of the web interfaces that expose PII and lack HTTPS also lack a WAF. <\/li>\n\n\n\n
- Over half of ecommerce assets store or collect PII and a quarter (26%) of PII assets are unprotected by a WAF. <\/li>\n\n\n\n
- CyCognito\u2019s enhanced asset and issue context allowed the priority level of one in three (32%) of vulnerabilities to be downgraded. <\/li>\n<\/ul>\n\n\n\n
These were some of the most impactful findings from our report, but the full report has plenty of additional insights about assets, issues, and prioritization. However, if you\u2019re interested in the biggest lessons we learned by examining the data, we found three main takeaways. <\/p>\n\n\n\n
Looking for Critical Issues? Check the Web Servers <\/h2>\n\n\n\n
Web server environments, encompassing popular platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, represented a substantial portion of severe security issues\u2014accounting for 34% of all critical vulnerabilities among all examined assets. <\/p>\n\n\n\n
Although the data processed by web servers can often be harmless, these servers frequently provide direct access to sensitive databases containing personal user information (PII) and financial data, such as payment details for online transactions, which can pose significant risks if compromised.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
It\u2019s not the first time we\u2019ve seen dangers from Apache products. Take, for instance, the Log4J vulnerability in Apache software<\/a>, which emerged as one of the most significant cybersecurity incidents in recent years. Despite the widespread awareness and urgency to identify and fix vulnerable systems, the Cybersecurity and Infrastructure Security Agency (CISA) warned that this vulnerability had become deeply ingrained in many systems. They projected that vulnerable instances would continue to surface within critical infrastructure for at least a decade, if not longer.<\/p>\n\n\n\nIn our research, we discovered that instead of a decline of assets vulnerable to Log4J, some organizations experienced a significant increase in the number of vulnerable assets in the months following the disclosure of this flaw. In fact, over the last year, organizations we surveyed reported more than 260,000 critical vulnerabilities associated with Apache products, including Apache Tomcat and Apache Traffic Server.<\/p>\n\n\n\n
WAFs AWOL<\/h2>\n\n\n\n
When we talk about the attack surface or the software supply chain, we often talk about the dangers of unknown assets, but under-managed assets can pose just as big of a risk. Security teams are aware of these assets but may not realize that they are missing basic safeguards, exposing organizations to critical risks. We took a look at a few examples of security measures that we often see neglected as examples of what security teams can look for: web application firewalls (WAFs) and a lack of encryption (like HTTPS). <\/p>\n\n\n\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-2.webp\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
The need for HTTPS might sound like old news but we found that it\u2019s a challenge on the modern attack surface. Failures of cryptographic protocols are serious and sadly common \u2013 the Open Worldwide Application Security Project (OWASP) currently ranks them as #2 in its Top 10. We found that 15% of all severe issues across attack surfaces we surveyed affect these platforms.\u00a0<\/p>\n\n\n\n
This is a big deal.<\/strong> Imagine a group of 100 web interfaces belonging to your organization. We found that on average, 31 of those assets wouldn\u2019t have implemented HTTPS. If we look just at assets that could potentially expose PII, the issues grow even more serious: only half of surveyed web interfaces that could potentially expose PII were protected by a WAF. <\/p>\n\n\n\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-3.webp\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
This is not to say that WAFs or encrypted connections are the be-all-and-end-all of protection, but rather that organizations should be asking themselves, \u201cif there are assets in our software supply chain that lack these basic security measures, what else are they missing?\u201d The lack of fundamentals indicates that these potentially valuable assets remain dangerously unprotected.\u00a0<\/p>\n\n\n\n
Do More By Doing Less<\/h2>\n\n\n\n
Many organizations base their issue prioritization solely on CVSS or EPSS scores. While this is a great starting point, provide only a basic understanding of the impact of a vulnerability and lack any specific context about the impacted environment or organization affected. Security teams can manually fill in some of this context themselves, but when an attack surface includes nearly half a million digital assets, those kinds of efforts can\u2019t keep up. <\/p>\n\n\n\n
Additional context\u2014such as the attractiveness of the affected asset to attackers, whether the vulnerability is currently being exploited by threat actors, and the potential to access other critical systems through exploitation\u2014is critical, however, because it can prioritize vulnerabilities that are more likely to lead to security breaches while deprioritizing those that pose less of a threat.<\/p>\n\n\n\n
CyCognito\u2019s Enhanced Severity Score offers a more comprehensive assessment of vulnerability severity. It highlights critical issues that might be missed when relying solely on CVSS or EPSS scores and downgrades issues that, although seemingly severe, are tied to assets that are hard to locate or exploit. By downgrading these less critical issues, security teams can avoid spending time on low-priority vulnerabilities, allowing them to focus on preventing urgent external threats.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-4.webp\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
CyCognito\u2019s enhanced context allowed the priority of 32% of vulnerabilities to be downgraded\u2014this resulted in the deprioritization of over 235,000 issues over 12 months. This trend was consistent across all organizations surveyed. For more information on how an organization used context to accelerate their external attack surface management, check out this case study from Asklepios<\/a>.\u00a0<\/p>\n\n\n\nInterested in Learning More? <\/h2>\n\n\n\n
To read more about the trends we found, check out the 2024 State of External Exposure Management Report.\u00a0<\/p>\n\n\n\n
To learn more about CyCognito\u2019s platform and see it in action, explore our platform with a self-guided, interactive dashboard product tour<\/a>. If you\u2019d like to chat to an expert about external risks that might affect your organization, you can schedule a demo at https:\/\/www.cycognito.com\/demo\/<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"CyCognito just published our 2024 State of External Exposure Management Report. In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities. <\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[229,3],"tags":[33,184,16],"class_list":["post-1115","post","type-post","status-publish","format-standard","hentry","category-featured","category-research","tag-exposure-management","tag-report","tag-research"],"yoast_head":"\n
Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report | CyCognito Blog<\/title>\n<meta name=\"description\" content=\"In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report\" \/>\n<meta property=\"og:description\" content=\"In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-23T15:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-13T17:55:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2024-09-23-2400x1256-email.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2400\" \/>\n\t<meta property=\"og:image:height\" content=\"1256\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Emma Zaballos\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Emma Zaballos\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\"},\"author\":{\"name\":\"Emma Zaballos\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/42c314196e7f096a74bd885693643d58\"},\"headline\":\"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report\",\"datePublished\":\"2024-09-23T15:00:00+00:00\",\"dateModified\":\"2025-03-13T17:55:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\"},\"wordCount\":1206,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp\",\"keywords\":[\"Exposure Management\",\"Report\",\"Research\"],\"articleSection\":[\"Featured\",\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\",\"name\":\"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp\",\"datePublished\":\"2024-09-23T15:00:00+00:00\",\"dateModified\":\"2025-03-13T17:55:21+00:00\",\"description\":\"In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp\",\"width\":1224,\"height\":792},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/42c314196e7f096a74bd885693643d58\",\"name\":\"Emma Zaballos\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7ff812a5ab34a955a1e815e6719c68a7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7ff812a5ab34a955a1e815e6719c68a7?s=96&d=mm&r=g\",\"caption\":\"Emma Zaballos\"},\"description\":\"Product Marketing Manager\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/emma-zaballos\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report | CyCognito Blog","description":"In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/","og_locale":"en_US","og_type":"article","og_title":"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report","og_description":"In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities.","og_url":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/","og_site_name":"CyCognito Blog","article_published_time":"2024-09-23T15:00:00+00:00","article_modified_time":"2025-03-13T17:55:21+00:00","og_image":[{"width":2400,"height":1256,"url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2024-09-23-2400x1256-email.png","type":"image\/png"}],"author":"Emma Zaballos","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Emma Zaballos","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/"},"author":{"name":"Emma Zaballos","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/42c314196e7f096a74bd885693643d58"},"headline":"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report","datePublished":"2024-09-23T15:00:00+00:00","dateModified":"2025-03-13T17:55:21+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/"},"wordCount":1206,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp","keywords":["Exposure Management","Report","Research"],"articleSection":["Featured","Research"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/","url":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/","name":"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report | CyCognito Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp","datePublished":"2024-09-23T15:00:00+00:00","dateModified":"2025-03-13T17:55:21+00:00","description":"In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities.","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#primaryimage","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/Cycognito_Report-Illustrations_CyCognito-1.webp","width":1224,"height":792},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/defensive-playbook-understanding-new-trends-in-external-risk-with-cycognitos-state-of-external-exposure-management-report\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Defensive Playbook: Understanding New Trends in External Risk with CyCognito\u2019s State of External Exposure Management Report"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/42c314196e7f096a74bd885693643d58","name":"Emma Zaballos","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/7ff812a5ab34a955a1e815e6719c68a7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7ff812a5ab34a955a1e815e6719c68a7?s=96&d=mm&r=g","caption":"Emma Zaballos"},"description":"Product Marketing Manager","url":"https:\/\/www.cycognito.com\/blog\/author\/emma-zaballos\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/1115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=1115"}],"version-history":[{"count":11,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/1115\/revisions"}],"predecessor-version":[{"id":1429,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/1115\/revisions\/1429"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=1115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=1115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=1115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
These were some of the most impactful findings from our report, but the full report has plenty of additional insights about assets, issues, and prioritization. However, if you\u2019re interested in the biggest lessons we learned by examining the data, we found three main takeaways. <\/p>\n\n\n\n
Looking for Critical Issues? Check the Web Servers <\/h2>\n\n\n\n
Web server environments, encompassing popular platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, represented a substantial portion of severe security issues\u2014accounting for 34% of all critical vulnerabilities among all examined assets. <\/p>\n\n\n\n
Although the data processed by web servers can often be harmless, these servers frequently provide direct access to sensitive databases containing personal user information (PII) and financial data, such as payment details for online transactions, which can pose significant risks if compromised.<\/p>\n\n\n\n <\/p>\n\n\n\n It\u2019s not the first time we\u2019ve seen dangers from Apache products. Take, for instance, the Log4J vulnerability in Apache software<\/a>, which emerged as one of the most significant cybersecurity incidents in recent years. Despite the widespread awareness and urgency to identify and fix vulnerable systems, the Cybersecurity and Infrastructure Security Agency (CISA) warned that this vulnerability had become deeply ingrained in many systems. They projected that vulnerable instances would continue to surface within critical infrastructure for at least a decade, if not longer.<\/p>\n\n\n\n In our research, we discovered that instead of a decline of assets vulnerable to Log4J, some organizations experienced a significant increase in the number of vulnerable assets in the months following the disclosure of this flaw. In fact, over the last year, organizations we surveyed reported more than 260,000 critical vulnerabilities associated with Apache products, including Apache Tomcat and Apache Traffic Server.<\/p>\n\n\n\n When we talk about the attack surface or the software supply chain, we often talk about the dangers of unknown assets, but under-managed assets can pose just as big of a risk. Security teams are aware of these assets but may not realize that they are missing basic safeguards, exposing organizations to critical risks. We took a look at a few examples of security measures that we often see neglected as examples of what security teams can look for: web application firewalls (WAFs) and a lack of encryption (like HTTPS). <\/p>\n\n\n\n <\/p>\n\n\n\n The need for HTTPS might sound like old news but we found that it\u2019s a challenge on the modern attack surface. Failures of cryptographic protocols are serious and sadly common \u2013 the Open Worldwide Application Security Project (OWASP) currently ranks them as #2 in its Top 10. We found that 15% of all severe issues across attack surfaces we surveyed affect these platforms.\u00a0<\/p>\n\n\n\n This is a big deal.<\/strong> Imagine a group of 100 web interfaces belonging to your organization. We found that on average, 31 of those assets wouldn\u2019t have implemented HTTPS. If we look just at assets that could potentially expose PII, the issues grow even more serious: only half of surveyed web interfaces that could potentially expose PII were protected by a WAF. <\/p>\n\n\n\n <\/p>\n\n\n\n This is not to say that WAFs or encrypted connections are the be-all-and-end-all of protection, but rather that organizations should be asking themselves, \u201cif there are assets in our software supply chain that lack these basic security measures, what else are they missing?\u201d The lack of fundamentals indicates that these potentially valuable assets remain dangerously unprotected.\u00a0<\/p>\n\n\n\n Many organizations base their issue prioritization solely on CVSS or EPSS scores. While this is a great starting point, provide only a basic understanding of the impact of a vulnerability and lack any specific context about the impacted environment or organization affected. Security teams can manually fill in some of this context themselves, but when an attack surface includes nearly half a million digital assets, those kinds of efforts can\u2019t keep up. <\/p>\n\n\n\n Additional context\u2014such as the attractiveness of the affected asset to attackers, whether the vulnerability is currently being exploited by threat actors, and the potential to access other critical systems through exploitation\u2014is critical, however, because it can prioritize vulnerabilities that are more likely to lead to security breaches while deprioritizing those that pose less of a threat.<\/p>\n\n\n\n CyCognito\u2019s Enhanced Severity Score offers a more comprehensive assessment of vulnerability severity. It highlights critical issues that might be missed when relying solely on CVSS or EPSS scores and downgrades issues that, although seemingly severe, are tied to assets that are hard to locate or exploit. By downgrading these less critical issues, security teams can avoid spending time on low-priority vulnerabilities, allowing them to focus on preventing urgent external threats.<\/p>\n\n\n\n <\/p>\n\n\n\n CyCognito\u2019s enhanced context allowed the priority of 32% of vulnerabilities to be downgraded\u2014this resulted in the deprioritization of over 235,000 issues over 12 months. This trend was consistent across all organizations surveyed. For more information on how an organization used context to accelerate their external attack surface management, check out this case study from Asklepios<\/a>.\u00a0<\/p>\n\n\n\n To read more about the trends we found, check out the 2024 State of External Exposure Management Report.\u00a0<\/p>\n\n\n\n To learn more about CyCognito\u2019s platform and see it in action, explore our platform with a self-guided, interactive dashboard product tour<\/a>. If you\u2019d like to chat to an expert about external risks that might affect your organization, you can schedule a demo at https:\/\/www.cycognito.com\/demo\/<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" CyCognito just published our 2024 State of External Exposure Management Report. In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities. <\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[229,3],"tags":[33,184,16],"class_list":["post-1115","post","type-post","status-publish","format-standard","hentry","category-featured","category-research","tag-exposure-management","tag-report","tag-research"],"yoast_head":"\n<\/figure>\n\n\n\nWAFs AWOL<\/h2>\n\n\n\n
<\/figure>\n\n\n\n<\/figure>\n\n\n\nDo More By Doing Less<\/h2>\n\n\n\n
<\/figure>\n\n\n\nInterested in Learning More? <\/h2>\n\n\n\n