Balancing the risks and benefits of an online presence [Q&A]
The widespread use of digital platforms allows businesses to expand, but at the same time a growing internet presence can put organizations at risk in ways they cannot plan for.
We talked to Censys data scientist Emily Austin about the company's recent State of the Internet report and about how businesses can proactively fight against unknown domains and risks.
BN: A growing internet presence puts organizations at risk in ways they can’t plan for; how can organizations increase the visibility of their services on the internet while also remaining fully secure?
EA: Organizations are growing rapidly and need to take a new approach to visibility; gone are the days when one or two tools could cover the gaps in security and handle the speed at which a company's internet presence is growing. Companies often think their online presence consists solely of their public websites and web servers. But in practice, that digital footprint often looks different than expected. Organizations and leaders need to start thinking strategically about how to keep up with the ever-changing market while keeping their expanding attack surface secure.
Leaders need to look for a platform that provides a 360-degree view into their organization's landscape. This visibility helps gain a better understanding of what is available on the internet that perhaps shouldn't be, such as devices or services that should only be internally available to the organization. This can help balance growing business demands while maintaining the strongest possible security posture.
BN: The State of the Internet Report looked at 37 organizations and found that they used, on average, 44 domain registrars as part of their internet presence. Why is using so many domain registrars concerning?
EA: While organizations often use more than one domain registrar for official business purposes, 44 is… a lot. Given the number of registrars observed in our study, it's very likely there are domains purchased by organizations that are beyond the view of their IT and security teams. If these domains expire and are purchased by threat actors, they can be weaponized for phishing and brand impersonation. This leaves security teams to deal with the attack and the repercussions they couldn’t proactively defend against.
BN: On average, these 37 companies have a presence in 17 different hosting providers -- including cloud, on-premises, and data centers. How does this sprawl impact security teams?
EA: With an average of 17 hosting providers per company in our study, it is almost impossible to know what data is stored on each. This spreads security teams thinner than they already are, making comprehensive inventory and defense of those assets more challenging -- and in some cases, impossible.
Over the last two years, remote work contributed to this sprawl. New remote work demands are a primary driver of the reported 59 percent increase in shadow IT. This increased connectivity beyond the awareness of IT and security teams poses additional risk to organizations in the form of improperly managed devices and services connected to the internet.
BN: What kinds of risks are they exposing the company to? What should security teams look out for?
EA: Risks encompass settings or conditions that increase the potential for data breaches, information leaks, or destruction of assets. Misconfigurations and exposures account for 88 percent of observed internet-facing risks -- and are often remediated with strong security hygiene practices. Some of the most common risks across the internet are lack of common security headers, self-signed certificates and unencrypted authentication pages using basic or digest auth. While a lack of security headers or a self-signed certificate won't typically lead directly to an organization's crown jewels, they could be weaponized as part of an exploit chain, or lead to information exposure. Unencrypted authentication pages using basic or digest authentication methods are more dangerous. These authentication methods leave credentials vulnerable to interception when transmitted across an unencrypted connection (a.k.a., man-in-the-middle attack). While by no means a new tactic, credential theft is still a popular method for obtaining unauthorized entry into an organization.
Regular asset inventory and discovery is important -- understanding what software and services exist in an environment is key to being able to protect and defend it effectively. Additionally, vulnerability and patch management practices are critical pieces of good security hygiene. This isn't said lightly, as there's often a fine line between a successful patch and an automated breaking change, but it's important to keep software patched and up to date. Though not a comprehensive list, adding these practices to your security routine provides teams with a meaningful, proactive framework to strengthen their security posture.
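The three exposure classes named in the answer above (missing security headers, self-signed certificates, and Basic/Digest authentication offered over plain HTTP) can be checked mechanically once you have a raw response and the certificate's subject/issuer in hand. The following is an added example written for this page; it is not Censys code or tooling from the report. The raw HTTP responses, hostnames and certificate names are constructed sample data, and the header list is an assumed baseline rather than anything the interview specifies.

```python
"""Flag common internet-facing exposures from captured HTTP responses.

Added example, not code from the interview or from Censys. Every response
and certificate below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed baseline of headers a hardened web application normally sends.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)


@dataclass
class Observation:
    """One scanned service: URL scheme, host, raw response and cert facts."""
    scheme: str                          # "http" or "https"
    host: str
    raw_response: str                    # status line + headers (+ body)
    cert_subject: Optional[str] = None   # distinguished name, None for http
    cert_issuer: Optional[str] = None


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response.

    Names are lower-cased and repeated headers kept in order. Parsing stops
    at the first blank line, so the body is never inspected.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw_response.split("\r\n")[1:]:   # [0] is the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_exposures(obs: Observation) -> List[str]:
    """Return human-readable findings for one observation."""
    findings: List[str] = []
    headers = parse_headers(obs.raw_response)

    for name in EXPECTED_HEADERS:
        # Browsers ignore HSTS on plain http, so only expect it over https.
        if name == "strict-transport-security" and obs.scheme != "https":
            continue
        if name not in headers:
            findings.append(f"missing header: {name}")

    # Basic sends base64(user:password); Digest sends an MD5-based response
    # that can be cracked offline or replayed. Over http either is readable
    # by anyone on the path, which is the interception risk the text names.
    for challenge in headers.get("www-authenticate", []):
        parts = challenge.split(None, 1)
        if not parts:
            continue
        auth_scheme = parts[0].lower()
        if auth_scheme in ("basic", "digest") and obs.scheme == "http":
            findings.append(f"{auth_scheme} auth over unencrypted http")

    # A certificate whose issuer equals its subject is self-signed.
    if obs.scheme == "https" and obs.cert_subject is not None:
        if obs.cert_subject == obs.cert_issuer:
            findings.append("self-signed certificate")
    return findings


# Constructed sample observations (not real scan data).
SAMPLES = [
    Observation(
        scheme="http", host="intranet.example.internal",
        raw_response=("HTTP/1.1 401 Unauthorized\r\n"
                      'WWW-Authenticate: Basic realm="admin"\r\n'
                      "Content-Type: text/html\r\n\r\n<html>login</html>"),
    ),
    Observation(
        scheme="https", host="www.example.com",
        raw_response=("HTTP/1.1 200 OK\r\n"
                      "Strict-Transport-Security: max-age=31536000\r\n"
                      "Content-Security-Policy: default-src 'self'\r\n"
                      "X-Content-Type-Options: nosniff\r\n"
                      "X-Frame-Options: DENY\r\n\r\n"),
        cert_subject="CN=www.example.com", cert_issuer="CN=Example Public CA",
    ),
    Observation(
        scheme="https", host="dev-box.example.com",
        raw_response="HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
        cert_subject="CN=dev-box", cert_issuer="CN=dev-box",
    ),
]


def scan_all(samples=SAMPLES) -> Dict[str, List[str]]:
    """Map each host to its list of findings (empty list means clean)."""
    return {o.host: find_exposures(o) for o in samples}


if __name__ == "__main__":
    for host, found in scan_all().items():
        print(host, found or ["no findings"])
```

In practice the raw response and certificate fields would be filled from your own scanner's output; the logic only needs the header block and the subject/issuer strings, so it drops into any inventory pipeline that already collects those.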
BN: What are three things that all organizations can do to ensure they are practicing good security hygiene?
EA: Establishing a proactive plan is foundational to an organization's security hygiene. This security-first mindset allows organizations to focus on other priorities, brings awareness to teams and creates a more collaborative working environment. Here are three practices every organization should do on a routine basis:
- Scan the entire landscape -- and then do so again: There are several gaps threat actors can hide in -- and many lie in areas you wouldn't even think of. If your company has recently gone through a merger or acquisition, or perhaps rebranded, this opens the potential for security risks on assets unknown to your security team. As companies shift, teams should identify and establish a routine for monitoring all internet-facing assets in order to bring visibility directly into the hands of their security professionals. You can't secure what you don't know exists.
- Eliminate misconfigurations and exposures: This is a crucial piece of defense for organizations. Threat actors often target an organization through misconfigurations and exposures because these represent an easy point of entry into an environment. Start by incorporating tools and practices such as zero-trust, multi-factor authentication and secure auditing for all internet-facing assets. It's also important to ensure your organization has a vulnerability management process and engages in regular patching.
- Get one step ahead of domain scammers: It's easy for even the most experienced security professionals to fall victim to spoofed website domains, especially through phishing attacks. And threat actors are getting more and more refined -- from creating fake website interfaces that look identical to the original to shifting the domain copy ever so slightly. Security teams can leverage tools to monitor web domains, or even go as far as creating and purchasing lookalike domain names themselves so threat actors can't use them.
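The last practice above, monitoring for lookalike domains and pre-registering them, starts with generating the candidate set. The following is an added example written for this page, not tooling from Censys or the interview: it enumerates the common typosquat permutations of a brand domain (character omission, adjacent transposition, homoglyph substitution, hyphenation, doubled characters and TLD swaps) and intersects them with a registration list. The homoglyph table, the alternate TLD list and the "registered" set are constructed assumptions; a real check would feed the candidates to WHOIS or a DNS resolver instead of the inline set.

```python
"""Generate typosquat candidates for a brand domain and flag the ones that
are already registered but not owned by the organization.

Added example, not code from the interview or from Censys. The homoglyph
table, TLD list and REGISTERED set are constructed assumptions.
"""
from typing import Iterable, List, Set, Tuple

# Assumed visually-confusable substitutions (a small, illustrative subset).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"],
}
ALT_TLDS = ("com", "net", "org", "co", "io")   # assumed watch list


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld'. Assumes a single registrable label under a simple
    TLD (e.g. example.com); multi-part suffixes like .co.uk are not handled."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def lookalikes(domain: str) -> Set[str]:
    """Return the set of lookalike domains derived from `domain`.

    The original domain itself is never included.
    """
    label, tld = split_domain(domain)
    variants: Set[str] = set()
    n = len(label)
    for i in range(n):                         # omission: exmple
        variants.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                     # transposition: exmaple
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):             # homoglyph: examp1e, exarnple
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
    for i in range(1, n):                      # hyphenation: exam-ple
        variants.add(label[:i] + "-" + label[i:])
    for i in range(n):                         # repetition: exaample
        variants.add(label[:i] + label[i] + label[i:])

    candidates = {f"{v}.{tld}" for v in variants if v and v != label}
    for alt in ALT_TLDS:                       # TLD swap: example.co
        if alt != tld:
            candidates.add(f"{label}.{alt}")
    return candidates


# Constructed stand-in for a WHOIS/DNS lookup: names that resolve today.
REGISTERED = {"examp1e.com", "example.co", "exarnple.com", "unrelated.net"}


def find_registered_lookalikes(domain: str,
                               registered: Iterable[str] = REGISTERED,
                               owned: Iterable[str] = ()) -> List[str]:
    """Lookalikes of `domain` that are registered but not in the org's own
    inventory `owned`; these are the ones worth monitoring or contesting."""
    owned_set = {d.lower() for d in owned}
    return sorted(d for d in lookalikes(domain) & {r.lower() for r in registered}
                  if d not in owned_set)


if __name__ == "__main__":
    # example.co is assumed to be defensively registered by the org already.
    for name in find_registered_lookalikes("example.com", owned={"example.co"}):
        print("registered by a third party:", name)
```

Candidates that are still unregistered are the ones to consider buying defensively, as the answer suggests; the registered-but-not-owned list is the monitoring feed, since each entry is a domain a phisher may already be using.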