Internet-exposed assets reveal industry vulnerability profiles


New analysis from CyCognito of over two million internet-exposed assets, across on-prem, cloud, APIs, and web apps, identifies exploitable assets across several key industries, using techniques that simulate real-world attacker behavior.
Techniques include black-box penetration testing with more than 90,000 exploit modules, credential stuffing simulations and data exposure detection. The study also used Dynamic Application Security Testing (DAST) to identify runtime web application vulnerabilities, as well as active vulnerability scanning of internet-facing services to detect CVEs, misconfigurations and exposed assets.
Cloud assets account for 13.6 percent of those exposed, APIs 20.8 percent and web applications 19.6 percent. The proliferation of APIs and web apps, especially via shadow IT and third-party integrations, makes them easy to introduce but hard to govern.
Education is the sector with the highest share of vulnerable assets (31 percent), followed by professional services (28 percent) and retail (27 percent). Government (26 percent) and media (21 percent) round out the top five.
Risk signatures vary between sectors. For education, it is often the concentration of sensitive personal data on under-managed and outdated systems. For retail, it is the reliance on interconnected vendors and e-commerce platforms that expands the attack surface. For government systems, it is often the combination of legacy technology and publicly exposed services that creates points of vulnerability.
Exposure management therefore needs to focus on context: who owns an exposed asset, what it does, and especially how an attacker sees it in relation to the broader network it sits in.
Zohar Venturero, data scientist at CyCognito writes on the company’s blog, “By contributing our findings, we hope to support a broader awareness, helping defenders, decision-makers, and organizations make more informed choices. We believe that shared insight leads to shared resilience. The more viewpoints we bring together, the better equipped we are to protect what matters.”
You can read more on the CyCognito blog.