Is your external attack surface protected?

Sheila Zabeu -

September 21, 2021

Around three-quarters of Fortune 500 companies maintain IT infrastructure outside their own organizations, and about a quarter of that external environment has been found to carry already known vulnerabilities.

The figures come from a study by Cyberpion, a cybersecurity firm specializing in External Attack Surface Management (EASM), which collected data from a single-pass scan of the public, internet-facing assets of every Fortune 500 company during the first half of 2021.

One example of the vulnerabilities detected was cloud storage configured so that anyone on the internet can read or write its data. The report also found that, on average, a Fortune 500 company's infrastructure exposes 126 distinct login pages for customer or employee portals and services; the highest count was 3,000. Nearly 10% of those login pages were insecure because they transmit credentials without encryption or have TLS certificate problems. Either flaw lets an attacker on the network path capture or tamper with the login exchange and use the credentials to reach the data behind those portals.

Another finding of the study was that Fortune 500 companies connect to an average of 951 cloud assets, of which almost 5% are vulnerable. Incorrectly configured AWS storage resources, for example, can expose data to anyone who finds them. According to Cyberpion, the largest single exposure involved more than 30,000 cloud assets.
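The storage misconfiguration mentioned in this paragraph and the previous one (cloud storage that anyone can read or write) usually comes down to a bucket policy that grants an anonymous principal. The following is an added example, not code from the report or from AWS: a small checker that flags Allow statements granting read or write actions to `Principal: "*"` without a Condition, run over a constructed permissive policy and a constructed hardened one. The bucket name, role name and account ID are hypothetical.

```python
"""Flag bucket-policy statements that let anonymous principals read or write.
Policies below are constructed; the bucket and role names are hypothetical."""
import fnmatch
import json

# Actions that let an anonymous principal read or change objects and the bucket itself.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any AWS account or an unauthenticated caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(action_patterns, concrete_actions):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in action_patterns for action in concrete_actions)


def public_statements(policy_json):
    """Return (Sid, "read" | "write") for every Allow statement that grants an anonymous
    principal read or write actions without a Condition. Deny statements, NotPrincipal
    and NotAction are deliberately not evaluated here; treat those as 'inspect manually'."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by aws:SourceVpce, aws:SourceIp, etc.; needs a human look
        patterns = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "<no Sid>")
        if _grants(patterns, READ_ACTIONS):
            findings.append((sid, "read"))
        if _grants(patterns, WRITE_ACTIONS):
            findings.append((sid, "write"))
    return findings


# Constructed weak policy: anyone on the internet can download and upload objects.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-corp-uploads/*",
    }],
})

# Constructed hardened policy: the same actions, but only for one application role,
# plus an explicit Deny for any access that is not over TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploads-app"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-corp-uploads/*",
        },
        {
            "Sid": "DenyPlaintext",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-corp-uploads",
                         "arn:aws:s3:::example-corp-uploads/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print(public_statements(PUBLIC_POLICY))    # OpenBucket: read and write
    print(public_statements(HARDENED_POLICY))  # nothing flagged
```

A bucket policy is only one of the ways S3 access is granted. Legacy bucket and object ACLs that grant the AllUsers or AuthenticatedUsers group, and the account- and bucket-level Block Public Access settings, are separate checks; AWS's own "public" determination also considers a wider set of condition keys than the simple presence test used here.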

“Often, cybersecurity teams are unable to defend against attacks effectively because they do not have complete visibility into the assets they are connected to,” explains Nethanel Gelertner, CEO of Cyberpion. “Companies are not aware of their exposure to these external vulnerabilities and therefore cannot identify or mitigate risks. In addition, interconnected assets are continuously growing due to cloud architectures and digital transformation initiatives. All of this means that assessing and protecting attack surfaces has become even more challenging.”

What is EASM?

EASM is a new category of cybersecurity identified by Gartner that brings together technologies for identifying risks from internet-connected assets and systems an organization may not know it has. According to the research firm, awareness of the concept is growing quickly among cybersecurity vendors but more slowly among the organizations that buy IT solutions.

Today, much of the IT infrastructure, services, and applications used by businesses and individuals has some form of connection to the internet and is built from third-party building blocks that, in turn, connect to and depend on components from yet other sources.

The danger lies in the fact that these sources are largely not under the direct control of the organization. Worse, a security breach at any link in this interconnected ecosystem can lead to the compromise of the entire chain. Gartner calls this highly exposed ecosystem the "external attack surface".

The new EASM category covers the processes, technologies, and services that identify external IT assets that may carry vulnerabilities, complementing tools already in use such as breach and attack simulation and cloud security posture management.

In Gartner’s view, EASM solutions should offer five key capabilities:

  • Monitoring – Continuously check external environments, such as cloud services and infrastructure that is in some way connected to the outside world, as well as distributed ecosystems such as IoT systems;
  • Asset identification – Discover and map external assets and systems unknown to the organization;
  • Analysis – Assess asset attributes and determine whether they present risks, vulnerabilities, or anomalous behavior;
  • Prioritization – Rank risks and vulnerabilities and issue alerts based on that ranking;
  • Remediation – Provide threat mitigation plans and remediation workflows, or integrate with other solutions such as ticketing systems and incident response tools.

According to Gartner, the EASM market is still emerging and has relatively few vendors, and the set of established use cases is equally small.