For all their expertise in the field, many cybersecurity vendors are as dangerously exposed to Internet-borne threats as the customers their technologies are designed to protect.
Israel-based security provider Reposify recently used its external attack surface management platform to analyze the external assets and networks of 35 leading cybersecurity vendors and over 350 of their affiliates over a two-week period. Reposify’s 24/7 web analysis, like that of other vendors in the space, is designed to help organizations understand their attack surface and exposure so they can harden assets or implement new controls where necessary.
Reposify focused on infrastructure, applications, and external user profiles, says Yaron Tal, founder and CTO of Reposify. This covered everything from cloud-hosted databases and remotely accessible sites to web apps; internal network assets such as portmappers, routers, switches, web servers, storage and backup; and development tools, he says.
The company’s analytics have shown that a high percentage of cybersecurity vendors are dangerously exposed to many of the same threats they are supposed to help protect against. Nearly nine out of 10 cybersecurity companies analyzed (86%) had at least one sensitive remote access service exposed to the Internet, and 80% had network assets exposed. Sixty-three percent of vendors had back-office networks directly accessible through the Internet, just over half (51%) had at least one database exposed, and 40% had developer tools exposed.
Reposify found that, like organizations in other industries, almost all cybersecurity vendors are at significant risk of data loss and compromise due to poorly protected data on public cloud services. Some 97% – in other words, almost all – of the cybersecurity vendors analyzed by Reposify during the two-week period had exposed data assets on Amazon Web Services (AWS) and other cloud infrastructure. Some 42% of those assets could be classified as high or critical risk, Reposify said.
“Only one of these stats is concerning enough,” says Tal. “But the combination indicates a sincere need for the industry to better practice what it preaches,” he says.
Tal says the results are consistent with what Reposify has seen in the financial, pharmaceutical and gaming sectors. Similar analyses carried out by Reposify of companies in the pharmaceutical sector showed that 92% of them had exposed databases, while 55% of organizations in the gaming industry and 23% in the financial sector had the same problem. What’s different with cybersecurity companies is that they, of all organizations, should know the dangers of exposed assets on the Internet, he notes.
Richard Stiennon, chief research analyst at IT-Harvest, says he’s not surprised that security vendors are lining up with the average company in the number of exposed assets. “Like any organization, security vendors are driven to grow and grow revenue,” he says.
Their technical prowess is focused on innovation and on protecting their customers. As at any business, their internal security staff are secondary to the IT infrastructure and support needed for day-to-day operations. “Many employ CISOs who are just extensions of sales and marketing and don’t actually have security personnel,” Stiennon says.
An expanding digital footprint
A big part of the problem is that organizations, including cybersecurity companies, have a lot of assets that they simply don’t know about and therefore don’t protect. This can include assets such as sensitive data, devices, and other digital components that support information or communication-related activities, Tal explains.
Trends such as cloud adoption, the shift to hybrid workplaces, and the growing reliance on third-party vendors for IT and other services have dramatically expanded the digital footprint and pushed a lot of data and devices into places where security teams have no visibility.
“Inside the unofficial perimeter are assets such as shadow computing related services, pop cloud instances, [and] abnormally long online cloud instances with no corporate domains attached,” he says. Testing and staging environments, as well as forgotten databases, development tools, and network assets that the IT security team is unaware of, also present a risk.
According to data from Reposify, some 91% of web servers exposed in cybersecurity vendor environments were Nginx or Apache. Eighty-eight percent of exposed remote access services were OpenSSH. Other commonly exposed remote access protocols included Telnet (33%) and SMB (30%). Almost three-quarters (72%) of the cybersecurity vendor databases Reposify found exposed during its Internet scans were PostgreSQL, followed by Oracle DB (50%), MySQL (28%), and Microsoft SQL Server (21%).
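The figures above come from classifying what an external scan finds into the categories the article uses (remote access services, databases, developer tools, network assets) and then counting, per company, which categories have at least one Internet-facing asset. The following is an added example, not Reposify’s code or platform, that does that triage over a constructed asset inventory: the service-to-category mapping and the risk ratings are this example’s own assumptions, and the IP addresses are documentation ranges, not real scan data.

```python
"""Attack-surface triage over an external asset inventory (added example).

Mirrors the article's categories by classifying constructed scan records,
computing which categories each company exposes, and ranking findings so a
defender knows what to close first.
"""
from collections import defaultdict
from dataclasses import dataclass

# Service -> (category, risk). Categories follow the article; the risk ratings
# are this example's own assumptions: cleartext/legacy remote access and
# databases reachable from the Internet are rated highest.
SERVICE_PROFILE = {
    "ssh": ("remote_access", "medium"),
    "rdp": ("remote_access", "high"),
    "telnet": ("remote_access", "critical"),
    "smb": ("remote_access", "critical"),
    "vnc": ("remote_access", "high"),
    "postgresql": ("database", "critical"),
    "mysql": ("database", "critical"),
    "mssql": ("database", "critical"),
    "oracle": ("database", "critical"),
    "mongodb": ("database", "critical"),
    "redis": ("database", "critical"),
    "jenkins": ("developer_tools", "high"),
    "gitlab": ("developer_tools", "high"),
    "http": ("web", "low"),
    "https": ("web", "low"),
    "portmapper": ("network_assets", "high"),
    "snmp": ("network_assets", "high"),
}


@dataclass(frozen=True)
class Finding:
    company: str
    host: str
    port: int
    service: str
    category: str
    risk: str


def triage(records):
    """Turn raw (company, host, port, service) scan records into Findings.
    Unknown services are kept with category 'unknown' and risk 'review' so
    nothing silently drops out of the inventory."""
    findings = []
    for company, host, port, service in records:
        category, risk = SERVICE_PROFILE.get(service.lower(), ("unknown", "review"))
        findings.append(Finding(company, host, port, service.lower(), category, risk))
    return findings


def exposure_by_company(findings):
    """Map company -> set of exposed categories (the per-vendor view)."""
    exposed = defaultdict(set)
    for f in findings:
        exposed[f.company].add(f.category)
    return dict(exposed)


def share_exposed(findings, category):
    """Percentage of companies with at least one asset in `category`,
    the shape of the article's '51% had at least one database exposed'."""
    by_company = exposure_by_company(findings)
    if not by_company:
        return 0.0
    hits = sum(1 for cats in by_company.values() if category in cats)
    return round(100.0 * hits / len(by_company), 1)


def critical_findings(findings):
    """Findings to act on first: Internet-facing databases and legacy or
    cleartext remote access."""
    return [f for f in findings if f.risk == "critical"]


# Constructed sample inventory (RFC 5737 documentation addresses, not real scan data).
SAMPLE_RECORDS = [
    ("vendor-a", "198.51.100.10", 22, "ssh"),
    ("vendor-a", "198.51.100.11", 5432, "postgresql"),
    ("vendor-a", "198.51.100.12", 443, "https"),
    ("vendor-b", "203.0.113.20", 23, "telnet"),
    ("vendor-b", "203.0.113.21", 445, "smb"),
    ("vendor-b", "203.0.113.22", 8080, "jenkins"),
    ("vendor-c", "192.0.2.30", 22, "ssh"),
    ("vendor-c", "192.0.2.31", 80, "http"),
    ("vendor-d", "192.0.2.40", 3306, "mysql"),
    ("vendor-d", "192.0.2.41", 111, "portmapper"),
]

if __name__ == "__main__":
    fs = triage(SAMPLE_RECORDS)
    for cat in ("remote_access", "database", "developer_tools", "network_assets"):
        print(f"{cat:16s} exposed at {share_exposed(fs, cat)}% of companies")
    for f in critical_findings(fs):
        print(f"CRITICAL {f.company} {f.host}:{f.port} {f.service}")
```

On the constructed inventory, three of the four companies expose a remote access service and two expose a database; the critical list is what a security team would use to drive the first round of firewalling or decommissioning, while the `unknown` bucket keeps unrecognised services visible rather than letting them fall out of the count.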
Reposify’s findings aren’t designed to blame cybersecurity vendors for poor security practices, Tal says. They are intended to illustrate that no one is immune to the risks associated with assets exposed on the Internet.
“It’s easy to assume that cybersecurity firms would be the safest against modern cyberthreats, but even experts are sensitive to the blind spots created by expanding digital footprints,” he notes.