By analysing a large number of scans (1% of the Internet), Cortex® Xpanse™ gathered a lot of interesting insight, which is summarised in the ASM Threat Report 2022 (sadly, you have to register to download it). It reads a bit like an advertising brochure (well, it is one) for their attack surface management solution, but I still find some of the findings astonishing.
Cloud Continues to be a Security Nightmare
The report reads as if the cloud were dangerous and unmanageable, practically an invention of the dark side. Granted, deployment in the cloud is so easy that it produces more shadow IT (which is a problem), and even inexperienced teams can quickly expose applications to the Internet. But there may also be a selection effect: perhaps the cloud applications examined were simply more likely to be open to the Internet in the first place, and therefore easier for the scan to find.
Would the conclusion be that the cloud lowers the barrier to entry, especially for teams that are inexperienced (at least from an IT security perspective), to the point that these applications and systems would not even exist without the cloud? Well, this blog is an example of exactly that 🤯.
In my own context I have come to the conclusion that the hyperscalers' offerings (my experience is with AWS and Azure) make it possible to run applications more securely than on-prem. AWS Security Hub or Azure Security Center (now Microsoft Defender for Cloud) are a good starting point for improvements, and scanning and monitoring are supported by many managed services. In the end you probably pay nearly as much, if not more, for these supporting services as for running the application itself, but in my personal experience many applications and systems would be monitored worse on-prem, because many of the services needed would be out of reach, especially for smaller teams that self-host.
Unfortunately the report is missing a lot of the information needed to form a better picture. What I mainly object to is the wording, which I find very off-putting.
Low-Hanging Fruit Continues to Hang
Poorly secured RDP servers, publicly reachable services that should never be public (building control systems, for instance) or even unencrypted logins really should not be on the agenda any more in 2022 (or 2021, the period measured for this report).
In my experience MFA is fortunately catching on, if slowly, and Zero Trust will play a bigger role here in future in significantly limiting the consequences of stolen or lost credentials in particular.
Good solutions also exist for the building control systems (BCS) and operational technology (OT) mentioned above, although I would not put those in the "low-hanging fruit" category.
End-of-Life Software Means End-of-Life for Your Security
This is another point where I first shake my head and think "that's not acceptable", and then remember real-life situations where products kept being used after their end of life.
The Atlassian Confluence example mentioned in the report (CVE-2021-26084) alone is very interesting. For future reports, the more recent events around Confluence (CVE-2022-26134, like its predecessor an OGNL injection leading to remote code execution) are probably even more interesting: all it takes is one long weekend for panic to set in.
For teams that cannot guarantee secure operations with very short patch cycles (such teams are said to exist), the cloud demonised above, in the form of a SaaS offering, would be the better option again, wouldn't it?
But I agree that the world would be a better place without outdated software, and that there is still a lot of unfinished work to be done here.
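To make the "low-hanging fruit" and end-of-life findings above concrete, here is an added example of the kind of triage a team can run over its own asset inventory. This is my own illustration, not code from the report or from the Xpanse product, and everything in it is constructed: the inventory uses RFC 5737 documentation addresses, the product names, versions and end-of-life dates are placeholders rather than an authoritative lifecycle database, and the finding categories are ones I chose for the example.

```python
"""Added example: minimal attack-surface triage over a constructed inventory.

It flags the finding classes discussed in the post: RDP exposed to the
Internet, OT/building-control protocols reachable from the Internet, login
forms served over plain HTTP, and software past its end-of-life date.
Not the Xpanse product's logic; all data below is constructed."""

from datetime import date

# Placeholder EoL table: (product, major version) -> end-of-life date.
# Product names and dates are invented for the example; consult the vendor's
# lifecycle page for real products.
EOL_TABLE = {
    ("legacy-os", "2012"): date(2023, 10, 10),
    ("legacy-cms", "4"): date(2022, 1, 31),
    ("wiki", "6"): date(2021, 12, 31),
}

# Protocols that should never be reachable from the Internet.
OT_SERVICES = {"bacnet", "modbus", "s7comm", "dnp3"}

# Fixed "today" so the sample run is deterministic.
SAMPLE_DATE = date(2024, 6, 1)


def major_version(version):
    """Reduce '2012 R2' -> '2012' and '4.2.1' -> '4' for a coarse table lookup."""
    tokens = version.split()
    if not tokens:
        return ""
    return tokens[0].split(".")[0]


def is_eol(product, version, today):
    """True if the (product, major version) pair has an EoL date on or before today."""
    eol = EOL_TABLE.get((product, major_version(version)))
    return eol is not None and eol <= today


def _finding(asset, category, detail):
    return {"host": asset["host"], "port": asset["port"],
            "category": category, "detail": detail}


def triage(assets, today):
    """Return findings in inventory order; one asset may produce several."""
    findings = []
    for a in assets:
        exposed = a["exposure"] == "internet"
        if exposed and a["service"] == "rdp":
            findings.append(_finding(a, "exposed-rdp", "RDP reachable from the Internet"))
        if exposed and a["service"] in OT_SERVICES:
            findings.append(_finding(a, "public-ot", f"{a['service']} reachable from the Internet"))
        if a["service"] == "http" and a.get("login_path"):
            findings.append(_finding(a, "unencrypted-login",
                                     f"login form {a['login_path']} served over plain HTTP"))
        if is_eol(a.get("product", ""), a.get("version", ""), today):
            findings.append(_finding(a, "eol-software",
                                     f"{a['product']} {a['version']} is past end of life"))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


# Constructed sample inventory (documentation addresses), not scan data.
SAMPLE_ASSETS = [
    {"host": "203.0.113.10", "port": 3389, "service": "rdp", "exposure": "internet",
     "product": "legacy-os", "version": "2012 R2"},
    {"host": "203.0.113.11", "port": 80, "service": "http", "exposure": "internet",
     "product": "legacy-cms", "version": "4.2.1", "login_path": "/admin/login"},
    {"host": "203.0.113.12", "port": 443, "service": "https", "exposure": "internet",
     "product": "wiki", "version": "7.18.1", "login_path": "/login.action"},
    {"host": "203.0.113.13", "port": 47808, "service": "bacnet", "exposure": "internet"},
    {"host": "10.0.0.5", "port": 3389, "service": "rdp", "exposure": "internal",
     "product": "legacy-os", "version": "2019"},
]


def run_sample(today=SAMPLE_DATE):
    """Triage the constructed inventory as of the fixed sample date."""
    return triage(SAMPLE_ASSETS, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']}:{f['port']} [{f['category']}] {f['detail']}")
    print(summarize(run_sample()))
```

The point of the exercise is less the checks themselves than the fact that they need an inventory to run against: an asset that nobody recorded (the shadow IT mentioned earlier) never reaches the triage at all, which is exactly the gap an external scan like the report's closes.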
The Unmanaged Attack Surface Is Growing
This section is essentially an advertisement for the authors' product. A lot of numbers and diagrams are thrown around, and it really doesn't read well.
I cannot confirm this trend from my own experience, but neither can I counter it with facts and expertise.
Persistent, Complex, but Unique
I find the breakdown of the attack surface by industry very interesting.
It certainly makes sense, as ways of working and the available COTS software stacks vary by industry. Since attackers are likely to read this report too, I will try to incorporate the findings into my work in future and pay particular attention to them.
I’m glad to see that Stuxnet is also mentioned in the report 😉.
Conclusion
This may all read rather critical, but in the end most of the weaknesses and vulnerabilities mentioned could be avoided, if one wanted to. Often the pain is probably not yet great enough, or many of the systems found are simply too unimportant. Really, I only see my general observations about IT confirmed:
- The amount of IT security is constant, or at least not growing as fast as the number of IT systems, so on average it is shrinking rather than growing. There is simply too much software (please don't look at my GitHub repositories; I am contributing to the problem as well).
- IT is more than delivering on a set of business requirements once.
- IT security is not yet built into all solutions as security by design and security by default, and often still requires too much expertise and effort to be the obvious choice.
The report indirectly says as much, but I think the solution it proclaims falls short, even if it is better than sticking one's head in the sand.
Given the large amount of data collected, though, I would have liked a more concrete report with more figures and the basis on which they were calculated.
Source:
Translated with www.DeepL.com/Translator (free version)