At different times and for different reasons, organizations leave ports (communication channels) and protocols (communication methods) exposed to the internet.
Findings proved concerning on all fronts, said ExtraHop CISO Jeff Costlow — because, whether intentional or accidental, exposures broaden an organization’s attack surface. Misconfigurations are often the most common gaps exploited by hackers because they are such an easy target.
“Some people may look at this and think, well, what’s a device or two that’s exposed to the internet?” said Costlow. “My warning is that not every, or even many, devices need to be exposed in an environment to make it a risk. It only takes one open door to let cybercriminals into your environment, where they can then move laterally and potentially launch a catastrophic attack.”
Key cyberthreat findings
The findings of the report reveal that a high number of organizations had exposed database protocols, said Costlow.
These protocols enable users and software to interact with databases by inserting, updating, and retrieving information. When an exposed device is listening on a database protocol, it exposes the database and its critical and sensitive information.
The survey revealed that 24% of organizations expose Tabular Data Stream (TDS) and 13% expose Transparent Network Substrate (TNS) to the public internet.
Both technologies are protocols for communicating with databases, which transmit data in plaintext.
- More than 60% of organizations expose the remote-access protocol Secure Shell (SSH) to the public internet. SSH is typically used to encrypt data transferred between computers.
- 36% expose the insecure File Transfer Protocol (FTP), which transfers files between a server and a computer over a network.
- 41% of organizations have at least one device exposing LDAP to the public internet. Windows systems use lightweight directory access protocol (LDAP) to look up usernames in Microsoft’s Active Directory (AD), the software giant’s proprietary directory service. By default, these queries are transmitted in plaintext, Costlow explained.
“This sensitive protocol has an outsized risk factor,” he said.
Meanwhile, in many industries, Server Message Block (SMB) is the most prevalent protocol exposed. SMB allows applications on a computer to read and write to files and to request services from server programs in a computer network.
- In financial services, SMB is exposed on 34 devices out of 10,000.
- In healthcare, SMB is exposed on seven devices out of 10,000.
- In state, local and education (SLED), SMB is exposed on five devices out of 10,000.
Outdated protocols: Telnet widely exposed
What “may be most alarming,” Costlow said, is the finding that 12% of organizations have at least one device exposing the Telnet protocol to the public internet.
Telnet is a protocol used for connecting to remote devices, but Costlow pointed to its antiquity — it has been deprecated since 2002.
“As a best practice, IT organizations should disable Telnet anywhere it is found on their network,” he said. “It is an old, outdated and very insecure protocol.”
Organizations should also disable Server Message Block version 1 (SMBv1). This application-layer network protocol is commonly used on Windows to provide shared access to files and printers.
The ExtraHop study found that 31% of organizations had at least one device exposing this protocol to the public internet. Additionally, 64 out of 10,000 devices exposed this protocol to the public internet.
Costlow pointed out that SMBv1 was developed in the 1980s and was officially disabled on Microsoft’s Active Directory in April 2019. The protocol is particularly vulnerable to EternalBlue, a serious and well-known exploit that allows hackers to gain remote access and has been used to propagate the infamous WannaCry ransomware, said Costlow. More secure and efficient versions of SMB are available today.
All told, SMBv1 and Telnet are “inherently risky,” said Costlow. “IT leaders should do everything they can to remove them from their environments.”
Improving your security posture
The impetus for the report was the Cybersecurity and Infrastructure Security Agency (CISA) issuance of a Shields Up notice in February in response to Russia’s invasion of Ukraine. This provided recommendations on new approaches to cyber defense, many of those focused on the basics of cybersecurity: passwords, patching and proper configurations, Costlow said.
“Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks,” the notice warns. “Every organization — large and small — must be prepared to respond to disruptive cyber incidents.”
The goal of the report was to provide a roadmap of “security hygiene priorities,” Costlow said.
Protocols are connected to sensitive information – passwords in plain text and AD usernames, among others. And “sadly” — not to mention carelessly — the password in AD is often simply ‘admin,’ said Costlow.
“This can make it very easy for cybercriminals to gain access to your environment, critical or sensitive information and even your intellectual property,” he said.
Oftentimes, organizations are not even aware these sensitive protocols are exposed. Such exposure could be the result of simple human error or default settings. Other times it’s a lack of security understanding from IT teams setting up their network configurations.
Across the board, organizations should assess their use of network protocols, Costlow said. By analyzing their network and device configurations and traffic patterns, they can gain a better understanding of their security risks and act to improve their cybersecurity readiness.
Costlow also recommended that organizations build and maintain an inventory of software and hardware in their environment so that defenders can track what is being used and where.
Ultimately, said Costlow, “having a baseline of ‘normal’ makes it easier to spot anomalous, potentially malicious behavior.”
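One way to start the protocol assessment and inventory described above, as an added example that is not from ExtraHop or its report: it flags listeners for the protocols named in this article that are bound to a non-loopback address. The host names, the sample `ss -tlnH` output and the default-port mapping are assumptions constructed for illustration.

```python
import ipaddress

# Default ports for the protocols named in the article. Assumption: services
# listen on their default ports; relocated services need a different check.
RISKY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 389: "LDAP",
               445: "SMB", 1433: "TDS", 1521: "TNS"}

# Constructed sample: `ss -tlnH` output gathered from two hypothetical hosts.
SAMPLE_INVENTORY = {
    "db01": (
        "LISTEN 0 128 0.0.0.0:1433 0.0.0.0:*\n"
        "LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*\n"
        "LISTEN 0 128 [::]:22 [::]:*\n"
    ),
    "legacy-print": (
        "LISTEN 0 5 *:23 *:*\n"
        "LISTEN 0 50 10.0.4.17:445 0.0.0.0:*\n"
        "LISTEN 0 32 127.0.0.1:21 0.0.0.0:*\n"
    ),
}

def split_local(addr):
    """Split 'host:port' (IPv4, '*', or bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """Wildcard binds ('*', '0.0.0.0', '::') are reachable off-host."""
    return host != "*" and ipaddress.ip_address(host).is_loopback

def audit(ss_output):
    """Return sorted (port, protocol, bind address) for risky listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if port in RISKY_PORTS and not is_loopback(host):
            findings.append((port, RISKY_PORTS[port], host))
    return sorted(findings)

if __name__ == "__main__":
    for name, output in SAMPLE_INVENTORY.items():
        for port, proto, bind in audit(output):
            print(f"{name}: {proto} listening on {bind}:{port}")
```

A non-loopback listener is only a candidate for internet exposure; whether it is actually reachable depends on the firewall and NAT rules in front of the host.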
Read the full report for further insights.