author photo
By Cam Sivesind
Tue | Aug 22, 2023 | 2:49 PM PDT

CyCognito has released its semi-annual State of External Exposure Management Report, revealing a staggering number of vulnerable public cloud, mobile, and web applications exposing sensitive data, including unsecured APIs and personally identifiable information (PII). Developed by CyCognito's research division, the report is based on analysis of 3.5 million assets across its enterprise customer base, including a number of Fortune 500 companies.

Key findings from the CyCognito research include:

  • 74 percent of assets with PII are vulnerable to at least one known major exploit, and one in 10 have at least one easily exploitable issue.
  • 70 percent of web applications have severe security gaps, like lacking WAF protection or an encrypted connection like HTTPS, while 25 percent of all web applications (web apps) lacked both.
  • The typical global enterprise has over 12,000 web apps, which include APIs, SaaS applications, servers, and databases, among others. At least 30 percent of these web apps—over 3,000 assets—have at least one exploitable or high risk vulnerability. Half of these potentially vulnerable web apps are hosted in the cloud. 
  • 98 percent of web apps are potentially GDPR non-compliant due to lack of opportunity for users to opt out of cookies.  

Callie Guenther, Cyber Threat Research Senior Manager at Critical Start, offered this perspective and advice:

"Most security teams are likely aware of the risks associated with PII and the potential vulnerabilities that can expose this information. High-profile data breaches frequently make headlines, so the risks associated with PII exposure are well-publicized. However, the specific data points mentioned in the report might come as a surprise, even to seasoned security professionals. The high percentage (74%) of assets with exposed PII susceptible to known major exploits emphasizes that the problem is widespread and persistent, regardless of awareness.

The statistics mentioned underscore a clear point: PII remains highly vulnerable. If 74% of assets with PII are exposed to at least one known major exploit and 10% have an easily exploitable issue, it paints a concerning picture of the current state of external exposure management. It's essential to note that these vulnerabilities exist in the context of known exploits, suggesting that there are recognized solutions or patches that haven't been applied.

  • Regular Vulnerability Scanning and Patching: Organizations should regularly conduct vulnerability scans on their assets and systems to detect potential weaknesses. Once detected, security teams must be diligent in patching these vulnerabilities to protect PII.
  • Multi-Factor Authentication (MFA): Implement MFA wherever possible, especially for systems and platforms containing PII. This provides an additional layer of protection even if credentials get compromised.
  • Encryption: Ensure that all PII, both in transit and at rest, is encrypted. In the event of a data breach, encrypted data is much harder to exploit.
  • Least Privilege Principle: Ensure that employees and systems only have access to the PII that they absolutely need to perform their duties. This minimizes the potential exposure of PII.
  • Regular Training and Awareness Programs: Regularly educate staff about the importance of data protection, safe online behaviors, and how to recognize potential security threats such as phishing.
  • Incident Response Plan: Have a well-defined and regularly updated incident response plan in place. In the unfortunate event of a data breach, a swift and coordinated response can mitigate the impact.
  • Network Segmentation: Segment the network to ensure that if one part of the organization is compromised, it doesn't automatically grant the attacker access to PII or other sensitive areas.
  • External Assessments and Penetration Testing: Regularly engage with third-party security experts to conduct external assessments and penetration testing. This provides an outside perspective on vulnerabilities that internal teams might overlook.
  • Regular Backups: Regularly backup PII and other essential data. In the event of ransomware or other data-compromising attacks, backups can be instrumental in data recovery."

[RELATED: CyCognito will be presenting on external attack surface management at the SecureWorld Denver conference on September 19.]

XM Cyber also recently had some insights into the topic of the state of exposure management in its report titled, "Navigating the Paths of Risk: The State of Exposure Management in 2023."

Key findings from the XM Cyber report include:

  • Organizations typically have 11,000 security exposures that attackers could exploit, and some larger enterprises have more than 20 times that number!
  • On the positive side, 75% of exposed resources lead to dead ends that can't reach critical assets. Deprioritize these and focus on the exposures that have attack paths to critical assets.
  • Only 2% of exposures lie on choke points leading to critical assets. Focusing on these maximizes risk reduction while minimizing remediation workload.
  • Attackers can access 70% of critical assets in on-prem networks in just three steps. It's even worse in the cloud, where 90% of critical assets are just one hop away from initial compromise.
  • 71% of firms have exposures that enable attackers to pivot from their on-prem to cloud environment. Once there, 92% of critical assets lie just one hop away.
  • Techniques targeting credentials and permissions affect 82% organizations and constitute over 70% of all identified security exposures.
  • Seven in 10 firms are vulnerable to prominent remote code execution (RCE) vulnerabilities, but these vulnerabilities collectively exploit less than 3% of critical assets.
  • Endpoint detection and response capabilities cover fewer than half of all devices in 38% of firms.

Zur Ulianitzky, Vice President of Research at XM Cyber, said:

"Organizations can't realistically remediate all exposures in their environment. Even with today's existing prioritization tools, the lists are still too long. Moreover, they don't look at whether these exposures are on an attack path to critical assets. Unfortunately, our industry tends to over-rate everything as critical, while offering very little to help organizations determine whether a risk can be safely ignored, delayed, or otherwise deprioritized. Part of the challenge is that it's very difficult to rule out the possibility that threats and vulnerabilities can negatively impact an organization. This is where seeing the adversary's perspective through attack path analysis is extremely valuable. We're able to determine that the necessary preconditions for exploiting certain paths do not exist (and know if that changes in the future). 

We strongly recommend all organizations take a new approach to remediation efficiency by focusing on the remediation of exposures that lie on choke points, as they provide attackers with a fast track to causing significant harm to the organization. By identifying and ignoring dead ends to reduce workload, organizations can free up resources to focus on choke points for remediation. Be sure to start with the choke points that indicate a large percentage of critical assets are at risk and continue from there. At the same time, organizations must understand that this is not a one-time thing. In complex and ever-changing environments, organizations must have a continuous approach to exposure management."