Only 29% of organizations believe they have sufficient visibility into their attack surface. That’s why, in our new Practical Guide to Reducing Digital Risk, we outline ways to manage and reduce the attack surface and how, by taking an outside-in perspective of the attacker, organizations can identify these untracked IT investments and significantly reduce the attack opportunities presented to an adversary.
Equifax lessons learned
The Equifax breach, which exposed over 140 million customer records, is a good example of why it’s important to get this right. Equifax reported that the breach occurred through an unpatched web application that was vulnerable to an exploit in the Apache Struts framework (CVE-2017-5638). Patches for this vulnerability had been available for two months, and its exploitation was widely known, as many attackers had already been observed exploiting it in campaigns.
Part of the challenge for Equifax (and many other organizations) is knowing what assets exist in the IT estate in the first place. While Equifax may be an extreme example, all companies’ IT departments are playing a constant game of catch-up with their changing organizations and rarely have a complete view of what they are responsible for protecting. Shadow IT has become a very real problem for businesses globally as they grow, merge, and adapt their infrastructures. Even those that have an effective vulnerability management program experience challenges prioritizing the range of work without disrupting IT operations.
Top four types of attack surface risks
When we consider an organization’s internet-facing infrastructure, there are four main aspects of an attack surface to consider.
Digital Shadows SearchLight’s passive data collection has no impact on your network. By aggregating data from open sources, SearchLight gains a broader picture of your network over time. This enables you to prioritize securing the network assets that are most at risk of compromise and exploitation. We provide high-priority alerts that relate to genuine threats to your network infrastructure, not a deluge of CVEs (Common Vulnerabilities and Exposures).
Free tools to get started
While nearly 60% of organizations still have no set schedule to address vulnerabilities or do not do vulnerability scans, tools are available for those who wish to start reducing their attack surface. These include:
Source: Digital Shadows