CyberWire Daily - Enabling connectivity enables exposures. [Research Saturday]

Episode Date: July 17, 2021

Guest Nathan Howe, Vice President of Emerging Technology at Zscaler, joins Dave to discuss his team's work, "2021 “Exposed” Report Reveals Corporate and Cloud Infrastructures More at Risk Than Ever From Expanded Attack Surfaces." The modern workforce has resulted in an increase of users, devices, and applications existing outside of controlled networks, including corporate networks. As a result, the business emphasis on the “network” has decreased and the reliance on the internet as the connective tissue for businesses has increased. Zscaler analyzes the attack surface of 1,500 organizations and identifies trends affecting businesses of all sizes and industries, across all geographies. Key findings include: the attack surface impact based on company size; the countries with the greatest attack surface; and the industries that are most exposed. The research can be found here: “Exposed”: The world’s first report to reveal how exposed corporate networks really are. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So the tool itself basically collects open source intelligence off the internet and puts together that in a way that is, with a bit of a risk rating, easy for the customers to see where they have some exposures. That's Nathan Howe. He's Vice President of Emerging Technology at Zscaler. The research we're discussing today is titled Exposed. It looks at the risks corporate and cloud infrastructures face from expanded attack surfaces.
Starting point is 00:01:58 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement,
Starting point is 00:02:40 connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Importantly for the security professionals amongst us, this is only data collection and only visibility. It is not a penetration test. It is not sending any packets to any
Starting point is 00:03:27 destination service. And what we're looking for is basically open listeners, anything the customers may have out there. So we pull information from other sources to be able to provide that visibility. And that gives us a snapshot at that time as to what their customer is running on their infrastructure, exposed to the open internet. And when I say exposed, it means anybody, not just us, but anybody can see these services running on the internet. Well, so in general, what did you find here?
Starting point is 00:03:56 Is there broad exposure? It's substantial. And this is both interesting and not surprising at the same time. If you think about the idea in which industries have tried to deploy infrastructure to enable connectivity, they're either enabling connectivity for the consumers. So obviously you need to have a website. So those sort of things are somewhat accepted and expected. But then also, as we've gone through the last, especially the last 20 months or so, where we've had an increase of work from home, people needed to provide or have more connectivity to their enterprises. So companies have delivered more and more mechanisms to connect people who were once not really remote workers into remote working
Starting point is 00:04:35 and therefore had to stand up equipment or infrastructure to enable this. So we have seen a substantial uptick of remote access services, whether it be VPNs or remote desktops and those sort of things. Well, let's go through some of the findings here together. I mean, what were some of the key things that you all found in the research? Yeah, a couple of really interesting things that really stood out. One is just the sheer amount of cloud services, as in AWS, Azure, hyperscale, the hype services that enterprises are utilizing. And that's not really a surprise if you think about the commoditization of IT and especially how
Starting point is 00:05:11 a large majority of companies out there really are not IT experts. So they're looking for a service. They pay for a service, get it online as quickly as possible. And those cloud services are providing the path of least resistance. So that's not a surprise. I mentioned before the number of remote access services. We see a lot of those specifically in relation to VPNs, remote access desktops and those things, but also those seem to be in parallel to the level of attacks we've seen from the likes of the report from CISA back in October talking about the top 25 attack vectors for nation-state actors and the top nine were remote access services.
Starting point is 00:05:49 So there's a correlation there of, well, more people working from home, more open gateways, more exposure. Yeah, one of the things that caught my eye here was you tracked attack surfaces relative to the size of a particular company and got some interesting results here. Can you share with us what you found there? Yeah. I mean, I don't think it goes by any surprise to anybody here that a large company has more
Starting point is 00:06:13 IT and therefore more infrastructure on the internet, which is thus possibly available for attack for people. That's why we term it the attack surface. But what's interesting is that the larger a company is, the more they tend to have and the reasons why. Now, I'm not going to draw any concrete reasons behind this. But when I've spoken to my customers, it's generally because a large company tends to be diverse. And they may not have the governance to be able to control all entities that are standing up infrastructure. We have seen that some organizations are actually banning the use of credit card payments through finance
Starting point is 00:06:48 to services like AWS and Azure to stymie or to stop people in the company just going and buying a resource without going through the appropriate change procedures. But also we've seen it with customers who needed to go and deliver something very quickly. So we see that kind of speed that happens in the larger industries tends to be slowed down by change process. So they go outside the process and go and hire a third-party developer to spin up something.
Starting point is 00:07:14 So that's why we see that enterprises in the larger space have this larger attack surface. And also they have less reliance, or more reliance on IT than the smaller companies who have perhaps less reliance on IT. Yeah, that's fascinating. And so, I mean, do the larger companies then, as I would expect, have greater resources to help protect themselves as well? One would hope. There is definitely a shortage of IT security professionals in the industry.
Starting point is 00:07:42 And we all know that and have seen that. So I guess that's also one reason why perhaps we're seeing more of this exposure, but clearly we'd like to see the larger organizations taking more responsibility for these things. And perhaps they are for core services. What tends to be the case is the idea of technical debt, things that get left behind or forgotten about and perhaps overlooked. And those in themselves, I can speak from personal experience in my life. In my previous job when I used to work at Nestle, we saw this all the time.
Starting point is 00:08:11 There was somebody who'd moved on and we'd forgotten about their infrastructure they ran. So it's the size of a company obviously is challenging, but also then that shortage of IT security professionals. And I guess the commoditization that anyone can spin up an IT service nowadays in the cloud with a credit card makes it challenging for enterprises to control. Yeah, that is interesting.
Starting point is 00:08:32 That whole notion of having almost, I mean, I can imagine an organization having someone whose responsibility is to kind of root out those forgotten things that have been spun up, like you say. But it's so easy to overlook that. Absolutely. And actually, interestingly enough, I had a customer last week who mentioned to me very concretely,
Starting point is 00:08:54 I know more about the internet than I know about my internal network. And that's fascinating. But then when they doubled down on that, they explained that they know where YouTube is. It's advertised. They can look it up and find out where the servers are. They know where Facebook is.
Starting point is 00:09:08 They know how to proxy that information if they want to put it through a security gateway. But their internal network, because it's just years and years and years of lack of inventory or of technical debt, there's so many things that are unknown. And there's so many parts of the infrastructure that work together in a way that have not been documented. So they're afraid to turn something off because who knows what the impact will be. So it's kind of the mindset of it's running, let it be,
Starting point is 00:09:33 rather than go and figure out what it is. Yeah. Right, right. Yeah, you hear, you see those sort of maybe apocryphal stories about people going through code and they find code that's commented that says, we have no idea what this does, but we're afraid to take it out. Exactly. It's no different for corporate infrastructure either.
Starting point is 00:09:54 Right, right. Well, another area that you all dug into here was looking specifically at different geographies. Can you take us through what you found there and what that means? Yeah. And that's actually a fun one. I've discussed a few times with my colleagues. So the primary, the largest region, like geographical region that we found with the most numbers of exposed services was the European and Middle East and Africa, so EMEA. And when we looked at this, we couldn't really draw any one reason behind this. But it actually was a colleague of mine. So I'm an Australian who lives in Germany. And I have a French colleague who pointed this out to me and said, well, Europe is diverse.
Starting point is 00:10:33 There's the French team. There's the German team. There's the Austrian team. There's the Swedish team. And we all do things differently. And I thought about that. And I'm not saying that's the correlative point, but it could be one of the causes that EMEA has such a higher number compared to the APJ or American regions.
Starting point is 00:10:50 It could also be that there is more of a security focus in parts of the world like in the Americas. And also that APJ is perhaps one of the areas where we perform maybe less scans and haven't got the right number to kind of equalize the base vision there. But I do enjoy the idea of thinking about that EMEA probably has a diversity of organizations and different teams and different ways of working, which is the charm of Europe, of course, but also then clearly could be a security risk as well. Yeah, that's fascinating that perhaps there's a, I don't know, an additional translation layer at play there that could either slow things down or be an impediment. Absolutely. I mean, writing an application for the German market
Starting point is 00:11:32 isn't going to translate into the French one, even though it's 100 kilometers away from each other in certain parts of the countries, right? So the geography does actually play into it, and you have to consider how you're going to get the people to consume those applications at the same time, host them, and maybe do you do them differently for different regions. So, yeah, that is certainly a challenge I'm sure that most of the big enterprises have to face. Yeah. Another thing that you all dug into here was looking at attack services industry by industry and some interesting data you gathered here. What caught your eye?
Starting point is 00:12:06 Two main ones that I think are actually really interesting, and they certainly have the highest numbers if you look at them from an overall scale. But telecommunications industry had the highest level of high-risk vulnerabilities or high-risk services online. And that's not really a surprise given that telecommunications companies need to provide backwards-compatible functionality for all sorts of technology out there, whether it be someone running an old version of a web browser or whether it be some old version of a mail client that they have to support for some contractual obligation they have as a managed service provider.
Starting point is 00:12:41 I don't know. Any of these things certainly pop up as challenges for telecommunications providers. But the other industry that really took me back was actually when I saw that the food service, the hospitality industry, was one of the largest that had exposed services online. And it's specifically around the public cloud.
Starting point is 00:13:01 And again, this comes back to the point I mentioned a bit earlier, Dave, was we have infrastructure that, or we have companies that are not IT specialists. They need to get infrastructure or service running. And specifically within the last 18 months or so with the pandemic, companies that had to adapt from being face-to-face service to now I need to scan a QR code
Starting point is 00:13:21 to be able to transact with you to then send you the food. They've had to rethink the way in which they've done that. So there's no doubt being a creation and establishment of new infrastructure, most likely in cloud providers. In addition, like I look at that from my background from Nestle and they're a food service company. They're just going to go and get food made.
Starting point is 00:13:42 IT is kind of a service, much like water or electricity. It's part of the product, but it's not the key product. And so it's not as the biggest focal point as it would be for an IT security company or IT professional company. So those are two of the most interesting sets of results that came out of this scan. Yeah, it's really striking looking through
Starting point is 00:14:04 some of the charts and graphs that you include in the report that, you know, in many of them, things sort of move along and you see, oh, some different verticals have different numbers, but then you get to restaurant bars and food services and it's like, kabam. I mean, it is stark how much they stand out compared to other industries. Yeah. I mean, two things for me, as I said, is that the pandemic moved them into being kind of either you become digitized or you die, unfortunately.
Starting point is 00:14:33 I think maybe that's a bit harsh to say, but if you think about it with the need of social distancing and certainly lockdowns in certain parts of the world, that made a lot of sense to be able to get technology online and operative for them. And the second part is, as I said, they're not security-focused specialists. They just want to have a function. So it doesn't surprise me to see those things spiraling up, but without the thought of, I need to lock this down, restrict access, et cetera, et cetera.
Starting point is 00:14:59 Well, so what are the takeaways from this report? When you look at all the information that you gathered here, what are the lessons learned? I think the key thing is visibility allows everyone, allows you to be informed and being informed allows you to take action. And a lot of our companies and customers we've worked with here who we've performed the scans with, we're not aware of these things. So awareness starts with visibility, of course, and then they need to move into taking action to be decisive about that. So I'd say, number one, really, we need to be aware of what's going on. Second thing is we need to consider the way in which we're going to move forward. And if you go back to the phrasing of zero trust and all
Starting point is 00:15:40 the funky buzziness around that, the thing I like to call it the most around that is it's about providing access to only those who are authorized to get access. Everything else is dark, it's gone, it shouldn't be there. But to get to that point and understanding who should get access to what, we need to look at what these enterprises have. So take the visibility, understand what you have, and then ask the question, does the entirety of the internet need access to this service? If the answer is no, then you already have a good path forward to go and segment that off, protect it, isolate it, move it behind a different control set. If the answer is yes, of course, you have to address with different sets of controls. But that segmentation and understanding
Starting point is 00:16:19 that you should not have all these services available to the entirety of the internet is a pretty big step forward. So I think those two things are critical. Visibility, then segmentation, isolation. And the third is, as I said, take action and remove, utilize platforms, foundations like Zero Trust to remove access, remove that attack surface. That would be my three main steps to call out. When you're working with the folks that you work with,
Starting point is 00:16:45 with your customers, I mean, is there, do they know what they don't know? Is there an awareness that they have these sorts of exposures or is that a bit of an eye-opener for them? There's no real black and white answer to that, Dave. I think there's a bit of everybody and in between. Yeah. Yeah, and it's, again, it depends on how mature they are as an organization and their security
Starting point is 00:17:08 landscape. We see everything in between. And I think the key thing here about all of this is not to point a finger at somebody and say, you've done something wrong because nobody's put a service on the internet maliciously. I mean, not really. That's never really going to happen. What is happening is someone's putting the service on the internet to empower the business. And they probably don't understand the implications of that. So when we do point this out to them, and we do have that
Starting point is 00:17:33 conversation with them, it's about understanding that it's a visible point. You're seeing a snapshot in time. No one's done anything wrong, but let's take this and let's try and find a path to make things better. Not say you've done something wrong or you don't have visibility or you should have seen this and you didn't. It's very ignorant of you. No, no, no. It's really to say, be aware. So you have that intelligence so you can go and make those decisions, whatever that decision may be for your business. Our thanks to Nathan Howe from Zscaler for joining us. The report is titled Exposed. We'll have a link in the show notes.
Starting point is 00:18:21 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your
Starting point is 00:18:53 company safe and compliant. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Justin Sabe, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
