Despite their domain expertise, many cybersecurity vendors are just as vulnerable to cyber-borne threats as the customers their technologies are designed to protect.
Israel-based security firm Reposify recently used its external attack surface management platform to examine the external assets and networks of 35 major cybersecurity suppliers and more than 350 of their subsidiaries over a two-week period. Reposify’s 24/7 internet checks – like those performed by other vendors in the space – are designed to help organizations understand their attack surface and exposure so they can enhance existing controls or implement new ones when needed.
Reposify focused on externally facing infrastructure, applications, and user profiles, says Yaron Tal, founder and CTO of Reposify. This included databases hosted in the cloud; remotely accessed websites; web-facing applications; internal network assets, such as port maps, routers, switches, web servers, storage, and backups; and development tools, he says.
The company’s surveys showed that a high percentage of cybersecurity vendors are seriously vulnerable to many of the same threats they are supposed to help protect against. Nearly nine in 10 (86%) of the cybersecurity companies analyzed had at least one sensitive remote access service exposed to the Internet, and 80% had exposed network assets. Sixty-three percent of vendors had office networks that were directly accessible online, just over half (51%) had at least one exposed database, and 40% had exposed development tools.
Reposify found that, like organizations in other industries, nearly all cybersecurity vendors are at high risk of data loss and compromise from poorly protected data on public cloud services. About 97% of the cybersecurity vendors that Reposify examined over the two-week period – in other words, almost all of them – had exposed data assets on Amazon Web Services (AWS) and other cloud infrastructure. About 42% of those assets could be classified as either high risk or critical, Reposify said.
“Only one of those stats is worrying enough,” Tal says. “But the consolidation points to an urgent need for the industry to better practice what it advocates.”
Tal says the results are consistent with what Reposify has seen in the financial, pharmaceutical and gaming sectors. Similar surveys conducted by Reposify of companies in the pharmaceutical sector showed that 92% of them had exposed databases, while 55% of organizations in the gaming industry and 23% in the finance sector had the same problem. What is different about cybersecurity companies, he notes, is that they must know the risks of exposed assets on the Internet.
Richard Stiennon, senior research analyst at IT-Harvest, says he’s not surprised that security vendors are in line with the average organization in the number of exposed assets. “Like any organization, security service vendors are driven to grow and increase revenue,” he says.
Their technical prowess is focused on innovation and protecting their customers. As at any company, their internal security personnel are secondary to the IT infrastructure and support needed for their operations. “They hire many CISOs who are just extensions of sales and marketing and don’t really have a security staff,” Stiennon says.
Expanding digital footprints
A large part of the problem has to do with the fact that organizations – including cybersecurity companies – have a large number of assets that they simply do not know about and therefore do not protect. This can include assets such as sensitive data, devices, and other digital components that support information or communications-related activities, Tal says.
Trends such as cloud adoption, the move to hybrid workplaces, and an increasing reliance on third-party vendors for IT and other services have dramatically expanded the digital footprint, and have left a lot of data and devices that security teams cannot see.
“Assets exist within the informal perimeter such as IT-related shadow services, pop-up cloud instances, [and] cloud instances are online for an abnormally long time without corporate domains attached,” he says. Also at risk are staging and testing environments, forgotten databases, development tools, and network assets that the IT security team is not aware of.
About 91% of the exposed web servers in cybersecurity vendor environments were either Nginx or Apache, according to Reposify data. Eighty-eight percent of exposed web servers were accessible via OpenSSH. Other commonly exposed remote access protocols included Telnet (33%) and SMB services (30%). Nearly three-quarters (72%) of the cybersecurity vendor databases that Reposify found exposed during its online surveys were PostgreSQL databases, followed by OracleDB (50%), MySQL (28%), and Microsoft SQL (21%).
Reposify’s results are not meant to blame cybersecurity vendors for poor security practices, Tal says. They are meant to illustrate that no one is immune to the risks of exposed Internet assets.
“It is easy to assume that cybersecurity companies will be the most secure against modern cyber threats, but even experts are vulnerable to blind spots created by expanding digital footprints,” he notes.