The rise of successful ransomware attacks in 2020 speaks volumes: companies have either lost sight of potential gateways for online attacks, or never had a handle on them in the first place. Attackers routinely use information published on corporate websites and in other public sources to build a picture of an organisation's network infrastructure, and they use that picture to their advantage when delivering attacks. They simply collect the clues that are already in the public domain, then install malware and steal confidential data.
This year, all IT departments should set themselves a resolution: 2021 is the year to trace and minimise all attack vectors.
From a security perspective it is a well-known fact that companies expose more information about their infrastructure online than they should. An incorrectly configured service leaves traces on the web, while poorly secured development environments virtually invite attackers in, giving them access to shared meeting calendars, media files, and even routers, which can in turn expose further data. Worse, hardware infrastructure connected to the internet makes it remarkably easy for attackers to learn more about a company's infrastructure. A firewall, for example, acts as the boundary between the internal and external network, but in doing so it can unintentionally give outsiders insight into the company structure: its public hostname, reverse DNS entry or TLS certificate may openly publicise network names or domains that are otherwise used only in internal environments.
This kind of open-source intelligence (OSINT) on infrastructure hostnames, such as ras.company.com or vpneur.company.com, lets attackers infer that remote access services exist and that there is VPN access for Europe. Access-restricted resources, such as msql.company.com:1433 for live databases or connect.company.com for access portals, also let attackers collect information about a company online, and this information can then be used to determine potential points of entry for an attack. Such hostnames surface in DNS records, certificate transparency logs and search engines, so the data is freely available online, often without the affected company being aware of the risks involved. Attackers use this publicly accessible information to identify weaknesses and access points in the company network.
Companies unaware of attack vectors
There are many reasons why companies have lost sight of the potential attack surfaces hidden in plain sight within their own IT infrastructure. The exceptional circumstances of the past year have undoubtedly contributed to the fact that companies are publishing more information than necessary about their remote access infrastructure online. In 2020, companies were forced to rapidly make systems available to staff via remote access on a huge scale. But the problem cannot be attributed solely to the impact of the global health crisis; there are many other reasons why companies can easily lose sight of their IT infrastructure.
Possible dangers include employees with responsibility for maintaining network assets leaving the company, outdated infrastructure components that are forgotten about and that no one has responsibility for, or a basic lack of processes and inventories for existing network components and online services. Risks can also arise from development environments, which are frequently less secure than production environments. The fact that virtually anyone can set up a service is also a threat. If the person setting up the service is not an expert, if the work is haphazard, or if responsibilities are not clearly defined, dangerous and uncontrolled proliferation online becomes the price for simplicity. Companies must understand that any online service could be visible to anyone. This means that any internet user could come knocking on the company’s online door and—if the security solutions in place are not adequate—cross the threshold into the network completely unquestioned.
The right way to handle online expansion
Putting information in the public domain and entering into a dialogue with others about it is part and parcel of using the internet. However, all services and assets must be protected with appropriate security measures. An online shopping website needs to be accessible to users, but it should not provide unnecessary access to information such as a customer database. The first decision that companies need to make when choosing their security solution is which information they wish to make available to everyone and which data should only be available to a restricted circle of users.
The number-one priority when reducing gateways for an attack is to define security levels for different user groups. Drawing a distinction between internal and external target audiences can serve as the basic framework for categorisation. Internally, certain groups will need access to applications while the support team will need more comprehensive access rights. The administrators who manage the applications will also require enhanced rights. Access must be defined on a granular level. Externally, a distinction should be made between user scenarios involving customers or other third parties. For each user base, companies must develop a controlled security level based on granular segmentation, specific to the user group's needs. For companies, the challenge with this kind of setup lies in its complexity. Traditional segmentation techniques based on manual interaction increase the risk of errors.
The zero trust principle, applied through automated security, can be a solution to this dilemma. Based on the user's identity and access rights, the system exposes only the services and data that the user needs and isolates everything else. This principle can be deployed in cloud-based services and applications as well as in physical networks. By isolating and segmenting at the level of individual applications, an attacker who manages to get into one system can no longer manoeuvre laterally across the company network; the reach of a compromised account shrinks to exactly what that identity was allowed to use in the first place. To pursue this segmentation concept, companies first need to do their homework and fully understand how their infrastructure is exposed online.
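As an added illustration of the per-user-group, per-application segmentation described in the two paragraphs above (this is example code written for this page, not code from the article or from any Zscaler product), here is a minimal default-deny policy evaluator in Python. Application names, group names and users are hypothetical placeholders; a real deployment would take identity and group membership from the identity provider. The example models the groups named above (staff, support, administrators, external customers) and contrasts what a compromised staff account can reach under per-application policy with what it could reach on a flat internal network behind a single perimeter firewall.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An authenticated identity and the groups the identity provider asserts for it."""
    user: str
    groups: frozenset
    external: bool = False  # True for customers and other third parties


# Per-application policy: application -> {group -> actions that group may perform}.
# Assumption: application and group names are hypothetical placeholders.
POLICY = {
    "shop-front":   {"customer": {"read"}, "staff": {"read"}, "admin": {"read", "configure"}},
    "crm-web":      {"staff": {"read"}, "support": {"read", "write"}, "admin": {"read", "write", "configure"}},
    "customer-db":  {"admin": {"read", "write", "configure"}},
    "build-server": {"developer": {"read", "write"}, "admin": {"read", "write", "configure"}},
}


def authorize(principal, app, action):
    """Default deny: allowed only if one of the principal's groups is explicitly
    granted this action on exactly this application."""
    rules = POLICY.get(app)
    if rules is None:
        return False  # an application nobody has listed is reachable by nobody
    return any(action in rules.get(group, set()) for group in principal.groups)


def reachable_apps(principal):
    """Applications the principal can see at all under the per-application policy."""
    return {app for app, rules in POLICY.items()
            if any(group in rules for group in principal.groups)}


def flat_network_reachable(principal):
    """Contrast case: a perimeter firewall in front of a flat internal network.
    Anyone inside can at least reach every internal service, which is exactly
    what a compromised account uses to move laterally."""
    return set() if principal.external else set(POLICY)


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"staff"}))
    print("alice under per-application policy:", sorted(reachable_apps(alice)))
    print("alice on a flat internal network:  ", sorted(flat_network_reachable(alice)))
```

The design point is the `None` branch in `authorize`: an application that nobody has registered in the policy is reachable by nobody, which is the opposite of the flat-network default where anything forgotten on the inside is reachable by everything on the inside.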
Analysing attack gateways
All services or hardware hosted online provide a potential attack surface. Companies must obtain a full picture of what is exposed online before they can put the necessary security in place. Tools that identify this open-source intelligence and highlight where action needs to be taken can be helpful in this process.
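The hostname examples given earlier (ras.company.com, vpneur.company.com, msql.company.com:1433, connect.company.com) and the triage step described in this section can be shown with a small Python script. This is an added example written for this page, not a Zscaler tool or code from the article. It takes a list of hostnames of the kind that can be harvested from public sources (DNS, certificate transparency logs, search engines), flags naming hints that suggest remote access, databases, non-production systems, network devices or access portals, adds a heavier weight for a sensitive service port that is visible at all, and ranks the results so the entries most worth a closer look come first. The sample list is constructed: the first four entries are the article's own, the rest are made up, and the keyword lists are illustrative assumptions to be tuned to an organisation's own naming scheme.

```python
import re

# Constructed sample of hostnames as harvested from public sources.
# The first four are the article's examples; the rest are invented for illustration.
SAMPLE_HOSTNAMES = [
    "ras.company.com",
    "vpneur.company.com",
    "msql.company.com:1433",
    "connect.company.com",
    "www.company.com",
    "mail.company.com",
    "dev-jenkins.company.com",
    "staging-api.company.com",
    "fw01-corp.company.com",
]

# Naming hints that usually mean "more sensitive than a public web site".
# Assumption: these keyword lists are illustrative, not exhaustive.
PATTERNS = [
    (re.compile(r"(^|[-.])(ras|vpn|remote|citrix|rdp)"), "remote-access"),
    (re.compile(r"(^|[-.])(m?sql|mysql|postgres|oracle|db|mongo|redis)"), "database"),
    (re.compile(r"(^|[-.])(dev|test|staging|uat|qa|jenkins|gitlab)"), "non-production"),
    (re.compile(r"(^|[-.])(fw|firewall|gw|router|asa)"), "network-device"),
    (re.compile(r"(^|[-.])(connect|portal|sso|login|adfs)"), "access-portal"),
]

# Service ports that have no business being reachable from the open internet.
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5432: "postgresql"}

# Weight per finding; an exposed sensitive port outweighs any single naming hint.
CATEGORY_WEIGHT = {"database": 2, "remote-access": 2, "network-device": 2,
                   "non-production": 1, "access-portal": 1}
EXPOSED_PORT_WEIGHT = 3


def parse_entry(entry):
    """Split 'host[:port]' into (lower-cased host, port or None)."""
    host, _, port = entry.partition(":")
    return host.lower(), (int(port) if port.isdigit() else None)


def classify(entry, apex):
    """Return (subdomain labels, port, set of findings) for one harvested entry."""
    host, port = parse_entry(entry)
    sub = host[:-len(apex) - 1] if host.endswith("." + apex) else host
    findings = {category for rx, category in PATTERNS if rx.search(sub)}
    if port in SENSITIVE_PORTS:
        findings.add("exposed-" + SENSITIVE_PORTS[port])
    return sub, port, findings


def score(findings):
    """Sum the weights of all findings for one entry."""
    return sum(EXPOSED_PORT_WEIGHT if f.startswith("exposed-") else CATEGORY_WEIGHT.get(f, 0)
               for f in findings)


def triage(entries, apex):
    """Rank harvested entries so the ones most worth a closer look come first."""
    rows = []
    for entry in entries:
        sub, port, findings = classify(entry, apex)
        rows.append({"entry": entry, "label": sub, "port": port,
                     "findings": sorted(findings), "score": score(findings)})
    rows.sort(key=lambda r: (-r["score"], r["entry"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTNAMES, "company.com"):
        print(f'{row["score"]:>2}  {row["entry"]:<28} {", ".join(row["findings"]) or "-"}')
```

On the constructed list the database host with port 1433 visible ranks first, the remote access, VPN and firewall hostnames follow, and www and mail score zero. A score of zero does not mean a host is safe; it only means the name gives nothing away, and it should still be inventoried and assigned an owner.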
Not everything that can be accessed online needs to be there, unsecured, and available to everyone. Only when a company understands its open attack vectors can it take action on security and establish appropriate segmentation and isolation rules for applications via a zero trust model. This will ensure that applications can only be accessed by authorised users—closing the doors to attackers.
To learn about your attack surface, contact us for an internet attack surface analysis, which queries public sources to uncover the servers, namespaces, vulnerabilities, and cloud instances that are currently visible to the open internet.
Learn how to prevent cloud misconfigurations automatically with Zscaler Cloud Security Posture Management (CSPM).
Learn how Zscaler Workload Segmentation enables zero trust security to prevent lateral movement and stop threats.
Read about the five attributes of the Zero Trust Exchange.