Enabling connectivity enables exposures.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Nathan Howe: So, the tool itself basically collects open-source intelligence off the Internet and puts together that in a way that is with a bit of a risk rating, easy for the customers to see where they have some exposures.
Dave Bittner: That's Nathan Howe. He's Vice President of Emerging Technology at Zscaler. The research we're discussing today is titled, "Exposed." It looks at the risks corporate and cloud infrastructures face from expanded attack services.
Nathan Howe: Importantly for the security professionals amongst us, this is only data collection and only visibility. It is not a penetration test. It is not sending any packets to any destination service. And what we're looking for is basically open listeners, anything the customers may have out there. So, we pull information from other sources to be able to provide that visibility. And that gives us a snapshot at that time as to what their customer is running on their on their infrastructure exposed to the open Internet. And when I say exposed, it means anybody – not just us – but anybody can see these services running on the Internet.
Dave Bittner: Well, so, in general, what did you find here? Is there broad exposure?
Nathan Howe: It's substantial. And both of this is – it's interesting, but also not surprising at the same time. If you think about the idea in which industries have tried to deploy infrastructure to enable connectivity, they're either enabling connectivity for the consumers, so obviously you need to have a website. So those sort of things are somewhat accepted and expected. But then also, as we've gone through the last – especially the last twenty months or so where we've had an increase of work from home, people needed to provide or have more connectivity to their enterprises. So companies have delivered more and more mechanisms to connect people who were once not really remote workers into remote working, and therefore, have had to stand up equipment or infrastructure to enable that. So we have seen a substantial uptick of remote access services, whether it be VPNs or remote desktops, and those sort of things.
Dave Bittner: Well, let's go through some of the findings here together. I mean, what were some of the key things that you all found in the research?
Nathan Howe: Yeah, a couple of really interesting things that really stood out. One is just the sheer amount of cloud services – as in AWS, Azure, hyperscale-type services – that enterprises are utilizing. And that's not really a surprise if you think about the commoditization of IT, and especially how a large majority of companies out there really are not IT experts, so they're looking for a service. They pay for a service to get it online as quickly as possible, and those cloud services are providing the path of least resistance. So that's not a surprise.
Nathan Howe: I mentioned before the number of remote access services. We see a lot of those specifically in relation to VPNs, remote access desktops, and those thing, but also, those seem to be in parallel to the level of attacks we've seen, from the likes of the report from CISA back in October, talking about the top twenty-five attack vectors for nation-state actors, and the top nine were remote access services. So there's a correlation there of, well, more people working from home, more open gateways, more exposure.
Dave Bittner: Yeah, one of the things that caught my eye here was you tracked attack surfaces relative to the size of a particular company and got some interesting results here. Can you share with us what you found there?
Nathan Howe: Yeah. I mean, I don't think it goes by any surprise to anybody here that a large company has more IT and therefore more infrastructure on the Internet, which is thus possibly available for attack for people – that's why we term it the "attack surface." But what's interesting is that the larger a company is, the more they tend to have, and the reasons why. Now, I'm not going to draw any concrete reasons behind this, but when I've spoken to my customers, it's generally because it's been – a large company tends to be diverse, and they may not have the governance to be able to control all entities that are standing up infrastructure. We have seen that some organizations are actually banning the use of credit card payments through finance to services like AWS and Azure to stymie these, like, people in the company just going and buying a resource without going through the appropriate change procedures.
Nathan Howe: But also we've seen it with customers who needed to go and deliver something very quickly. So we see that kind of speed that happens in larger industries tends to be slowed down by change process, so they go outside the process and go and hire a third-party developer to spin up something. So that's why we see that enterprises in the larger space have to have this larger attack surface, and also they have more reliance on IT than the smaller companies who have perhaps less reliance on IT.
Dave Bittner: Yeah, it's fascinating. And so, I mean, do the larger companies then – as I would expect – you know, have greater resources to help protect themselves as well?
Nathan Howe: One would hope. There is definitely a shortage of IT security professionals in the industry, and we all know that and we've seen that. So I guess that's also one reason why perhaps we're seeing more of this exposure. But clearly, we'd like to see the larger organizations taking more responsibility for these things, and perhaps they are for core services. What tends to be the case is the idea of technical debt – things that get left behind or forgotten about and perhaps overlooked. And those in themselves, I can speak from personal experience in my life. In my previous job, when I used to work at Nestlé, we saw this all the time. There was somebody who'd moved on and we'd forgotten about their infrastructure they ran. So, it's the size of a company – obviously is challenging – but also then that shortage of IT security professionals. And I guess the commoditization that anyone can spin up an IT service nowadays in the cloud with a credit card makes it challenging for enterprises to control.
Dave Bittner: Yeah, that is interesting – that whole notion of, you know, almost – I mean, I can imagine an organization having someone whose responsibility is to kind of root out those forgotten things that have been spun up, like you say, you know, but it's so easy to overlook that.
Nathan Howe: Absolutely. And actually, interestingly enough, I had a customer last week who mentioned to me very concretely, "I know more about the Internet than I know about my internal network." And that's fascinating. But then when they doubled down on that, they explain that they know where YouTube is. It's advertised. They can look it up and find out where the servers are. They know where Facebook is. They know how to proxy that information if they want to put it through a security gateway. But their internal network, because it's just years and years and years of lack of inventory, of technical debt, there's so many things that are unknown, and there's so many parts of infrastructure that work together in a way that have not been documented. So they're afraid to turn something off because who knows what the impact will be? So it's kind of the mindset of, it's running, let it be, rather than go and figure out what it is.
Dave Bittner: Yeah, right, right. (Laughs) Yeah, you see those sort of maybe apocryphal stories about people going through code and they find code that's commented that says, we have no idea what this does, but we're afraid to take it out. (Laughs)
Nathan Howe: (Laughs) Exactly. It's no different for corporate infrastructure either.
Dave Bittner: Right, right. Well, another area that you all dug into here was looking specifically at different geographies. Can you take us through what you found there and what that means?
Nathan Howe: Yeah, and that's actually a fun one I have discussed a few times with my colleagues. So the primary, the largest regional geography or geographical region that we found with the most numbers of exposed services was the European, the Middle East, and Africa – EMEA. And when we looked at this, we couldn't really draw any one reason behind this. But it actually was a colleague of mine – so, I'm an Australian who lives in Germany and I have a French colleague who pointed this out to me and said, well, Europe is diverse. There's the French team, there's the German team, there's the Austrian team, there's the Swedish team, and we all do things differently. And I thought about that and that – I'm not saying that's the correlative point, but it could be one of the causes why EMEA has such a higher number compared to the APJ or American regions.
Nathan Howe: It could also be that there is a more of a security focus in parts of the world, like in the Americans, and also that APJ is perhaps one of the areas where we perform maybe less scans and haven't got the right number out to kind of equalize the base of vision there. But I do enjoy the idea of thinking about EMEA probably has a diversity of organizations and different teams, different ways of working, which is the charm of Europe, of course, but also then clearly could be a security risk as well.
Dave Bittner: Yeah, that's fascinating that perhaps there's a – I don't know, an additional translation layer at play there that could either slow things down or be an impediment.
Nathan Howe: Absolutely. I mean, running an application for the German market isn't going to translate into the French one, even though it's a hundred kilometers away from each other in certain parts of the countries. So, the geography does actually play into it. And you have to consider how are you going to get the people to consume those applications at the same time, host them, and maybe do you do them differently for different regions? So, yeah, that is certainly a challenge I'm sure that most of the big enterprises have to face.
Dave Bittner: Yeah. Another thing that you all dug into here was looking at attack surfaces industry-by-industry, and some interesting data you gathered here. What caught your eye?
Nathan Howe: Two main ones that I think are actually really interesting, and they certainly have the highest numbers if you look at them from an overall scale. But telecommunications had the highest – the telecommunication industry had the highest level of high-risk vulnerabilities or high-risk services online. That's not really a surprise, given that telecommunications companies need to provide backwards-compatible functionality for all sorts of technology out there, whether it be someone running an old version of a Web browser or whether it be some old version of a mail client that they have to support for some contractual obligation they have as a managed service provider. I don't know. Any of these things certainly pop up as challenges for telecommunications providers.
Nathan Howe: But the other industry that really took me back was actually when I saw that the food service, the hospitality industry, was one of the largest that had exposed services online, and specifically around the public cloud. And again, this comes back to the point I mentioned a bit earlier, Dave, was we have infrastructure – or we have companies that are not IT specialists. They need to get infrastructure and service running. And specifically within the last 18 months or so with the pandemic, companies that had to adapt from being face-to-face service to now I need to scan a QR code to be able to transact with you to then send you the food – they've had to rethink the way in which they've done that. So there's no doubt been a creation and establishment of new infrastructure, most likely in cloud providers.
Nathan Howe: In addition, like, I look at that from my background from Nestlé and there a food service company – they're just going to go and get food made. IT is part of – it's kind of a service, much like water or electricity. It's part of the product, but it's not the key product. And so it's not as big a focal point as it would be for an IT security company or IT professional company. So those are two of the most interesting sets of results that came out of the scan.
Dave Bittner: Yeah, it's really striking looking through some of the charts and graphs that you included in the report. That, you know, in many of them, things sort of move along and you see some different verticals have different numbers, but then you get to restaurant, bars, and food services and it's like, kabam! I mean, it is stark how much they stand out compared to other industries.
Nathan Howe: Yeah. I mean, two things for me, as I said, is the pandemic's moved them into being kind of – either you become digitized or you die, unfortunately. I think maybe that's a bit harsh to say, but if you think about it, with the need of social distancing and certainly lockdowns in certain parts of the world, that made a lot of sense to be able to get technology online and operating for them. And the second part is, as I said, they're not security-focused specialists. They just want to have a function. So it doesn't surprise me to see those things spiraling up, but without the thought of, I need to lock this down, restrict access, et cetera, et cetera.
Dave Bittner: Well, so what are the takeaways from this report? When you look at all the information that you gathered here, what are the lessons learned?
Nathan Howe: I think the key thing is, visibility allows you to be informed, and being informed allows you take action. And a lot of our companies and customers we've worked with here who we've performed the scans with were not aware of these things. So, awareness starts with visibility, of course, and then they need to move into taking action to be decisive about that. So I'd say, number one, really we need to be aware of what's going on.
Nathan Howe: Second thing is we need to consider the way in which we are going to move forward. And if you go back to the phrasing of zero-trust and all of the funky buzziness around that, the thing I like to talk to the most around that is it's about providing access to only those who are authorized to get access. Everything else is dark. It's gone. It shouldn't be there. But to get to that point and understanding who should get access to what, we need to look at what these enterprises have. So take the visibility, understand what you have, and then ask the question, does the entirety of the Internet need access to this service? If the answer is no, then you already have a good path forward to go and segment that off, protect it, isolate it, move it behind a different control set. If the answer is yes, of course you have to address it with different sets of controls. But that segmentation and understanding that you should not have all these services available to the entirety of the Internet is a pretty big step forward.
Nathan Howe: So, I think those two things are critical – visibility then segmentation, isolation. And the third is, as I said, take action and remove utilized platforms, foundations, like zero-trust to remove access, remove that attack surface. That would be my three main steps to call out.
Dave Bittner: When you're working with the folks that you work with, with your customers, I mean, is there – do they know what they don't know? Is is there an awareness that that they have these sorts of exposures or is that a bit of an eye opener for them?
Nathan Howe: There's no real black-and-white answer to that, Dave. I think there's a bit of everybody in between.
Dave Bittner: Yeah.
Nathan Howe: And again, it depends on how mature they are as an organization in their security landscape. We see everything in between. And I think the key thing here about all of this is not to point a finger at somebody and say you've done something wrong, because nobody's put a service on the Internet maliciously. I mean, not really. That's never really going to happen. What what's happening is someone's putting the service on the Internet to empower the business, and they probably don't understand the implications of that. So when we do point this out to them and we do have that conversation with them, it's about understanding that it's a visible point. You're seeing a snapshot in time. No one's done anything wrong. But let's take this and let's try and find a path to make things better, not say you've done something wrong or you don't have visibility or you should have seen this and you didn't and it's very ignorant of you. No, no, no. It's really to say be aware, so you have that intelligence, so you can go and make those decisions, whatever decision may be for your business.
Dave Bittner: Our thanks to Nathan Howe from Zscaler for joining us. The report is titled, "Exposed." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
