Defensive Playbook: Understanding New Trends in External Risk with CyCognito’s State of External Exposure Management Report

We just published our 2024 State of External Exposure Management Report. In this report, we looked at where serious issues hide on the average attack surface, how basic protections can help (or fail to) protect critical assets, and the ways that deprioritizing issues can help security teams spend their time on the right vulnerabilities. 

Data for this report was aggregated and normalized from the external attack surfaces of our customers, primarily Fortune 500 global enterprises, along with some insights for specific industries.

Our goal is to provide guidance that can help security teams regardless of organization or size better understand their attack surfaces and software supply chains so they can more efficiently target the real risks to their organizations. Check out the full report here and read on to see some of the highlights. 

Some Key Insights 

• Web server environments, including platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, were the host of one in three (34%) of all severe issues across surveyed assets. 
• 15% of all severe issues on the attack surface affect platforms using TLS or HTTP protocols. TLS issues are significant for all network-delivered data, but web apps especially so; web apps lacking encryption are currently ranked #2 of the OWASP Top 10. 
• Only half of surveyed web interfaces that handle personally identifiable information (PII) were protected by a WAF. 
• Despite HTTPS celebrating its 30th birthday this year, almost one in three (31%) of surveyed web interfaces failed to implement it. 
• More than 60% of the web interfaces that expose PII and lack HTTPS also lack a WAF. 
• Over half of ecommerce assets store or collect PII and a quarter (26%) of PII assets are unprotected by a WAF. 
• CyCognito’s enhanced asset and issue context allowed the priority level of one in three (32%) of vulnerabilities to be downgraded. 

These were some of the most impactful findings from our report, but the full report has plenty of additional insights about assets, issues, and prioritization. However, if you’re interested in the biggest lessons we learned by examining the data, we found three main takeaways.  

Looking for Critical Issues? Check the Web Servers 

Web server environments, encompassing popular platforms like Apache, NGINX, Microsoft IIS, and Google Web Server, represented a substantial portion of severe security issues—accounting for 34% of all critical vulnerabilities among all examined assets. 

Although the data processed by web servers can often be harmless, these servers frequently provide direct access to sensitive databases containing personal user information (PII) and financial data, such as payment details for online transactions, which can pose significant risks if compromised.

It’s not the first time we’ve seen dangers from Apache products. Take, for instance, the Log4J vulnerability in Apache software, which emerged as one of the most significant cybersecurity incidents in recent years. Despite the widespread awareness and urgency to identify and fix vulnerable systems, the Cybersecurity and Infrastructure Security Agency (CISA) warned that this vulnerability had become deeply ingrained in many systems. They projected that vulnerable instances would continue to surface within critical infrastructure for at least a decade, if not longer.

In our research, we discovered that instead of a decline of assets vulnerable to Log4J, some organizations experienced a significant increase in the number of vulnerable assets in the months following the disclosure of this flaw. In fact, over the last year, organizations we surveyed reported more than 260,000 critical vulnerabilities associated with Apache products, including Apache Tomcat and Apache Traffic Server.

WAFs AWOL

When we talk about the attack surface or the software supply chain, we often talk about the dangers of unknown assets, but under-managed assets can pose just as big of a risk. Security teams are aware of these assets but may not realize that they are missing basic safeguards, exposing organizations to critical risks. We took a look at a few examples of security measures that we often see neglected as examples of what security teams can look for: web application firewalls (WAFs) and a lack of encryption (like HTTPS). 

The need for HTTPS might sound like old news but we found that it’s a challenge on the modern attack surface. Failures of cryptographic protocols are serious and sadly common – the Open Worldwide Application Security Project (OWASP) currently ranks them as #2 in its Top 10. We found that 15% of all severe issues across attack surfaces we surveyed affect these platforms. 

This is a big deal. Imagine a group of 100 web interfaces belonging to your organization. We found that on average, 31 of those assets wouldn’t have implemented HTTPS. If we look just at assets that could potentially expose PII, the issues grow even more serious: only half of surveyed web interfaces that could potentially expose PII were protected by a WAF. 

This is not to say that WAFs or encrypted connections are the be-all-and-end-all of protection, but rather that organizations should be asking themselves, “if there are assets in our software supply chain that lack these basic security measures, what else are they missing?” The lack of fundamentals indicates that these potentially valuable assets remain dangerously unprotected. 

Do More By Doing Less

Many organizations base their issue prioritization solely on CVSS or EPSS scores. While this is a great starting point, provide only a basic understanding of the impact of a vulnerability and lack any specific context about the impacted environment or organization affected. Security teams can manually fill in some of this context themselves, but when an attack surface includes nearly half a million digital assets, those kinds of efforts can’t keep up. 

Additional context—such as the attractiveness of the affected asset to attackers, whether the vulnerability is currently being exploited by threat actors, and the potential to access other critical systems through exploitation—is critical, however, because it can prioritize vulnerabilities that are more likely to lead to security breaches while deprioritizing those that pose less of a threat.

CyCognito’s Enhanced Severity Score offers a more comprehensive assessment of vulnerability severity. It highlights critical issues that might be missed when relying solely on CVSS or EPSS scores and downgrades issues that, although seemingly severe, are tied to assets that are hard to locate or exploit. By downgrading these less critical issues, security teams can avoid spending time on low-priority vulnerabilities, allowing them to focus on preventing urgent external threats.

CyCognito’s enhanced context allowed the priority of 32% of vulnerabilities to be downgraded—this resulted in the deprioritization of over 235,000 issues over 12 months. This trend was consistent across all organizations surveyed. For more information on how an organization used context to accelerate their external attack surface management, check out this case study from Asklepios. 

Interested in Learning More? 

To read more about the trends we found, check out the 2024 State of External Exposure Management Report. 

To learn more about CyCognito’s platform and see it in action, explore our platform with a self-guided, interactive dashboard product tour. If you’d like to chat to an expert about external risks that might affect your organization, you can schedule a demo at https://www.cycognito.com/demo/.