Joint research by cyber risk management firm RiskRecon and the cybersecurity research firm Cyentia Institute found that a large number of organizations leave insecure network services reachable from the internet, exposing critical data to risk. According to the report, “Third-Party Security Signals: Exposing the reality of unsafe network services,” nearly 33% of enterprises in the digital supply chain expose unsafe network services such as data storage, remote access, and network administration to the internet.
Key Findings
- Of the three categories of unsafe network services, data stores such as S3 buckets and MySQL databases are the most exposed.
- Remote access is the second most exposed category; admins should restrict these services to authorized, internal users, for example by placing them behind a VPN or allow-listing source address ranges rather than exposing them to the whole internet.
- Universities are woefully exposed. With a culture that boasts open access to information and collaboration, the education sector has the greatest tendency to expose unsafe network services on non-student systems, with 51.9% of universities running unsafe services.
- Some regions lack a proper security posture. Countries such as Ukraine, Indonesia, Bulgaria, Mexico and Poland show the highest rates of domestically hosted systems running unsafe services.
- Beware of Elasticsearch and MongoDB. Firms that expose these services to the internet have a 4x to 5x higher rate of severe security findings than firms that do not run them on internet-facing hosts.
- Unsafe services are a signal of other security issues. Failing to patch software and failing to implement web encryption (TLS on web services) are two of the most prevalent security findings associated with unsafe services.
The findings are based on the evaluation of millions of internet-facing systems across 40,000 commercial and public institutions. Cyentia and RiskRecon analyzed the data in two ways: the direct proportion of internet-facing hosts running unsafe services, and the number of organizations exposing unsafe services somewhere across their infrastructure. The two measures answer different questions: a single exposed database server barely moves the host-level proportion but counts the whole organization as exposed in the second measure.
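The following is an added example, not code from the RiskRecon/Cyentia report, showing how the two measurements above are computed from an asset inventory and why they diverge. The port-to-service table, the three category names, the `HIGH_RISK` set and the sample observations for three fictional organizations are all this example's own assumptions; the report's actual classification of "unsafe" services is not reproduced here.

```python
"""Host-level vs organization-level exposure of unsafe network services.

Added example (not the report's code). The category labels mirror the three
the report names; the port table and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed port -> (service, category) table. Any port not listed is treated
# as a non-unsafe service (e.g. 80/443 web front ends).
UNSAFE_PORTS = {
    3306: ("mysql", "data_store"),
    5432: ("postgresql", "data_store"),
    6379: ("redis", "data_store"),
    9200: ("elasticsearch", "data_store"),
    27017: ("mongodb", "data_store"),
    22: ("ssh", "remote_access"),
    23: ("telnet", "remote_access"),
    3389: ("rdp", "remote_access"),
    5900: ("vnc", "remote_access"),
    161: ("snmp", "network_admin"),
    623: ("ipmi", "network_admin"),
}

# Services the report singles out as correlating with 4x-5x more severe findings.
HIGH_RISK = {"elasticsearch", "mongodb"}


@dataclass(frozen=True)
class Observation:
    """One open port seen on an internet-facing host belonging to an org."""
    org: str
    host: str
    port: int


# Constructed sample inventory (fictional orgs, documentation IP ranges).
SAMPLE = [
    Observation("acme", "203.0.113.10", 443),
    Observation("acme", "203.0.113.10", 22),      # SSH open to the internet
    Observation("acme", "203.0.113.11", 443),
    Observation("acme", "203.0.113.12", 80),
    Observation("acme", "203.0.113.13", 443),
    Observation("globex", "198.51.100.5", 443),
    Observation("globex", "198.51.100.5", 27017),  # MongoDB exposed
    Observation("globex", "198.51.100.5", 9200),   # Elasticsearch exposed
    Observation("initech", "192.0.2.7", 443),
    Observation("initech", "192.0.2.8", 443),
]


def classify(obs):
    """Return (service, category) if the port is an unsafe service, else None."""
    return UNSAFE_PORTS.get(obs.port)


def all_hosts(observations):
    return {(o.org, o.host) for o in observations}


def unsafe_hosts(observations):
    """Hosts with at least one unsafe service exposed."""
    return {(o.org, o.host) for o in observations if classify(o) is not None}


def host_exposure_rate(observations):
    """Measure 1: proportion of internet-facing hosts running unsafe services."""
    hosts = all_hosts(observations)
    return len(unsafe_hosts(observations)) / len(hosts) if hosts else 0.0


def org_exposure_rate(observations):
    """Measure 2: proportion of organizations exposing an unsafe service anywhere."""
    orgs = {o.org for o in observations}
    exposed = {org for org, _ in unsafe_hosts(observations)}
    return len(exposed) / len(orgs) if orgs else 0.0


def summarize(observations):
    """Both rates plus the per-category exposures a risk team would triage."""
    by_category = defaultdict(list)
    high_risk_orgs = set()
    for o in observations:
        hit = classify(o)
        if hit is None:
            continue
        service, category = hit
        by_category[category].append((o.org, o.host, service))
        if service in HIGH_RISK:
            high_risk_orgs.add(o.org)
    return {
        "host_exposure_rate": host_exposure_rate(observations),
        "org_exposure_rate": org_exposure_rate(observations),
        "exposed_orgs": sorted({org for org, _ in unsafe_hosts(observations)}),
        "high_risk_orgs": sorted(high_risk_orgs),
        "by_category": {k: sorted(v) for k, v in by_category.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

On the constructed sample only 2 of 7 hosts run an unsafe service, but 2 of 3 organizations are exposed, which is exactly why a supply-chain risk program counts organizations, not hosts: a single internet-facing MongoDB instance makes the whole vendor a risk.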
Kelly White, CEO and co-founder at RiskRecon said, “Blocking internet access to unsafe network services is one of the most basic security hygiene practices. The fact that one-third of companies in the digital supply chain are failing at one of the most basic cybersecurity practices should serve as a wakeup call to executives and third-party risk management teams. We have a long way to go in hardening the infrastructure that we all depend on to safely operate our businesses and protect consumer data. Risk managers will be well served to leverage objective data to better understand and act on their third-party risk.”
Jay Jacobs, partner and Co-founder, Cyentia Institute, said, “Similar to how medical doctors diagnose illnesses through various outward signs exhibited by their patients, third-party risk programs can perform quick, reliable diagnostics to identify underlying cybersecurity ailments. Not only is the presence of unsafe network services a problem, but the data we examine in this report also shows that they are a symptom of broader problems. Easy, reliable risk like this offers a rare quick win for risk assessments.”