An ExtraHop Cyber Risk and Readiness Benchmarking report reveals how widespread internet-exposed protocols are on enterprise networks, and the risk they carry. More than 60% of companies expose the remote access protocol SSH to the public Internet, and 36% of companies use the insecure FTP protocol.
ExtraHop, the leading provider of cloud-native network intelligence, today released the results of the ExtraHop Benchmarking Cyber Risk and Readiness Report, showing that a significant percentage of organizations expose insecure or highly sensitive protocols such as SMB, SSH and Telnet to the public internet. Whether intentional or accidental, these exposures expand an organization's attack surface by giving attackers easy access to the network.
Strong increase in cyber attacks
Since the Russian invasion of Ukraine, governments and security experts around the world have noticed a significant increase in cyber attacks. The Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies such as ENISA, CERT-EU, ACSC and SingCERT have urged organizations to focus on strengthening their overall security defenses and start reducing the likelihood of a harmful cyberattack. One of the top recommendations from these agencies is that organizations should disable all unnecessary or insecure ports and protocols.
In the new report, ExtraHop analyzed enterprise IT environments to assess cybersecurity posture based on open ports and sensitive protocols, allowing security and IT leaders to compare their risk posture and attack surface with those of other organizations. The study reports how many devices expose a vulnerable protocol to the Internet for every 10,000 devices running that protocol.
Main results of the benchmarking
SSH is the most exposed sensitive protocol
Secure Shell (SSH) is a well-designed protocol with strong cryptography for secure access to remote devices. It is also one of the most widely used protocols, making it a popular target for cyber criminals who want to access and control corporate devices. Sixty-four percent of organizations have at least one device that exposes this protocol to the public internet; 32 out of every 10,000 devices are exposed.
LDAP exposure is high
Lightweight Directory Access Protocol (LDAP) is a vendor-agnostic application protocol that manages distributed directory information in an organized, easily queryable manner. Windows systems use LDAP to look up usernames in Active Directory. By default, these queries are transmitted in clear text, giving attackers the ability to harvest usernames. With 41% of organizations having at least one device that exposes LDAP to the public internet, this sensitive protocol carries an outsized risk.
Cyber Risks: Open Database Protocols
Database protocols allow users and software to interact with databases: inserting, updating, and retrieving information. When an unprotected device listens on a database protocol, it also exposes the database itself. Twenty-four percent of organizations have at least one device that exposes Tabular Data Stream (TDS) to the public Internet. This Microsoft protocol for communicating with databases transmits data in clear text and is therefore vulnerable to eavesdropping. Transparent Network Substrate (TNS), essentially the Oracle counterpart of TDS, is exposed on at least one device at 13% of organizations.
File server protocols at risk
Of the four protocol types examined (file server, directory, database, and remote access protocols), the vast majority of cyberattacks target file server protocols, which attackers use to move files from one location to another. Thirty-one percent of organizations have at least one device that exposes Server Message Block (SMB) to the public Internet; 64 out of every 10,000 devices are exposed.
Cyber Risks: FTP is not as secure as it could be
File Transfer Protocol (FTP) is not a full file access protocol. It streams files over networks and offers virtually no security. It transmits data, including usernames and passwords, in clear text, so the data can be easily intercepted. Although at least two secure alternatives exist, 36% of organizations expose at least one device using this protocol to the public internet, on three out of every 10,000 devices.
Protocol use differs by industry, an indication that different industries invest in different technologies and have different requirements for storing data and interacting with remote users. Across all industries combined, SMB was the most widely exposed protocol.
- In financial services, SMB is exposed on 34 out of every 10,000 devices.
- In healthcare, SMB is exposed on seven out of every 10,000 devices.
- In manufacturing, SMB is exposed on two out of every 10,000 devices.
- In retail, SMB is exposed on two out of every 10,000 devices.
- In SLED, SMB is exposed on five out of every 10,000 devices.
- In the tech industry, SMB is exposed on four out of every 10,000 devices.
Businesses continue to rely on Telnet
Telnet, an old protocol for connecting to remote devices, has been deprecated since 2002. Still, 12% of organizations have at least one device exposing this protocol to the public internet. As a best practice, IT organizations should disable Telnet wherever it is found on their network.
"Ports and protocols are essentially the doors and hallways that attackers use to explore networks and wreak havoc," said Jeff Costlow, CISO at ExtraHop. "That's why it's so important to know what protocols are running on your network and what vulnerabilities are associated with them. This gives defenders the knowledge to make an informed decision about their risk tolerance and take action - like continually inventorying software and hardware in an environment, patching software quickly and continuously, and investing in tools for real-time insight and analysis - to improve their cybersecurity readiness."
More at ExtraHop.com
About ExtraHop
ExtraHop is dedicated to helping businesses with security that cannot be undermined, outwitted or compromised. The dynamic cyber defense platform Reveal(x) 360 helps companies identify complex threats and respond to them before they put the company at risk. We apply cloud-scale AI to petabytes of traffic per day and perform line-rate decryption and behavioral analysis for all infrastructures, workloads and data on the fly. With ExtraHop's complete visibility, companies can quickly identify malicious behavior, hunt down advanced threats and reliably conduct forensic investigation of every incident.