At Kobalt, we are focused on addressing the cyber security monitoring needs of small and mid-sized organizations, with an initial focus on technology and SaaS companies. As part of our service, we gather data on our clients’ environments from an external viewpoint, to help them understand the vulnerabilities they are exposing to the Internet so they can reduce their risk. We use a variety of automated tools and methodologies, and decided to run a study against our target market to understand how widespread some of these risks are.
We used passive external monitoring to perform discovery on 1074 organizations across BC, Alberta and Ontario. These organizations ranged from 20 to 250 employees, and all were technology or SaaS-based businesses.
Notes of interest:
1074 top level organizational domains mapped to 21,855 subdomains.
More subdomains means more surface area to protect. Old and legacy systems can be forgotten, left unpatched, data can leak out, and compromises can lead to an entry point further into the organization.
374 of the 1074 (35%) organizations had a high or critical vulnerability that was unpatched and exposed directly to the Internet.
With automated scripting, attackers have built massive sets of compromised sites (sometimes measuring in the hundreds of thousands). Our survey only looked at the top-level service (i.e., the version of Apache), and a deeper investigation could well have uncovered vulnerabilities in more sites in applications like WordPress, Drupal, Magento, etc. Of those 374 organizations, 32 had at least one vulnerability with a Common Vulnerability Scoring System (CVSS) score of 10 – the highest level and an indication that easy, remote exploits are available.
28 of the 1074 (2.6%) still have systems vulnerable to Heartbleed attacks.
Heartbleed allows easy theft of client data by a remote attacker, taking advantage of a long-since-resolved vulnerability in the OpenSSL libraries that run many web services. This vulnerability was disclosed in April 2014, meaning that companies have had over 5 years to resolve this weakness. Famously, Heartbleed was used by attackers to steal 900 social security numbers from the CRA website over a six-hour period in 2014, forcing the CRA to take its website offline at peak tax season to resolve the issue. A more significant attack impacted over 4.5 million patient records at Community Health Systems.
235 of the 1074 (21.9%) have open database ports exposed to the Internet, and 174 have discoverable connections to S3 buckets.
An open database port is not in itself an indication of vulnerability, but it is a potentially significant risk. Allowing direct discovery of and access to these ports, rather than restricting them to trusted IPs or sites, is a welcoming beacon to attackers, who can take advantage of exploits as soon as they become available to slurp up organizations’ data. We discovered exposed SQL, MySQL, Postgres and MongoDB services, all of which have had significant vulnerabilities in the last few years.
120 of the 1074 (11.1%) have exposed RDP or VNC services.
On May 14th of this year, Microsoft issued a critical security alert for CVE-2019-0708, a wormable RDP vulnerability. They even went so far as to offer patches for the long-unsupported Windows XP, Server 2003 and Vista. While RDP is a useful tool for support teams and remote employees alike, offering unrestricted, exposed access to this service, easily discoverable over the Internet, is high-risk behaviour.
50 of the 1074 (4.7%) have exposed SMB services.
SMB is largely designed for LAN services, and if it is exposed to the Internet at all, that should be done in a way that does not allow the kind of easy discovery our survey relied on. An exposed SMB service tells attackers you likely have other weaknesses in your environment and would be an easy target.
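To show how passive discovery results are triaged into the categories reported above (exposed database ports, RDP/VNC, SMB, and high or critical CVSS findings), here is an added example that is not Kobalt’s tooling; the finding record format and the sample organizations are constructed for illustration, and counts are per organization rather than per host, as in the study.

```python
"""Triage passive external-scan findings into the risk categories used in the study.

Added illustration, not Kobalt's own code. The (org, host, port, cvss) record
layout and the sample findings below are constructed for this example.
"""
from collections import defaultdict

# Default ports of the service classes the study calls out. Ports are a
# reasonable proxy for passive data; an active banner check would confirm them.
RISKY_PORTS = {
    1433: ("database", "mssql"),
    3306: ("database", "mysql"),
    5432: ("database", "postgres"),
    27017: ("database", "mongodb"),
    3389: ("remote_access", "rdp"),
    5900: ("remote_access", "vnc"),
    445: ("smb", "smb"),
    139: ("smb", "netbios-ssn"),
}
HIGH_CVSS = 7.0  # CVSS "High" starts at 7.0, "Critical" at 9.0, maximum is 10.0

# Constructed findings: (org, host, port, highest CVSS of a version-based match or None)
FINDINGS = [
    ("acme.example", "db1.acme.example", 5432, None),
    ("acme.example", "www.acme.example", 443, 7.5),
    ("acme.example", "legacy.acme.example", 3389, None),
    ("bolt.example", "www.bolt.example", 443, 10.0),
    ("bolt.example", "files.bolt.example", 445, None),
    ("cobb.example", "www.cobb.example", 443, 5.3),
    ("dune.example", "mongo.dune.example", 27017, 9.8),
]

def categorize(port):
    """Return the study category for a port, or None if it is not one we track."""
    entry = RISKY_PORTS.get(port)
    return entry[0] if entry else None

def summarize(findings, total_orgs):
    """Count affected organizations per category and express each as a percentage."""
    orgs_by_cat = defaultdict(set)
    for org, _host, port, cvss in findings:
        cat = categorize(port)
        if cat:
            orgs_by_cat[cat].add(org)
        if cvss is not None and cvss >= HIGH_CVSS:
            orgs_by_cat["high_or_critical"].add(org)
        if cvss == 10.0:
            orgs_by_cat["cvss_10"].add(org)
    return {cat: (len(orgs), round(100 * len(orgs) / total_orgs, 1))
            for cat, orgs in orgs_by_cat.items()}

if __name__ == "__main__":
    for cat, (n, pct) in sorted(summarize(FINDINGS, total_orgs=4).items()):
        print(f"{cat:18s} {n:3d} orgs ({pct}%)")
```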
Why you should care
If your organization has long-standing vulnerable services exposed to the Internet, it is a signal that your overall security program needs significant development. Increasingly, customers are demanding that their suppliers have better security, and acquiring companies are starting to perform security-specific diligence when making acquisitions. You might get lucky with one security incident or five, but eventually a fire will burn the house down; it is only a matter of time. Success in cyber security is increasingly becoming an existential issue for small and mid-sized businesses.
Many of these vulnerable services can easily be patched, pulled offline if they no longer serve the business, or restricted to a limited IP space to reduce the threat. As a courtesy, we will be reaching out to many of the organizations that have highly risky services exposed, as a follow-up to this study. Hopefully your organization is not one of them, but if you would like to request a sample report for your organization to review, please contact us. We provide external monitoring as a component of our comprehensive cyber security monitoring offering, and as an affordable standalone service that can complement your security program.