Study Reveals State of External Exposure Management
CyCognito has published its latest State of External Exposure Management Report, which highlights the extent to which vulnerabilities affect organizations and how easy it is for hackers to exploit those vulnerabilities.
For the report, CyCognito’s researchers aggregated and analyzed 3.5 million digital assets across its customer base between June 2022 and May 2023. That customer base spans small, medium, and large enterprises, including Fortune 500 companies.
The study found that 70% of web applications had severe security gaps, such as lacking web application firewall (WAF) protection and not using encrypted connections such as HTTPS, with 25% of web applications lacking both protections. A typical enterprise has more than 12,000 web apps, such as APIs, SaaS applications, databases, and servers. The researchers found that at least 30% of those web apps, more than 3,000 assets, had at least one exploitable or high-risk vulnerability.
The study confirmed the extent to which personally identifiable information (PII) is put at risk. 74% of assets containing PII were found to be exposed to at least one major exploit, and one in ten assets had at least one easily exploitable issue. While critical severity vulnerabilities are a major concern, for every easily exploitable critical vulnerability identified, there were 133 easily exploitable high, medium, or low severity issues.
As CyCognito explains in the report, the attack surface is constantly changing, and its research suggests the attack surface fluctuates by as much as 10% each month. That means that over the course of a year, thousands of new assets may have been added to the network, and any one of those assets could contain an exploitable vulnerability. Because the attack surface is dynamic, organizations cannot make do with mapping it just once, as the map created will be out of date almost immediately.
Naturally, there is a balance to be struck, so many organizations have a biannual or quarterly mapping cadence, although such infrequent mapping could result in serious gaps in awareness and coverage. “To stay aware of risks as soon as they appear, use frequent mapping and scanning of all assets to maintain an up-to-date, comprehensive understanding of your external attack surface,” suggests CyCognito.
Attention needs to be paid to web apps, which typically account for around 22% of the attack surface. They are easy to deploy, provide access to valuable data, connect businesses with employees and customers, and can have dozens of components, each of which can be affected by security issues. Organizations should ensure that web apps are properly protected with WAF and encrypted connections, especially those that provide access to PII or e-commerce platforms.
Addressing security issues is a never-ending process, so it is important to ensure that the most serious issues are prioritized and addressed first. CyCognito recommends using context about the affected assets and threat actor activity to identify the most serious threats to prioritize, rather than relying on CVSS scores alone, as a less severe flaw that threat actors can easily exploit may pose a far greater risk.
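To make the prioritization point concrete, here is an added example (not code from CyCognito or the report) of a context-weighted ranking: CVSS is the starting point, and exploitability, PII exposure, missing WAF/HTTPS protection and observed threat activity move a finding up the queue. The weights and the sample findings are constructed assumptions for illustration, not figures from the report.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    """One vulnerability on one external asset (constructed sample data)."""
    finding_id: str
    cvss: float                 # CVSS base score, 0.0-10.0
    easily_exploitable: bool    # e.g. public exploit available, no authentication needed
    holds_pii: bool             # asset stores or serves personal data
    waf_protected: bool         # web app sits behind a WAF
    https_only: bool            # connections to the asset are encrypted
    threat_activity: bool       # intel shows actors actively exploiting this flaw

# Illustrative weights (assumptions chosen for this example, not from the report).
W_EXPLOITABLE, W_THREAT, W_PII, W_NO_WAF, W_NO_HTTPS = 4.0, 3.0, 3.0, 1.5, 1.5

def priority_score(f: Finding) -> float:
    """CVSS is the baseline; asset context and threat context raise the score."""
    score = f.cvss
    if f.easily_exploitable:
        score += W_EXPLOITABLE
    if f.threat_activity:
        score += W_THREAT
    if f.holds_pii:
        score += W_PII
    if not f.waf_protected:      # missing WAF lowers the attacker's bar
        score += W_NO_WAF
    if not f.https_only:         # unencrypted transport exposes data in transit
        score += W_NO_HTTPS
    return round(score, 1)

def prioritize(findings: List[Finding]) -> List[str]:
    """Return finding ids, most urgent first, using the context-weighted score."""
    return [f.finding_id for f in sorted(findings, key=priority_score, reverse=True)]

def by_cvss_only(findings: List[Finding]) -> List[str]:
    """The ordering a CVSS-only approach would produce, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample: a critical flaw on a hardened asset with no known exploitation,
# versus a medium-severity, easily exploitable flaw on an unprotected web app serving PII.
SAMPLE = [
    Finding("F-1", 9.8, False, False, True, True, False),
    Finding("F-2", 5.3, True, True, False, False, True),
    Finding("F-3", 7.5, True, False, True, True, False),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f.finding_id, "cvss", f.cvss, "priority", priority_score(f))
```

With these inputs the medium-severity F-2 ranks first (priority 18.3) while the CVSS-only ordering would put the critical F-1 first; the gap between the two orderings is exactly the risk the report says CVSS alone hides.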


