Global Deep Scans Measuring vulnerability levels across - PowerPoint PPT Presentation



  1. Global Deep Scans – Measuring vulnerability levels across organizations, industries, and countries
     Fabian Bräunlein <fabian@srlabs.de>, Luca Melette <luca@srlabs.de>

  2. Motivation for this talk
     ▪ We often get asked: How secure is my company compared to other companies?
     ▪ As researchers we can’t usually say much about a single company. Until now.
     ▪ We conducted a massive internet-wide scan to answer these questions:
       – How common are security issues on the Internet?
       – Where are issues least and most common?
       – Which organizations/industries/regions can we still learn from?
     ▪ Today, we make our research data public to
       – Encourage your further research
       – Help different industries to start interacting and learning from each other

  3. Our goal: Enable a constructive conversation between companies and researchers
     Security Officer (Defense View): “Our vulnerability scan shows 23 different issue types for my organization. Is that really bad? How do I compare to others?”
     Researcher (Offense View): “No idea. All I know is that the one vulnerability I research affects 42,000 IPs, including one of yours.”
     The two views are hard to compare, which inhibits a constructive exchange between the two communities. This presentation discusses a Global Deep Scan, which hopefully helps bridge the gap.

  4. Companies and researchers look at very different vulnerability statistics
     Defense view – Deep Scan
     ▪ Objective: Find many vulnerabilities for the IPs of a single company
     ▪ Tooling: Nessus, Qualys, Nexpose, …
     ▪ Typical result example: Active IPs: 2,000 – Vulnerable Coldfusion 4; Exposed VMWare ESXi 3; Weak password 3; Heartbleed 1; Minor TLS/SSL config issues 500
     Offense view – Global Scan
     ▪ Objective: Find the prevalence of a single issue across the Internet
     ▪ Tooling: Shodan, Censys, Masscan, …
     ▪ Typical result example: Scanned IPs: 20,000,000 – Heartbleed 2,500
     These two views are hard to compare. To compare security levels across companies, we instead need scans that are Global & Deep.

  5. Agenda
     ▪ Research motivation
     ▪ Measuring hackability
     ▪ Global deep scan results
     ▪ Data for security evolution

  6. Generic security issue types are prevalent across the internet
     Research scope: 827k active IPs – of 270 million IPs belonging to companies that we scanned
     Example issues [issues per million active IPs]:
     ▪ Authentication and credential issues: Weak password 297; HTTP default credentials 129; Unauthenticated Redis 54; Unauthenticated MQTT 30
     ▪ Unnecessary exposure: Exposed VMWare ESXi 2.154; Exposed Cisco SmartInstall 412; Exposed HP Remote Console 376; Exposed Lantronix config 151
     ▪ Hardening gaps: Accessible .git 3.369; Accessible Linux home folder 898; Writable anon FTP 548; HTTP path traversal 307
     ▪ Missing patches: Heartbleed 1.080; RDP vulnerability 183; Vulnerable Coldfusion 103; Vulnerable Struts2 30
     ▪ Researchers focus on novel bug classes, while most issues found on the Internet are well-known issues
     ▪ The vast majority of Internet-exposed security issues would be addressed by basic security practices: Change default passwords, use a firewall well, harden your servers, and patch them regularly
     ▪ The fact that most companies we scanned seem to miss these practices shows a big gap between cutting-edge security research and tools, and the issues responsible for most actual hacking

  7. Security issues from four best practice areas are summarized in a Hackability Score
     1. Scan to find issues → 2. Compute Hackability Score
     Definition: The hackability score is the sum over the set of Internet-exposed issues, multiplied by their severity class. If one issue type is present multiple times, each additional occurrence is weighted less to account for the diminishing return to the hacker.
     Severity classes and weights: Severity 4 – Exploit, x 8; Severity 3 – Exploit, x 4; Severity 2 – Best practice deviation, x 1. The weighted issues of each best practice area form a hackability sub-score; the overall score is the sum of these score fragments.
     Hackability sub-score: Authentication and credential issues (Best practice: Use strong credentials)
     ▪ Severity 4: Tomcat with default or weak credentials; NFS share mountable
     ▪ Severity 3: Printer with default credentials; Weak SNMP pass w/ write access
     ▪ Severity 2: Known leaked TLS private key used; Weak SNMP pass w/ read access
     Hackability sub-score: Unnecessary exposure (Best practice: Expose only a minimal set of services to hackers)
     ▪ Severity 4: Cisco Smart Install exposed; Java Debug Wire protocol exposed
     ▪ Severity 3: Java RMI exposed; Industrial control system protocol exposed
     ▪ Severity 2: Database exposed; Server management interface exposed
     Hackability sub-score: Hardening gaps (Best practice: Configure assets securely, fix programming bugs)
     ▪ Severity 4: CMS backup files can be downloaded; Directory traversal
     ▪ Severity 3: .git accessible; Home directory in web root
     ▪ Severity 2: Open SMTP relay; DNS server allows zone transfers
     Hackability sub-score: Missing patches or end-of-life software (Best practice: Regularly install security updates)
     ▪ Severity 4: Apache Struts vulnerability; HP iLO 4 vulnerability
     ▪ Severity 3: Oracle TNS poison attack; Cisco iOS older than 3 years
     ▪ Severity 2: EOL IIS; EOL OpenSSH

  8. Hackability Score example
     1. Scan to find issues → 2. Compute Hackability Score
     ▪ Severity 4 (weight x 8): Server 1 –; Server 2 – → no issues, contributes –
     ▪ Severity 3 (weight x 4): Server 1 –; Server 2 .git accessible → 1 issue x 4 = 4
     ▪ Severity 2 (weight x 1): Server 1 MySQL exposed; Server 2 MySQL exposed → 2 times the same issue, counted as 1.8 issues, x 1 = 1.8
     Hackability score ∑ = 5.8
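To make the scoring rule on slides 7 and 8 concrete, here is an added Python example (not SRLabs’ code) that computes a Hackability Score and per-area sub-scores from a list of findings using the slides’ severity weights (8/4/1). The slides state only that two occurrences of one issue type count as 1.8 issues; the geometric decay of 0.8 per additional occurrence is an assumption that reproduces that figure, and the issue catalogue is a constructed subset of the slides’ examples.

```python
from collections import Counter, defaultdict

# Severity class -> weight, as on slide 7:
# Severity 4 (exploit) x 8, Severity 3 (exploit) x 4, Severity 2 (best-practice deviation) x 1
SEVERITY_WEIGHT = {4: 8, 3: 4, 2: 1}

# Issue type -> (best-practice area, severity class). Constructed subset of the slides' examples.
ISSUE_CATALOGUE = {
    "tomcat_default_credentials": ("authentication", 4),
    "cisco_smart_install_exposed": ("exposure", 4),
    "apache_struts_vulnerable": ("patches", 4),
    "git_accessible": ("hardening", 3),
    "mysql_exposed": ("exposure", 2),
    "eol_openssh": ("patches", 2),
}

# ASSUMPTION: the slides only say that 2 occurrences of one issue type count as 1.8 issues.
# A geometric decay of 0.8 per additional occurrence reproduces that (1 + 0.8 = 1.8).
REPEAT_DECAY = 0.8


def effective_count(occurrences):
    """Diminishing-return count for `occurrences` findings of the same issue type."""
    return sum(REPEAT_DECAY ** k for k in range(occurrences))


def hackability(findings):
    """findings: iterable of (host, issue_type) tuples from a scan.

    Returns (total_score, per_area_subscores). Occurrences of one issue type are
    pooled across all hosts of the organization before the repeat weighting is applied.
    """
    counts = Counter(issue for _host, issue in findings)
    per_area = defaultdict(float)
    for issue, n in counts.items():
        area, severity = ISSUE_CATALOGUE[issue]
        per_area[area] += SEVERITY_WEIGHT[severity] * effective_count(n)
    return sum(per_area.values()), dict(per_area)


def area_contribution(per_area):
    """Percentage contribution of each best-practice area to the score, as on slide 15."""
    total = sum(per_area.values())
    return {area: round(100 * v / total, 1) for area, v in per_area.items()} if total else {}


# Constructed findings reproducing the slide 8 example (two servers).
SLIDE8_FINDINGS = [
    ("server1", "mysql_exposed"),
    ("server2", "git_accessible"),
    ("server2", "mysql_exposed"),
]
```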

  9. Our scan sample is composed of thousands of organizations globally
     Start with 4.000 companies → 270 million IP addresses → 1.3 million base domains
     Use global databases: ▪ IP WHOIS ▪ Domain WHOIS ▪ TLS certificates ▪ Open datasets ▪ Google search ▪ Manual search ▪ Bug bounties
     Aggregate information by company: ▪ Industry ▪ Financial data ▪ Year of founding ▪ Headquarter location
     In building a representative dataset, we selected companies that:
     ▪ Are diverse in industry and location
     ▪ Are large enough to have their own technology assets
     ▪ Reach an internet exposure threshold (i.e., have domain(s))
     These preparation steps provide context for each IP address and domain in our scan

  10. Agenda
     ▪ Research motivation
     ▪ Measuring hackability
     ▪ Global deep scan results
     ▪ Data for security evolution

  11. The hackability of a company grows with the number of hosts it exposes to the Internet
     Analysis: ▪ The more hosts a company has exposed on the internet, the higher its hackability score
     Interpretation: ▪ This is intuitive, as having a higher number of hosts exposed means more room for errors

  12. Hackability grows slower than company size
     Analysis
     ▪ Both the number of exposed hosts and the hackability score of a company increase with its revenue
     ▪ But they increase a lot slower than the revenue (logarithmic scale!)
     Interpretation
     ▪ This is reassuring given the much larger investment into information security by large companies, and the additional synergies of large security programs

  13. Hackability varies widely across industries
     Research questions – Defense view: Which industries can I learn from? Offense view: Which industries are the easiest targets?
     Analysis – Average hackability by industry:
     1. Retail 8
     2. Insurance 10
     3. Banking 10
     4. Pharma 10
     5. Real Estate 11
     6. Media 12
     7. Software 13
     8. Hardware 13
     9. Technology Services 19
     Cloud providers, telcos, and ISPs are excluded from our analysis because their IP ranges are typically shared with their customers. (IP allocations for telco/ISP enterprise customers show a very high vulnerability count.)

  14. Europe is significantly more hackable per exposed host
     Research questions – Defense view: Peers from which regions can still teach us something? Offense view: Which regions have the most low-hanging fruit targets?
     Analysis (chart values as extracted; region assignment not recoverable here): # of 1k exposed hosts / USD 1b revenue: 30, 22, 5. Hackability / 1k exposed hosts: 52, 44, 39. The slide annotates Europe’s bar, the highest hackability per exposed host, as “Europe’s security best practice gap”.
     Interpretation
     ▪ Hackability typically grows with the number of technology assets exposed to the Internet
     ▪ Europe is an exception – fewer assets are exposed per company, but they are more hackable on average
     ▪ North America: Technology progressive. Lots exposed, secured to an above-average level
     ▪ Europe: The worst of both worlds. Less technology exposed, but more hackable on average
     ▪ East Asia: Technology conservative. Less exposed technology, thereby less hackable

  15. Banks’ hackability mostly arises from missing patches, and is worst in Europe
     Average hackability values shown in the chart: 17, 12, 8, 4 (region assignment not recoverable here).
     Contribution of different issue types to overall Hackability:
     Issue type                           | Global average for all industries | Banks in North America | Banks in East Asia | Banks in Europe
     Authentication and credential issues | 11%                               | 6%                     | 6%                 | 6%
     Unnecessary exposure                 | 32%                               | 37%                    | 34%                | 27%
     Hardening gaps                       | 37%                               | 16%                    | 20%                | 14%
     Missing patches                      | 20%                               | 41%                    | 40%                | 53%
     Offense view: If your goal is to hack a bank, you would look for missing patches on unnecessarily exposed hosts, starting in Europe.
     Defense view: If you want to secure a bank in Europe, you should focus on patching, and then learn on authentication and hardening from your peers in other regions.

  16. Older companies are slightly more hackable
     Analysis / Interpretation: Companies that were founded pre-Internet are slightly more hackable than companies with similar revenue founded later
