First-of-its-kind global report reveals that the hospitality and telecom industries are the most vulnerable to undiscovered network breaches, and offers ways to mitigate risk.
Key Findings
The report analyzed the attack surface of 1,500 companies, uncovering more than 202,000 Common Vulnerabilities and Exposures (CVEs), 49% of which were classified as “Critical” or “High” severity.
The report found nearly 400,000 servers exposed and discoverable over the internet across these 1,500 companies, with 47% of the supported protocols being outdated and vulnerable.
Public clouds posed a particular exposure risk, with over 60,500 exposed instances across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
ZENITH LIVE, SAN JOSE, Calif. – June 15, 2021 – Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today announced the release of “Exposed”, the industry’s first global report on the state of corporate attack surfaces. Based on data sourced between February 2020 and April 2021, the report provides a first-ever look at the impact of attack surface exposure during the COVID-19 pandemic. In the report, Zscaler notes that as businesses began offering more remote work options, their attack surfaces grew concurrently with their dispersed workforce. Coupled with increased reliance on public cloud services and vulnerable enterprise VPNs, large organizations not using zero trust security became more vulnerable to network intrusion attacks. “Exposed” identifies the most common attack surface trends by geography and company size while spotlighting the industries most vulnerable to public cloud exposure, malware, ransomware, and data breaches.
“The sheer amount of information that is being shared today is concerning because it is all essentially an attack surface,” said Nathan Howe, Vice President, Emerging Technology at Zscaler. “Anything that can be accessed can be exploited by unauthorized or malicious users, creating new risks for businesses that don’t have complete awareness and control of their network exposure. Our goal with this report is to provide a view of what the internet sees of a company’s information landscape and offer useful tips on how to mitigate risk. By understanding their individual attack surfaces and deploying appropriate security measures, including zero trust architecture, companies can better protect their application infrastructure from recurring vulnerabilities that allow attackers to steal data, sabotage systems, or hold networks hostage for ransom.”
While attack surface vulnerabilities impact organizations of all sizes, major international companies with more than 20,000 employees are more vulnerable due to their distributed workforce, infrastructure, and greater number of applications that need to be managed. To better understand the scale of the problem, Zscaler analyzed organizations in all geographies, partitioning the findings from 53 countries into three regions for ease of understanding – the Americas, EMEA, and APAC.
EMEA at Risk
The report found that while 59 percent of the surveyed organizations were based in the Americas, the EMEA region led the world in overall exposure and potential risk, with an average of 164 CVEs per organization. EMEA-based businesses had the most exposed servers, with an average of 283 exposed servers and 52 exposed public cloud instances each. They were also more likely to support outdated SSL/TLS protocols and carried a greater number of CVEs on average. EMEA was followed by the Americas, with an average of 132 CVEs (20 percent lower than EMEA), and APAC, with an average of 80 CVEs (51 percent lower than EMEA).
While the report demonstrated that EMEA businesses had the most online exposure, all regions showed vulnerabilities, making it critical for IT teams to adopt best practices, including zero trust security, to minimize the attack surface and eliminate exposure no matter where they are based.
Top Exposed Industries
In addition to presenting geographic data, the report tracked corporate attack surfaces by industry, pinpointing the types of organizations most likely to be targeted by cybercriminals. The report analyzed a diverse group of companies spanning 23 industries and found that telecommunications organizations were the most vulnerable, with the highest average number of outdated protocols on their servers. Telecom companies also had the third-highest average number of internet-exposed servers, increasing their risk of being targeted for DDoS and double-extortion ransomware attacks.
The report also showed that the hospitality industry – including restaurants, bars, and food service vendors – had the highest average number of exposed servers and public cloud instances, with AWS instances exposed 2.9 times more often than those of any other cloud provider. With the COVID-19 pandemic pushing many restaurants to offer online ordering, the rapid adoption of digital payment systems has increased risk for both businesses and their customers.
Three Steps to Reduce an Attack Surface
With the number of cyberattacks increasing daily, business IT teams must minimize their attack surface as part of the overall organizational security policy. Without comprehensive security measures, such as a zero trust model, digital transformation initiatives and cloud migration efforts can create new attack vectors and threaten business continuity, professional reputation, and employee safety. Although no approach will be completely effective, Zscaler recommends the following tips for minimizing corporate network risk:
Know your exposure: Knowing your visible attack surface is key to effective risk mitigation. As more and more applications move to the cloud, it becomes mission-critical to be aware of network access points that are exposed to the internet. Remember, if it can be found by your employees, it can also be found by criminals.
Know your potential vulnerabilities: Stay current with the latest updates to the CVE database and map them against the software versions you actually expose. Remove support for outdated SSL/TLS versions (SSLv3, TLS 1.0 and TLS 1.1, all of which are formally deprecated) from internet-facing servers to reduce risk.
Adopt practices that minimize risk: Many different technologies exist to provide visibility into IT and cloud infrastructure and implement zero trust. The Zscaler Zero Trust Exchange™ platform helps IT security teams bring zero trust security to every digital business, strengthens safe web access, and dramatically simplifies the adoption of zero trust policies.
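The protocol-hygiene part of the steps above can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not part of the Zscaler report or of any Zscaler tool. It parses nginx ssl_protocols and Apache SSLProtocol directives from a constructed sample configuration, flags every version deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1), and prints a hardened replacement directive. The function names (audit, hardened, apache_enabled) are this example's own, and the expansion of Apache's "all" keyword is an assumption for a 2.4.x build against a current OpenSSL.

```python
"""Flag outdated SSL/TLS protocol versions in nginx and Apache configuration.

Added example for this page, not Zscaler's code. Audits a constructed
sample config; point audit() at a real file's contents to use it for real.
"""
import re

# Versions withdrawn by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).
OUTDATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumed expansion of Apache's "all" keyword for a 2.4.x build with a
# current OpenSSL (SSLv2 was dropped long ago; older builds may lack TLSv1.3).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

NGINX_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)
APACHE_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.MULTILINE)


def nginx_enabled(args: str) -> set:
    """nginx lists the enabled versions explicitly, e.g. 'TLSv1 TLSv1.1 TLSv1.2'."""
    return set(args.split())


def apache_enabled(args: str) -> set:
    """Apache accepts 'all' plus +/- toggles applied left to right,
    so 'all -SSLv3' still leaves TLSv1 and TLSv1.1 switched on."""
    enabled = set()
    for token in args.split():
        negate = token.startswith("-")
        name = token.lstrip("+-")
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled - names if negate else enabled | names
    return enabled


def audit(config: str) -> list:
    """Return [(directive_text, enabled_versions, outdated_versions), ...]
    for every protocol directive found in an nginx or Apache config."""
    findings = []
    for m in NGINX_DIRECTIVE.finditer(config):
        enabled = nginx_enabled(m.group(1))
        findings.append((m.group(0).strip(), enabled, enabled & OUTDATED))
    for m in APACHE_DIRECTIVE.finditer(config):
        enabled = apache_enabled(m.group(1))
        findings.append((m.group(0).strip(), enabled, enabled & OUTDATED))
    return findings


def hardened(directive: str) -> str:
    """Replacement directive that keeps only TLS 1.2 and 1.3."""
    if directive.startswith("ssl_protocols"):
        return "ssl_protocols TLSv1.2 TLSv1.3;"
    return "SSLProtocol -all +TLSv1.2 +TLSv1.3"


# Constructed sample: one nginx server block and one Apache vhost, both of
# which still accept deprecated protocol versions.
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for directive, enabled, outdated in audit(SAMPLE_CONFIG):
        status = "OUTDATED: " + ", ".join(sorted(outdated)) if outdated else "ok"
        print(f"{directive!r}: enabled={sorted(enabled)} -> {status}")
        if outdated:
            print(f"  replace with: {hardened(directive)}")
```

The Apache case is the instructive one: "SSLProtocol all -SSLv3" looks like a cleanup but, because "all" expands to every version the build supports, it still advertises TLS 1.0 and 1.1. The hardened form uses "-all" first and then adds back only the versions you want. A config audit confirms intent; whether the running server actually negotiates TLS 1.0 is settled by an external handshake test against the exposed port.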
For more information, including access to the full report, see “Exposed”: The world’s first report to reveal how exposed corporate networks really are. Prospective and existing customers can also sign up to run the Zscaler attack surface analysis against their own domain.
Lisa Lorenzin, Senior Director of Transformation Strategy at Zscaler, will be discussing the “Exposed” research results and the tool used to complete the attack surface analysis in an upcoming Zenith Live 2021 session: Secure Access to Private Apps: The Cornerstone to your Zero Trust Journey; scheduled for June 15, 2021, at 11:30am PT.
Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SASE-based Zero Trust Exchange is the world’s largest in-line cloud security platform.
Zscaler™ and the other trademarks listed at https://www.zscaler.com/legal/trademarks are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners.
Colorado Attorney General Phil Weiser speaks during a media briefing on Aug. 17, 2020. (Moe Clark/Colorado Newsline)
For nearly a year, hackers who got inside a national company’s email accounts had access to hundreds of Coloradans’ confidential personal information, according to a statement from state Attorney General Phil Weiser. The company, which manages mobile home parks, allegedly took 10 months to notify the employees and customers whose information was exposed.
Weiser announced Monday that Impact Mobile Home Communities must pay his office $25,000 and implement new safety measures, under the terms of a settlement. Nationwide, more than 15,000 people — including 719 in Colorado — had their sensitive information exposed in the October 2018 Impact MHC hack, and the hackers had access to the information until July 2019. It was another 10 months before Impact MHC notified the affected employees and customers, according to the settlement.
“Now more than ever companies must remain vigilant in the digital world,” Weiser said in the statement. “A data breach like the one at Impact MHC can put important consumer financial and personal information in the hands of the wrong people and cause significant harm to Coloradans and their families, as we have seen recently with regard to the unemployment insurance fraud that has led to over one million fraudulent claims. We will continue to hold companies accountable for safeguarding residents’ data.”
The money Impact MHC must pay to the attorney general’s office will be used for the state’s costs and attorney’s fees, payment if needed of restitution, and “future consumer fraud or antitrust enforcement, consumer education, or public welfare purposes,” according to the settlement terms.
Colorado’s data security laws require individuals and organizations that hold personal identifying information to create a policy governing the destruction of data. This type of data includes Social Security numbers, passwords, driver’s license numbers and more.
Under existing state law, people and entities also must take reasonable steps to protect others’ personal information, and must notify customers or employees about security breaches. Colorado law generally requires companies to provide notice of a data breach no later than 30 days after it happens, according to the statement from Weiser’s office.
The Colorado General Assembly recently passed new legislation, Senate Bill 21-190, that would further regulate how companies protect personal data. The bipartisan team spearheading the legislation included Sens. Robert Rodriguez, a Denver Democrat, and Paul Lundeen, a Monument Republican, along with Reps. Monica Duran, a Wheat Ridge Democrat, and Terri Carver, a Republican from Colorado Springs.
If Gov. Jared Polis signs SB-190 into law, starting in 2023 consumers would be able to opt out of having their personal data processed by a company, and would have the right to access, correct or delete the data. Just two other states, California and Virginia, have passed similar laws.
The Colorado attorney general would have the authority to write rules for companies to follow in order to comply with SB-190. The state attorney general or district attorneys could penalize companies that violated SB-190’s requirements, using existing laws around deceptive trade practices.
At a time when enterprises have heightened concerns over securing home networks for remote workers, VMware is launching Cloud Web Security, a cloud-hosted security service for employees accessing SaaS and Internet applications.
Cloud Web Security is the fourth SASE service VMware has launched. Combined with VMware’s existing SD-WAN, Secure Access and AIops services, the vendor says Cloud Web Security provides security for cloud applications for employees working at any location.
In addition, Cloud Web Security is delivered via VMware’s 150 global SASE points of presence (PoPs), which is beneficial to users from a performance standpoint, says Sanjay Uppal, SVP & GM, Service Provider and Edge Business Unit (SEBU) at VMware. The vendor’s PoPs were initially built in partnership with service providers to provide SD-WAN services, but Uppal says VMware has since added additional SASE services available via the PoPs.
Prior to this announcement, VMware had a PoP to PoP integration with security supplier Zscaler. “What we’re announcing is VMware Cloud Web Security in our own PoP – you get these security services without ever exiting the PoP,” explains Uppal. Providing security within VMware’s PoP simplifies service management and provides a higher level of security, he adds.
“Security, like other functions, is moving away from the premise, and into the cloud, the network and the edge,” says Uppal. “The applications are getting highly distributed and it doesn’t make sense to send the traffic back to a data center only to have it leave. The changing nature of an enterprise application is one of the major drivers to announcing Cloud Web Security.”
In addition, Uppal says home networks are more complicated than enterprise networks and IT teams need a simplified way to address security for remote users.
Cloud Web Security also provides an SSL/TLS proxy with decryption to inspect most TLS-encrypted web application traffic. With URL filtering, IT teams can control which websites employees access and what kind of content they can upload. The service also inspects content for known virus signatures and zero-day malware, and provides IT with traffic and threat visualization logs. IT can map security policies to business policies through a centralized orchestrator, giving consistent policy management for all users, including remote workers. Uppal says IT teams don’t have to install any on-premises software or add hardware to use the Cloud Web Security service.
Mike Frane, VP of Product Management for SD-WAN with Windstream Enterprise, says the service provider is working with VMware to add Cloud Web Security to its managed SD-WAN platform; the additional security service will be available to Windstream’s SD-WAN customers later this year. Windstream’s enterprise customers are speeding up their cloud migrations, in part to cope with the increasing need to provide business applications to remote workers, says Frane.
“Our customers are asking for security more so than ever,” says Frane. “We’ll be able to quickly integrate [VMware’s Cloud Web Security] into our solution because they’re focused on the cloud-based delivery.”
At the beginning of the pandemic, Windstream’s customers expedited their use of VMware and Windstream’s Secure Remote Access service. Customers are now rethinking their approach to security as well, says Frane.
“A lot of our customers have accelerated their cloud migrations over the last year,” explains Frane. “There’s a shift in their mindset from needing to get to their network and the cloud. They want to get to the cloud and also their network – the cloud is becoming primary so they’re shifting their thinking about where they need to put the security envelope and what wrapper they need to put around that new model.”
Enterprises have little time to waste in adding cloud security: Verizon’s recent Data Breach Investigations Report (DBIR) examined new cloud-related threats to enterprises and found that attacks on web applications accounted for 39% of all breaches.
“We are seeing more external cloud assets than on-premise assets that are involved in breaches,” Suzanne Widup, co-author of the DBIR report and senior principal of Threat Intel for Verizon Business, told Light Reading. “A lot of cloud email is being hacked quite a bit and resulting in data breaches … it’s the credential reuse problem and that these companies don’t implement two-factor authentication to make these re-used credentials less valuable.”
— Kelsey Kusterer Ziser, Senior Editor, Light Reading
Cyber Decoy Tech
The Department of Energy’s (DOE) Pacific Northwest National Laboratory (PNNL) has developed a technology designed to trick hackers into thinking they have succeeded in disrupting a target network.
PNNL said on June 2nd that its Shadow Figment cybersecurity platform uses artificial intelligence to deceive attackers and have them attack a real-time decoy. Shadow Figment is designed to protect the electric grid, water systems and other forms of physical infrastructure from cyber threats.
“Our intention is to make interactions seem realistic so that if someone is interacting with our decoy, we keep them involved, giving our defenders extra time to respond,” said Thomas Edgar, a cybersecurity researcher with PNNL and the lead for Shadow Figment’s development.
The laboratory is working to patent Shadow Figment and has licensed Attivo Networks to commercialize the technology. Edgar and his team published their research findings in the Journal of Information Warfare.
If you want to learn more about the federal government’s cybersecurity pursuits and standards, check out the Potomac Officers Club’s 2021 Cybersecurity Maturity Model Certification Forum on June 16th.
SAN DIEGO, June 15, 2021 (GLOBE NEWSWIRE) — Kratos Defense & Security Solutions, Inc. (Nasdaq: KTOS), a leading National Security Solutions provider, announced today that it has been named by the federal government as one of the first two CMMC Third Party Assessment Organizations (C3PAO). As a C3PAO, Kratos will be able to conduct CMMC Level 1-3 assessments once the government completes certain preparatory and authorization steps.
The CMMC is a new unified security standard and certification process developed by the U.S. Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). In accordance with recent updates to DFARS 252.204, the Office of the Under Secretary of Defense (OUSD) will begin a phased rollout requiring contractors to achieve CMMC certification. Once the rollout is complete, nearly all companies seeking to respond to DoD proposal requests will require CMMC certification.
Kratos has years of experience in compliance and certification, risk management, cyber operations, defense and engineering. Services include vulnerability assessments, enterprise security architecture design, application security testing and risk management processes. Kratos cybersecurity services support the development and operation of proactive cybersecurity programs, the development of enterprise cloud security strategies, and the establishment of sound and practical information security architectures tailored to organizational needs.
Mark Williams, Vice President, Kratos Cybersecurity Services, explained: “As a member of the DIB Kratos underwent a rigorous assessment by the Defense Industrial Base Cybersecurity Assessment Center, which was a key factor in its early C3PAO authorization by the CMMC AB.”
Once authorized to begin conducting assessments, Kratos’ Provisional Assessor-led teams will conduct CMMC assessments consisting of up to four phases. The Planning phase includes assessment plan development and an assessment readiness review. The Assessment phase includes collecting and validating the required Objective Evidence (OE) and generating final results. Presentation of the results occurs in the Report Findings phase. If issues are identified in the Report Findings phase, the Remediation phase is dedicated to evaluating the remedial actions taken. Depending on assessment complexity, Kratos estimates that most assessments will be completed in four to six weeks.
Phil Carrai, President of Kratos Space, Training and Cyber Division, highlighted the importance of a robust CMMC program: “The recent spate of data breaches affecting both government and commercial organizations underscores the need for more robust security measures to protect critical information. For DoD this means increased protection of FCI and CUI data. CMMC will be a critical component of heightened security as all companies will need to pass strict CMMC security assessments before being awarded DoD contracts. Kratos is proud to be named one of the first C3PAOs. Our extensive experience in providing advisory and assessment services for compliance frameworks such as FedRAMP and others position us well to support CMMC.”
For more information on Kratos’ CMMC services visit: https://www.kratosdefense.com/cmmc-c3pao.
About Kratos Defense & Security Solutions
Kratos Defense & Security Solutions, Inc. (NASDAQ:KTOS) develops and fields transformative, affordable technology, platforms and systems for United States National Security related customers, allies and commercial enterprises. Kratos is changing the way breakthrough technology for these industries is rapidly brought to market through proven commercial and venture capital backed approaches, including proactive research and streamlined development processes. Kratos specializes in unmanned systems, satellite communications, cyber security/warfare, microwave electronics, missile defense, hypersonic systems, training, combat systems and next generation turbo jet and turbo fan engine development. For more information go to www.KratosDefense.com.
Notice Regarding Forward-Looking Statements
Certain statements in this press release may constitute “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. These forward-looking statements are made on the basis of the current beliefs, expectations and assumptions of the management of Kratos and are subject to significant risks and uncertainty. Investors are cautioned not to place undue reliance on any such forward-looking statements. All such forward-looking statements speak only as of the date they are made, and Kratos undertakes no obligation to update or revise these statements, whether as a result of new information, future events or otherwise. Although Kratos believes that the expectations reflected in these forward-looking statements are reasonable, these statements involve many risks and uncertainties that may cause actual results to differ materially from what may be expressed or implied in these forward-looking statements. For a further discussion of risks and uncertainties that could cause actual results to differ from those expressed in these forward-looking statements, as well as risks relating to the business of Kratos in general, see the risk disclosures in the Annual Report on Form 10-K of Kratos for the year ended December 27, 2020, and in subsequent reports on Forms 10-Q and 8-K and other filings made with the SEC by Kratos.
Press Contact: Yolanda White, 858-812-7302 Direct
Texas Governor Greg Abbott speaks in Dallas, Texas, U.S., May 4, 2018. REUTERS/Lucas Jackson/File Photo
15-Jun-2021 – Texas has amended its data breach notification law under HB 3746, requiring the state attorney general to post data breach notifications on a public website within 30 days of receipt and to remove them after one year unless the notifying party reports another breach.
On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, which amended the state’s data breach notification law. Existing Texas law requires reporting of data breaches that affect 250 or more residents to the state attorney general within 60 days of discovery. The amendments:
Require parties who experience a reportable data breach to include in their notification to the Texas Attorney General the number of affected residents they have notified.
Require the Texas Attorney General to post on its publicly accessible website a listing of each data breach notification report within 30 days of receipt, maintaining only the most currently updated listing; to exclude reported sensitive personal information or information that may compromise a system’s security or is confidential by law; and to remove notification reports from the website after one year if the notifying party does not report another breach during that period.
The amendments take effect on September 1, 2021.
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias.
(The Center Square) – Recent ransomware attacks have been making national headlines, but criminals have been targeting Illinois as well.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
A cyberattack hit the computer systems of the St. Clair County government this month. County officials dealt with the fallout for an entire week. A ransomware group claimed responsibility for the attack. It is not known whether the county paid a ransom.
An April cyberattack on the Illinois Attorney General’s computers took control of confidential files containing personal data, essentially locking down the office’s systems statewide.
Illinois Attorney General Kwame Raoul had been warned just two months before the attack: a state audit cited “weaknesses in cybersecurity programs and practices” and found vulnerabilities susceptible to cyberattack.
Rebuilding is underway as officials work with technical experts and law enforcement to understand the breach.
Nicole Perlroth covers cybersecurity and digital espionage for the New York Times. During an online discussion Tuesday with the Paul Simon Public Policy Institute at Southern Illinois University, she said the U.S. is ripe for the picking for cybercriminals.
“We are one of the most digitized nations in the world, we’re putting some of our most sensitive data and critical systems online, and all those systems aren’t controlled by the NSA or Cyber Command, they are controlled by private businesses,” Perlroth said.
Perlroth said hackers can infiltrate anything from a water treatment system down to your cellphone through a previously unknown vulnerability, or “zero-day.”
“If I’m a hacker and I find a flaw in your iPhone’s iOS mobile software and Apple doesn’t know about it, I can write code to exploit that,” Perlroth said.
State Farm, headquartered in Bloomington, has offered small businesses guidance on cybersecurity. The tips cover everything from strong passwords and card reader safety to understanding how thieves operate.
According to the Federal Communications Commission, small businesses nationwide lose an average of nearly $80,000 a year as a result of cyber breach incidents.
In 2016, Russian hackers penetrated Illinois’ election database.
President Joe Biden is expected to address cybercrime when he meets with Russian President Vladimir Putin in Geneva this week.