The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued guidance to infosec pros on ways they can find insecure IT and OT systems, including servers, databases, sensors, switches, routers, and industrial control systems, and shield them from the public internet.
Misconfigured systems, default credentials, and outdated software are often easily discovered through free internet-wide search and discovery platforms such as Shodan, Censys.io and Thingful, tools that criminals as well as defenders can use, the guidance warns. The discovery this week of an unprotected 12TB database of sensitive personal information exposed on the internet is yet another example of how these mistakes and unpatched vulnerabilities leave crucial information held by organizations open for the taking.
Guidance from CISA
Solving the problem is simple for a CISO, the guidance said: Just ask, ‘Does this have to be open to the internet?’
That, of course, assumes they know every asset in their IT/OT environment, which means, to begin with, every organization has to do an asset inventory. There’s no shortage of vendors offering asset management software, and in some countries, their national cybersecurity agency (CISA in the US) may do vulnerability scans for organizations.
Then the CISO has to evaluate which assets need to be internet-accessible for operational purposes by using these yardsticks:
- Necessity: Is the exposed system or service essential for operations?
- Business justification: What operational need requires this exposure?
- Security measures: Can you restrict access via VPNs or better secure it with multifactor authentication?
- Maintenance: Is the system or service up to date with the latest security patches?
Assets and services that don’t have to be open to the internet should either be disconnected or have their access restricted. But make sure the changes don’t inadvertently disrupt essential services or operations, the CISA guidance adds.
The third step is to mitigate risks to remaining exposed assets by:
- changing default passwords and enforcing strong authentication mechanisms;
- creating a patch management regime to ensure systems are patched;
- utilizing Virtual Private Networks (VPNs) to secure remote access;
- implementing multifactor authentication (MFA) where possible.
Finally, CISOs should regularly review and monitor internet-accessible assets to make sure policy is being enforced.
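The four steps above (inventory, decide what must be exposed, restrict the rest, then keep reviewing) only work if the review is repeatable. The following added example, which is not code from CISA or CSO Online, turns the review step into a script: it parses the grepable output of an external port scan (the `nmap -oG` line layout), compares each open service against an inventory that records the business justification for every approved exposure, and ranks the gaps. Hosts, approved services and scan lines are all constructed for illustration; the addresses are from the RFC 5737 documentation range.

```python
"""Exposure review: compare what an external scan actually sees with the
services the organisation has decided may face the internet.

Added example, not code from CISA or CSO Online. All hosts, services and
scan lines below are constructed; 203.0.113.0/24 is the RFC 5737
documentation range.
"""
from dataclasses import dataclass

# Services the ISC data quoted in the article names as top targets;
# an unapproved exposure of one of these is the first thing to fix.
HIGH_RISK_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb",
                   3389: "rdp", 5900: "vnc"}

# The asset inventory's answer to "does this have to be open to the
# internet?": per host, the (port, proto) pairs with a recorded
# business justification. Constructed data.
APPROVED = {
    "203.0.113.10": {(80, "tcp"): "redirect to https",
                     (443, "tcp"): "public web front end"},
    "203.0.113.20": {(443, "tcp"): "VPN concentrator, MFA enforced"},
    "203.0.113.50": {(443, "tcp"): "partner API"},
}

# Constructed scan result in nmap "grepable" (-oG) layout, as produced by
# a scan run from an external IP address. Fields are tab-separated.
SCAN_OUTPUT = (
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.20 ()\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///\n"
    "Host: 203.0.113.30 ()\tPorts: 23/open/tcp//telnet///, 8080/open/tcp//http-proxy///\n"
    "Host: 203.0.113.40 ()\tStatus: Up\n"
)

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    severity: str
    reason: str


def parse_grepable(text):
    """Return (host, port, proto, service) for every open port in -oG output."""
    observed = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # host answered, but nothing open was recorded
        for entry in ports_field[len("Ports:"):].split(","):
            # -oG port entry layout: port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":
                observed.append((host, port, proto, service))
    return observed


def review_exposure(approved, observed):
    """Flag exposures without a justification and approved ones that vanished."""
    findings = []
    seen = set()
    for host, port, proto, service in observed:
        seen.add((host, port, proto))
        severity = "high" if port in HIGH_RISK_PORTS else "medium"
        if host not in approved:
            findings.append(Finding(host, port, proto, service, severity,
                                    "host absent from asset inventory"))
        elif (port, proto) not in approved[host]:
            findings.append(Finding(host, port, proto, service, severity,
                                    "service has no recorded business justification"))
    # An approved exposure the scan no longer sees means the inventory is
    # stale (decommissioned, moved) or the scanner was blocked; either way
    # the record needs a second look rather than silent acceptance.
    for host, services in approved.items():
        for (port, proto), justification in services.items():
            if (host, port, proto) not in seen:
                findings.append(Finding(host, port, proto, "-", "info",
                                        f"approved exposure not observed: {justification}"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))
    return findings


if __name__ == "__main__":
    for f in review_exposure(APPROVED, parse_grepable(SCAN_OUTPUT)):
        print(f"{f.severity:6} {f.host}:{f.port}/{f.proto} {f.service:10} {f.reason}")
```

On the constructed data the script reports the SSH port on the VPN concentrator and the telnet port on an uninventoried host as high, the admin-style HTTP proxy on that same unknown host as medium, and the partner API that the scan did not see as an informational inventory gap. To use it for real, replace `APPROVED` with an export from the asset inventory and feed it the `-oG` file from a scan run from outside the perimeter, not from inside where firewall rules hide what the internet sees. It does not check credentials or patch levels, so it covers the "necessity" and "business justification" questions, not the "maintenance" one.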
The guidance doesn’t mention it, but employee awareness training also plays a role, because some or all staff may be able to put an asset online unsafely, either directly or through a cloud storage service (for example, Dropbox or an Amazon S3 bucket) or a cloud computing platform (for example, AWS or Microsoft Azure).
How big is the problem?
It’s not easy to quantify the number of breaches of security controls and data thefts due to unpatched assets, or assets being online when they shouldn’t be, but the latest Verizon Data Breach Investigations Report says 60% of the breaches it looked at involved a human element (including misconfigurations, errors, and credential abuse).
Credential abuse was an initial access factor in 22% of the breaches, closely followed by exploitation of vulnerabilities (20%).
But CISOs need to ask themselves how many breaches of security controls during their careers were related to things that shouldn’t have been exposed to the internet in the first place.
Exposed assets, in particular, assets exposed without proper configuration and management, are a huge issue, said Johannes Ullrich, dean of research at the SANS Institute.
Guidance ‘covers the basics’
“The data we collect at the Internet Storm Center shows that assets are scanned and discovered within minutes of being exposed,” he said in an email. “The top targets are exposed telnet and SSH servers with weak passwords, web-based admin consoles for various devices (cameras, firewalls, network storage devices), and remote access tools like [Windows] RDP.” This has become an even larger problem with so many applications being deployed in the cloud, he added, which does make it much more difficult to restrict access to them.
“The CISA guidance is making good points and covers the basics,” he said, “but the tricky part is to scale these efforts. Public search engines like Shodan and Censys are helpful [to infosec pros], but they should not replace regular scans from an external IP address.”
Additional defenses
The CISA recommendations fall into the category of core fundamentals that any organization has an obligation to address, said David Lewis, global advisory CISO at 1Password. “Defense in depth is essential.”
While CISA’s guidance provides a solid foundation, he suggested some enhancements that can be employed:
- Identity and Access Management (IAM) is absolutely critical in cybersecurity. Misconfigurations and compromised credentials are significant vulnerabilities that plague our daily lives, especially as organizations adopt complex identity ecosystems. Incorporating detailed IAM strategies into exposure reduction efforts could strengthen the guidance.
- Device Trust and Compliance: Security programs should work to ensure that only trusted, compliant devices access organizational resources. The risks posed by unmanaged or non-compliant devices, or shadow IT, can be exploited by attackers. Thus integrating device compliance checks into exposure assessments could enhance security.
“CISA’s guidance offers valuable steps for reducing internet exposure,” he said. “However, incorporating comprehensive IAM practices, extended access management, and device compliance measures could provide a more robust defense against cyber threats. By addressing these areas, organizations can better protect themselves against breaches stemming from unnecessary internet exposure.”
Originally published by CSO Online as “CISA asks CISOs: Does that asset really have to be on the internet?”