KEY HIGHLIGHTS FROM THE REPORT
Defend Forward With New Insights Into Attack Surface Exposures
1 in 425 publicly accessible assets will become exploitable over a 12-month period
32% of exposures found are categorized as misconfigurations
20% of all findings are rated as critical or high in severity
Which Exposures Are Most Impactful?
Industry Breakdown by Exposure Severity
Looking at the distribution of exposure severity by industry shows where the race against time really comes into play. Utilities ranked very high in the number of exposures, at 1,039, but only 9% of those exposures carry a critical or high severity rating, meaning there are few instances where attackers have unabated, business-impactful access to infrastructure in this industry.
On the other hand, while the number of Software and Services findings is significantly lower, the severity of those exposures tells a different story – indicative of a more vulnerable attack surface than meets the eye. Critical and high severity ratings accounted for 26% of exposures, ranking this industry second highest by exposure severity.
Which Exposures Are Most Prevalent?
Industry Breakdown by Exposure Category
Looking at the exposures by category paints a more detailed picture of the real dangers at hand. We’ve grouped our exposure findings into five categories, each with an associated percentage, to further analyze vulnerabilities across attack surfaces.
When analyzing the distribution across industries, it is evident that the types of exposures vary greatly. For instance, the Utilities sector is most susceptible to vulnerable configurations (63%), while the Telecom industry is more susceptible to exposures related to sensitive information disclosure and insecure or exposed web services (66%).
WHAT IS SLIPPING THROUGH THE CRACKS?
Exploitable Exposures for Publicly Facing Assets
To visualize the real-world business impact of leaving exposures to chance, we produced a large-scale illustration of our findings using a propensity model scaled to 100k publicly facing assets.
Here's what we found:
- 235 exposures will become exploitable across all industries over a 12-month period.
- Financial Services has a better track record than the industry average (119 exposures), no doubt due to good hygiene and mature security programs.
- However, Manufacturing stands at a significantly higher risk with 1,043 exposures.
Continuous Testing: How to Calculate ROI for Your Business
As attack surfaces rapidly expand and adversaries up the ante, our approach to security must evolve faster than ever. But justifying security solutions can be an uphill battle without knowing the impact they will have on your business.
Use our customizable calculation method to determine your ROI for a continuous offensive testing solution. The method is purposefully built around the cost savings and risk mitigation associated with a public breach resulting in data disclosure.
Find Attack Surface Exposures Before Adversaries Do
As the marketplace continues to explode with security offerings, it is important to focus sharply on the security needs of the external perimeter and on reducing the time it takes to beat attackers to the exposures that present business risk. This requires a complete strategy that not only discovers assets and exposures, but also validates exploitability under real-world conditions and prioritizes those that are most dangerous to business operations.
— The Bishop Fox Team