Attack Surface Management benchmark
Across all sectors, attack surfaces are growing and becoming more dynamic and complex. Using anonymized attack surface management data from the Sweepatic Platform we recently launched a benchmark for three industries, to investigate and compare their online exposure and posture.
Three industries were selected for this attack surface benchmark: Telecom, Pharma and Healthcare. For each industry, a sample of national and international organizations was selected. Per company, a number of primary domain names was onboarded in the Sweepatic Platform. The names and data of these companies have been anonymized. The snapshot was taken on 28 January 2021.
The Sweepatic Platform performs security checks for the attack surface of organizations. We call them observations. They can relate to:
vulnerabilities: CVEs found in the attack surface.
encryption: issues or findings concerning SSL certificates.
attack surface hygiene: the overall “cleanliness” of your attack surface. For example: do you have a lot of status code errors on websites or Shadow IT floating around?
The benchmark insights are summed up in these categories below.
Sweepatic found issues in every industry. Although Healthcare, for example, has a smaller attack surface, the priority ratio of its observations is comparable with that of the other two, larger industries. Additionally, Healthcare has more critical-high priority observations per 100 assets. Each industry can take a big step forward in terms of cyber resilience.
The key insight in terms of vulnerabilities found is that, due to the nature of the Telecom business, Telecom organizations not only carry more online assets but also expose many more online services to the internet. As a result, the Telecom industry has more vulnerabilities in its attack surface.
When we take a look at the critical-high priority vulnerabilities per 100 assets, however, we see that Healthcare scores higher.
In terms of SSL certificates, we see that the three industries are quite comparable. Sweepatic did find that Healthcare runs newer versions of the TLS protocol, possibly because a larger part of its infrastructure is outsourced (e.g. Let’s Encrypt).
In Pharma we see that products (e.g. medication) often have a dedicated website without SSL. TLS policies might be softer for this type of web page, because an attack on such a display site would have less impact on the business than an attack on core infrastructure assets.
Attack Surface Hygiene
The bigger the attack surface, the more hygiene problems.
Status code errors and default servers per website are most prominent in the Telecom industry. The Pharma industry, with its smaller footprint, comes second, and the still smaller footprint of the Healthcare industry shows the fewest attack surface hygiene problems.
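To make the two comparisons used above concrete (the priority ratio of observations and the number of critical-high observations per 100 assets, which let a small Healthcare footprint be compared with a large Telecom one) and to show how an encryption finding such as a product site without SSL turns into a prioritized observation, here is a small added example. It is not Sweepatic Platform code: the rating rule in rate_tls, the Observation record, the industry asset counts and the observations themselves are all constructed for illustration.

```python
"""Normalise attack-surface observations per industry (added example, not Sweepatic code)."""
from collections import defaultdict
from dataclasses import dataclass

CRITICAL_HIGH = {"critical", "high"}


@dataclass(frozen=True)
class Observation:
    industry: str
    asset: str      # hostname the finding was made on
    category: str   # "vulnerability", "encryption" or "hygiene"
    detail: str
    priority: str   # "critical", "high", "medium" or "low"


def rate_tls(min_protocol, cert_valid):
    """Hypothetical rating rule for encryption findings.

    min_protocol is the oldest protocol the site still negotiates; None means
    the site is served over plain HTTP, like the product sites mentioned for Pharma.
    """
    if min_protocol is None:
        return "critical"   # no TLS at all: traffic can be read and altered in transit
    if not cert_valid:
        return "high"       # expired or mismatched certificate
    if min_protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        return "medium"     # deprecated protocol version still enabled
    return "low"            # informational only


def benchmark(asset_counts, observations):
    """Per industry: totals, share of critical-high observations and critical-high per 100 assets."""
    by_industry = defaultdict(list)
    for obs in observations:
        by_industry[obs.industry].append(obs)
    result = {}
    for industry, assets in asset_counts.items():
        obs_list = by_industry.get(industry, [])
        crit_high = sum(1 for o in obs_list if o.priority in CRITICAL_HIGH)
        result[industry] = {
            "assets": assets,
            "observations": len(obs_list),
            "critical_high": crit_high,
            # share of all observations that are critical or high priority
            "priority_ratio": round(crit_high / len(obs_list), 3) if obs_list else 0.0,
            # normalised per 100 assets so footprints of different size can be compared
            "critical_high_per_100_assets": round(crit_high * 100 / assets, 2),
        }
    return result


def enc(industry, asset, min_protocol, cert_valid):
    """Build an encryption observation whose priority comes from rate_tls."""
    detail = f"oldest protocol={min_protocol}, certificate valid={cert_valid}"
    return Observation(industry, asset, "encryption", detail, rate_tls(min_protocol, cert_valid))


# Constructed sample inventory: internet-facing assets per (anonymised) industry.
SAMPLE_ASSETS = {"Telecom": 200, "Pharma": 100, "Healthcare": 40}

# Constructed sample observations; hostnames and findings are fictitious.
SAMPLE_OBSERVATIONS = [
    Observation("Telecom", "vpn.telco-a.example", "vulnerability", "end-of-life VPN firmware", "critical"),
    Observation("Telecom", "mail.telco-a.example", "vulnerability", "outdated mail server", "high"),
    Observation("Telecom", "www.telco-b.example", "vulnerability", "outdated CMS plugin", "medium"),
    Observation("Telecom", "cdn.telco-b.example", "hygiene", "HTTP 500 on landing page", "medium"),
    Observation("Telecom", "old.telco-a.example", "hygiene", "default web server page", "low"),
    enc("Telecom", "portal.telco-b.example", "TLSv1.2", True),
    enc("Telecom", "legacy.telco-a.example", "TLSv1", True),
    Observation("Pharma", "api.pharma-a.example", "vulnerability", "outdated API gateway", "high"),
    Observation("Pharma", "www.pharma-b.example", "vulnerability", "outdated CMS plugin", "medium"),
    enc("Pharma", "brand-x.example", None, True),   # product site served without TLS
    Observation("Pharma", "promo.pharma-b.example", "hygiene", "default web server page", "low"),
    Observation("Healthcare", "patients.clinic-a.example", "vulnerability", "outdated patient portal", "high"),
    enc("Healthcare", "www.clinic-b.example", "TLSv1.2", True),
    Observation("Healthcare", "staging.clinic-a.example", "hygiene", "forgotten staging host", "low"),
]

if __name__ == "__main__":
    for industry, row in benchmark(SAMPLE_ASSETS, SAMPLE_OBSERVATIONS).items():
        print(industry, row)
```

With this constructed sample, Telecom has the most observations in absolute terms, but Healthcare ends up with more critical-high observations per 100 assets, which is the effect the benchmark describes: raw counts favour the smaller footprint, the normalised figure does not.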
We can conclude that all three sectors are exposing issues online, including critical vulnerabilities, encryption problems and attack surface hygiene concerns.
Additionally, these issues are detectable by bad actors without using disruptive scanning tools. The Sweepatic Platform was able to detect the issues using passive reconnaissance techniques, similar to what bad actors are doing on a daily basis to select their targets.
Three steps can help you make your organization more cyber resilient: (1) map all your internet-facing assets and check them regularly, (2) embrace automation, (3) update IT and remove what no longer has a business justification. Read more about this last step in our blogpost about attack surface reduction.
If we sparked your interest and you would like to know more about Attack Surface Management, or how your organization compares within your industry, schedule a personalized demo with one of our experts.
Feel free to subscribe to our newsletter to stay in the loop. We promise we won’t spam you.