The COVID-19 pandemic expanded the number of new remote work environments and rapidly accelerated advances in business technology operations for all organizations. This digital transformation encouraged many enterprises to re-prioritize their cybersecurity strategy. In the past two years, more enterprises began to increase their investment in network detection and response, as well as on educating internal and external stakeholders about best practices in cybersecurity.
Despite these gains in cybersecurity defense strategies, earlier this year experts around the world noticed an alarming rise in cyberthreats after the Russian invasion of Ukraine. The threat level was so high that the US Cybersecurity and Infrastructure Security Agency (CISA) issued its first-ever Shields Up notice warning that the Russian government and its allies (both nation-state and independent) were likely to increase cyberattacks against Western governments and organizations in retaliation for their support of Ukraine.
The Shields Up notice also provided guidance for organizations to strengthen their overall security posture, starting with reducing the likelihood of a damaging cyber intrusion. It outlines essential steps security teams should take, including:
- Update software, prioritizing those that address known exploited vulnerabilities
- Disable all ports and protocols that are not essential
- Implement strong cloud controls
- Quickly identify and assess unusual network behavior
As a cybersecurity company, one recommendation we homed in on is helping organizations disable all unnecessary or insecure ports and protocols. This guidance may seem straightforward, but our threat research team at ExtraHop conducted a study on the prevalence of insecure protocols and found that a surprising number of organizations still expose, either as a calculated risk or as a result of misconfiguration, notoriously insecure protocols like Server Message Block version 1 (SMBv1) to the internet.
To help IT leaders assess their risk posture and attack surface visibility relative to other organizations, our research team took a deeper look at network protocols that are exposed to the public internet. The findings were published in the ExtraHop Benchmarking Cyber Risk and Readiness report, which analyzes the cybersecurity posture of organizations based on open ports and sensitive protocol exposures.
Benchmarking Cyber Risk Assessment Key Findings
Among the respondents surveyed, there was a high number of organizations with exposed database protocols. Database protocols enable users and software to interact with databases, inserting, updating, and retrieving information. When an exposed device is listening on a database protocol, it exposes the database and its critical and sensitive information. We found that 24% of organizations expose Tabular Data Stream (TDS, often used by Microsoft SQL Server) and 13% expose Transparent Network Substrate (TNS, often used by Oracle) to the public internet. Both are protocols for communicating with databases that transmit data in plaintext.
Findings revealed that organizations’ Lightweight Directory Access Protocol (LDAP) exposure is also high. LDAP is a vendor-neutral application protocol that maintains distributed directory information in an organized, easy-to-query manner. Windows systems use LDAP to look up usernames in Active Directory. By default, these queries are transmitted in plaintext. With 41% of organizations having at least one device exposing LDAP to the public internet, this sensitive protocol has an outsized risk factor.
One of the most alarming findings noted is that some organizations continue to leverage Telnet. Telnet, an old protocol for connecting to remote devices, has been deprecated since 2002. Yet 12% of organizations surveyed have at least one device exposing Telnet to the public internet. As a best practice, IT organizations should disable Telnet anywhere it is found on their network – it is an old, outdated and very insecure protocol.
Additional Findings
- SSH is the Most Exposed Sensitive Protocol: Secure Shell (SSH) is a well-designed protocol with good cryptography for securely accessing remote devices. It is also one of the most widely used protocols, making it a favorite target for cybercriminals looking to access and control devices across an enterprise. Sixty-four percent of organizations have at least one device exposing this protocol to the public internet.
- File Server Protocols At Risk: In looking at the four protocol types (file server protocols, directory protocols, database protocols, and remote control protocols), the vast majority of cyberattacks occur in file server protocols, which involve attackers moving files from one place to another. Thirty-one percent of organizations have at least one device exposing Server Message Block (SMB) to the public internet.
- FTP is Not As Secure As it Can Be: File Transfer Protocol (FTP) is not a full-service file access protocol. It sends files over networks as a stream and offers practically no security. It transmits data, including usernames and passwords, in plaintext, which makes its data easy to intercept. While there are at least two secure alternatives, 36% of organizations expose at least one device using this protocol to the public internet.
- Protocol Usage Differs by Industry: The variation reflects different industries investing in different technologies and having different requirements for storing data and interacting with remote users. When considering all industries together, SMB was the most prevalent protocol exposed.
  - In financial services, SMB is exposed in 28% of organizations.
  - In healthcare, SMB is exposed in 51% of organizations.
  - In manufacturing, SMB is exposed in 22% of organizations.
  - In retail, SMB is exposed in 36% of organizations.
  - In state and local government, SMB is exposed in 45% of organizations.
  - In tech, SMB is exposed in 19% of organizations.
Long-Term Impact of Exposed Protocols
Oftentimes, organizations aren’t aware these sensitive protocols are exposed. Exposure can result from simple human error or from default settings; other times it stems from a lack of security understanding on the part of the IT teams setting up their network configurations.
Many of these protocols are connected to sensitive information – passwords in plain text, Active Directory usernames (where sadly the password is often “admin”) and other sensitive information that can make it very easy for cybercriminals to gain access to your environment, critical or sensitive information, and even your intellectual property. We know that SMBv1 is vulnerable to EternalBlue, a serious and well-known exploit that allows hackers to gain remote access and has been used to propagate the infamous WannaCry ransomware.
Safeguarding Your Organization Against Exposed Protocols
Organizations in every industry should perform a risk assessment to understand their own use of network protocols, especially their use of protocols exposed to the internet. Some of these protocols such as SMBv1 and Telnet are inherently risky. IT leaders should do everything they can to remove them from their environments. The other protocols highlighted in the report findings are risky when exposed to the public internet, making them a target for cybercriminals. By analyzing their own network and device configurations and traffic patterns, organizations can better understand their security risks and take action to improve their cybersecurity readiness.
To continue to monitor the network, organizations should build and maintain an inventory of software and hardware in their environment so defenders can track what is being used and where. Having a baseline of “normal” makes it easier to spot anomalous, potentially malicious behavior.
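A concrete form of the risk assessment and inventory check described above, as an added example and not code from ExtraHop or the report: it walks an asset inventory of listening services and applies the report's two-tier rule, flagging the inherently risky protocols (Telnet, SMBv1) wherever they appear and the other sensitive protocols only where they listen on an internet-facing address. The port-to-protocol mapping, the internal address ranges, and the inventory format (host, IP, port, detail) are this example's assumptions; a listening address outside the internal ranges is treated as exposed, which an external scan or firewall rule review should confirm.

```python
import ipaddress
from collections import namedtuple

# Default listening ports for the protocols the report names (IANA well-known ports; this mapping is the example's assumption).
SENSITIVE_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 389: "LDAP", 445: "SMB",
    1433: "TDS (MSSQL)", 1521: "TNS (Oracle)",
}
# Inherently risky per the report: flag wherever found, not only when exposed.
REMOVE_ANYWHERE = {"Telnet", "SMBv1"}
# Address space treated as internal (RFC 1918, loopback, link-local); any other
# listening address is assumed internet-facing. Adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

Finding = namedtuple("Finding", "host ip port protocol action")

def is_internet_facing(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def assess(listeners):
    """listeners: (host, ip, port, detail) tuples from an asset-inventory or
    listening-port export. Returns Findings with action 'remove' (inherently
    risky protocol, anywhere) or 'restrict' (sensitive protocol on a public IP)."""
    findings = []
    for host, ip, port, detail in listeners:
        proto = SENSITIVE_PORTS.get(port)
        if proto is None:
            continue
        # A port number cannot tell SMB dialects apart; the inventory's detail
        # column is assumed to carry the negotiated dialect.
        if proto == "SMB" and detail == "SMBv1":
            proto = "SMBv1"
        if proto in REMOVE_ANYWHERE:
            findings.append(Finding(host, ip, port, proto, "remove"))
        elif is_internet_facing(ip):
            findings.append(Finding(host, ip, port, proto, "restrict"))
    return findings

# Constructed sample inventory; documentation-range IPs stand in for public ones.
SAMPLE = [
    ("fs01", "203.0.113.10", 445, "SMBv1"),   # SMBv1 on a public IP -> remove
    ("fs02", "10.0.4.7", 445, "SMB3"),        # SMB3, internal only -> no finding
    ("db01", "198.51.100.5", 1433, ""),       # MSSQL/TDS exposed -> restrict
    ("dc01", "10.0.0.2", 389, ""),            # LDAP internal only -> no finding
    ("sw01", "10.0.1.9", 23, ""),             # Telnet, even internal -> remove
    ("web01", "203.0.113.20", 443, "HTTPS"),  # not a report protocol -> ignored
]
```

Running `assess(SAMPLE)` yields three findings (fs01 remove, db01 restrict, sw01 remove); feed it your own export to produce the remove/restrict list for the risk assessment.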
To learn more about the survey findings, read the full ExtraHop Benchmarking Cyber Risk and Readiness report.