{"id":3467,"date":"2025-06-06T02:53:19","date_gmt":"2025-06-06T02:53:19","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3467"},"modified":"2025-06-06T02:53:19","modified_gmt":"2025-06-06T02:53:19","slug":"cisa-asks-cisos-does-that-asset-really-have-to-be-on-the-internet","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3467","title":{"rendered":"CISA asks CISOs: Does that asset really have to be on the internet?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued guidance to infosec pros on ways they can find insecure IT and OT systems, including servers, databases, sensors, switches, routers, and industrial control systems, and shield them from the public internet.<\/p>\n<p>Misconfigured systems, default credentials, and outdated software are often easily discovered through free internet-based search and discovery platforms such as Shodan,\u00a0Censys.io\u00a0and Thingful, tools that crooks as well as defenders can use, the guidance warns.\u00a0And the discovery this week of an <a href=\"https:\/\/www.vpnmentor.com\/news\/report-passionapps-breach\/\" target=\"_blank\" rel=\"noopener\">unprotected 12TB database<\/a> of sensitive personal information exposed on the internet is yet another example of how these mistakes or unpatched vulnerabilities leave crucial information held by organizations exposed for plucking.<\/p>\n<h2 class=\"wp-block-heading\">Guidance from CISA<\/h2>\n<p>Solving the problem is simple for a CISO, the <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/exposure-reduction\" target=\"_blank\" rel=\"noopener\">guidance<\/a> said: Just ask, \u2018Does this have to be open to the internet?\u2019 <\/p>\n<p>That, of course, assumes 
they know every asset in their IT\/OT environment, which means, to begin with, every organization has to do an asset inventory. There\u2019s no shortage of vendors offering asset management software, and in some countries the national cybersecurity agency (CISA in the US) may do vulnerability scans for organizations.<\/p>\n<p>Then the CISO has to evaluate which assets need to be internet-accessible for operational purposes by using these yardsticks:<\/p>\n<p><strong>Necessity<\/strong>:\u00a0Is the exposed system or service essential for operations?<\/p>\n<p><strong>Business justification<\/strong>:\u00a0What operational need requires this exposure?<\/p>\n<p><strong>Security measures<\/strong>:\u00a0Can you restrict access via VPNs or better secure it with multifactor authentication?<\/p>\n<p><strong>Maintenance<\/strong>:\u00a0Is the system or service up to date with the latest security patches?<\/p>\n<p>Assets and services that don\u2019t have to be open to the internet should either be disconnected or have their access restricted. 
But make sure the changes don\u2019t inadvertently disrupt essential services or operations, the CISA guidance adds.<\/p>\n<p>The third step is to mitigate risks to remaining exposed assets by:<\/p>\n<p>changing default passwords and enforcing strong authentication mechanisms;<\/p>\n<p>creating a patch management regime to ensure systems are patched;<\/p>\n<p>utilizing Virtual Private Networks (VPNs) to secure remote access;<\/p>\n<p>implementing multifactor authentication (MFA) where possible.<\/p>\n<p>Finally, CISOs should regularly review and monitor internet-accessible assets to make sure policy is being enforced.<\/p>\n<p>The guidance doesn\u2019t mention it, but employee awareness training also plays a role, because some or all staff may have the ability to put an asset unsafely online directly, or through the use of a cloud storage platform (for example, Dropbox or an Amazon S3 data bucket) or a cloud data processing service (for example, Amazon AWS, Microsoft Azure).<\/p>\n<h2 class=\"wp-block-heading\">How big is the problem?<\/h2>\n<p>It\u2019s not easy to quantify the number of breaches of security controls and data thefts due to unpatched assets, or assets being online when they shouldn\u2019t be, but the latest <a href=\"https:\/\/www.csoonline.com\/article\/3970094\/cybercriminals-switch-up-their-top-initial-access-vectors-of-choice.html?utm=hybrid_search\" target=\"_blank\" rel=\"noopener\">Verizon Data Breach Investigation report<\/a> says 60% of the breaches it looked at involved a human element (including misconfigurations, errors, and credential abuse).<\/p>\n<p>Credential abuse was an initial access factor in 22% of the breaches, closely followed by exploitation of vulnerabilities (20%).<\/p>\n<p>But CISOs need to ask themselves how many breaches of security controls during their careers were related to things that shouldn\u2019t have been exposed to the internet in the first place.<\/p>\n<p>Exposed assets, in particular, assets exposed without 
proper configuration and management, are a huge issue, said Johannes Ullrich, dean of research at the SANS Institute.<\/p>\n<h2 class=\"wp-block-heading\">Guidance \u2018covers the basics\u2019<\/h2>\n<p>\u201cThe data we collect at the Internet Storm Center shows that assets are scanned and discovered within minutes of being exposed,\u201d he said in an email. \u201cThe top targets are exposed telnet and SSH servers with weak passwords, web-based admin consoles for various devices (cameras, firewalls, network storage devices), and remote access tools like [Windows] RDP.\u201d\u00a0This has become an even larger problem with so many applications being deployed in the cloud, he added, which does make it much more difficult to restrict access to them.\u00a0<\/p>\n<p>\u201cThe CISA guidance is making good points and covers the basics,\u201d he said, \u201cbut the tricky part is to scale these efforts. Public search engines like Shodan and Censys are helpful [to infosec pros], but they should not replace regular scans from an external IP address.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Additional defenses<\/h2>\n<p>The CISA recommendations fall into the category of core fundamentals that any organization has an obligation to address, said David Lewis, global advisory CISO at 1Password. \u201cDefense in depth is essential.\u201d<\/p>\n<p>While CISA\u2019s guidance provides a solid foundation, he suggested some enhancements that can be employed:<\/p>\n<p><strong>Identity and Access Management (IAM)<\/strong> is absolutely critical in cybersecurity. Misconfigurations and compromised credentials are significant vulnerabilities that plague our daily lives, especially as organizations adopt complex identity ecosystems. 
Incorporating detailed IAM strategies into exposure reduction efforts could strengthen the guidance.<\/p>\n<p><strong>Device Trust and Compliance<\/strong>: Security programs should work to ensure that only trusted, compliant devices access organizational resources. Unmanaged or non-compliant devices, and shadow IT, are risks that attackers can exploit. Thus, integrating device compliance checks into exposure assessments could enhance security.<\/p>\n<p>\u201cCISA\u2019s guidance offers valuable steps for reducing internet exposure,\u201d he said. \u201cHowever, incorporating comprehensive IAM practices, extended access management, and device compliance measures could provide a more robust defense against cyber threats. By addressing these areas, organizations can better protect themselves against breaches stemming from unnecessary internet exposure.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued guidance to infosec pros on ways they can find insecure IT and OT systems, including servers, databases, sensors, switches, routers, and industrial control systems, and shield them from the public internet. 
Misconfigured systems, default credentials, and outdated software are often easily discovered through free [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3468,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3467","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3467"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3467"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3467\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3468"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}