Most cybersecurity vendors at risk due to Internet-exposed IT assets

Jai Vijayan, Dark Reading

March 6, 2022


For all their domain expertise, many cybersecurity vendors are as dangerously exposed to Internet-borne threats as the customers their technologies are designed to protect.

Israel-based security vendor Reposify recently used its external attack surface management platform to scan the externally facing assets and networks of 35 major cybersecurity vendors and more than 350 of their subsidiaries over a two-week period. Reposify’s 24×7 Internet scans — like those of other vendors in the space — are designed to help organizations get an understanding of their attack surface and exposure so they can bolster or implement new controls where needed.

Reposify focused on externally facing infrastructure, applications, and user profiles, says Yaron Tal, founder and CTO at Reposify. This included cloud-hosted databases; remotely accessed sites; Web-facing applications; internal network assets, such as portmappers, routers, switches, Web servers, storage, and backup; and development tools, he says.

The company’s scans showed a high percentage of cybersecurity vendors are dangerously exposed to many of the same threats they are supposed to help protect against. Nearly nine in 10 (86%) of the cybersecurity companies analyzed had at least one sensitive remote-access service exposed to the Internet, and 80% had exposed network assets. Sixty-three percent of the vendors had back-office networks that were directly accessible via the Internet, just over half (51%) had at least one exposed database, and 40% had exposed development tools.

Reposify found that like organizations in other industries, almost all cybersecurity vendors are at considerable risk of data loss and compromise from poorly protected data on public cloud services. Some 97% — in other words, nearly all — of the cybersecurity vendors that Reposify scanned over the two-week period had exposed data assets on Amazon Web Services (AWS) and other cloud infrastructure. Some 42% of those assets could be classified as being at either high or critical risk, Reposify said.

“Just one of these statistics is concerning enough,” Tal says. “But the combination points to a sincere need for the industry to better practice what it preaches,” he says.

Tal says the findings are consistent across the financial, pharmaceutical, and gaming sectors. Similar scans that Reposify did of companies in the pharmaceutical sector showed 92% of them had exposed databases, while 55% of organizations in the gaming industry and 23% in the finance sector had the same problem. What’s different about cybersecurity companies is they should know about the dangers of exposed assets on the Internet, he notes.

To read the complete article, visit Dark Reading.

 
