Most Fortune 500 companies’ external IT infrastructure considered at risk

73% of Fortune 500 companies’ total IT infrastructure is external to the organization, of which 24% is considered at risk or has a known vulnerability. The total IT infrastructure includes the IT assets that are owned and operated by vendors the Fortune 500 enterprises incorporated into their online footprint. These IT assets include servers, cloud storage, CDNs, DNS (Domain Name Servers), email servers and other online elements.

71% of total cloud-based IT assets are external to the organization, of which 25% failed at least one security test. An example of a cloud vulnerability is cloud storage configured to allow anyone to read or write its contents.

Insecure login pages and vulnerable cloud assets

On average, a Fortune 500 company’s infrastructure contains 126 different login pages for either customer or employee portals or services; the highest number was over 3,000. Nearly 10% of these login pages are considered insecure due to the transmission of unencrypted login data, or due to issues with the SSL certificates that help ensure the submission is being sent to the authorized destination:

- 30% allow transmission over HTTP
- 12% have invalid certificates/encryption

Hackers exploiting these logins could access a wealth of sensitive employee or customer data.

Fortune 500 organizations connect to an average of 951 cloud assets, of which nearly 5% are vulnerable to severe abuse. For example, a misconfigured AWS bucket could allow hackers to read or overwrite the data, which could be customer PII or application code. The largest exposure was well over 30K cloud assets.

According to Gartner, “EASM is an emerging concept that is growing quickly in terms of awareness within the security vendor community but at a slower pace within end-user organizations… They help security professionals identify exposed vulnerabilities from known and unknown enterprise assets and prioritize the most critical issues to be tackled… EASM should be part of a broader vulnerability and threat management effort aimed at discovering and managing internal- and external-facing assets and their potential vulnerabilities.”

Third-party vendors also adopting a distributed IT infrastructure

Traditional third-party risk management solutions have focused exclusively on the vendors and the IT infrastructures that are directly connected to the enterprise. This approach ignores the true scale of the problem and represents only the tip of the iceberg.
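The login-page finding above (credentials transmitted over plain HTTP) is something an asset owner can check for in their own inventory before an attacker does. The following is an added example, not code from the article or from the vendor that produced the report: it parses a page's HTML, finds every form containing a password field, resolves the form's action against the page URL, and reports forms that would post credentials to a non-HTTPS target, as well as login pages that are themselves served over HTTP (a plain-HTTP page can be rewritten in transit, so its form target is not trustworthy even if it says https). The sample pages and hostnames are constructed for illustration. The article's second criterion, invalid certificates, requires a live TLS handshake and is not covered by this offline check.

```python
"""Flag login forms that would send credentials over plain HTTP.

Added example (constructed inputs, not real sites): parses HTML, finds forms
with a password field, resolves each form's action against the page URL and
reports any that do not submit over HTTPS.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects {"action": str, "password": bool} for each <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases names; values keep their case
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_logins(page_url, html):
    """Return a list of (reason, target_url) findings for login forms on page_url.

    reason is one of:
      "page-over-http"   the login page itself is served without TLS
      "action-over-http" a password form posts to a non-https target
    """
    findings = []
    if urlsplit(page_url).scheme.lower() == "http":
        findings.append(("page-over-http", page_url))

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["password"]:
            continue  # not a login form (search box, newsletter signup, ...)
        # urljoin handles relative actions; an empty action posts back to the page itself.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append(("action-over-http", target))
    return findings


# Constructed sample pages keyed by the URL they were fetched from (hypothetical hosts).
SAMPLE_PAGES = {
    "https://portal.example.test/login": """
        <form method="post" action="/session">
          <input name="user"><input type="password" name="pw">
        </form>""",
    "https://portal.example.test/legacy": """
        <form method="post" action="http://auth.example.test/login">
          <input name="user"><input type="PASSWORD" name="pw">
        </form>
        <form action="/search"><input name="q"></form>""",
    "http://intranet.example.test/": """
        <form method="post">
          <input type="password" name="pw">
        </form>""",
}


def audit(pages=SAMPLE_PAGES):
    """Return {page_url: findings} for every page with at least one finding."""
    report = {}
    for url, html in pages.items():
        findings = find_insecure_logins(url, html)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit().items():
        for reason, target in findings:
            print(f"{url}: {reason} -> {target}")
```

In a real inventory sweep the HTML would come from fetching each discovered login URL; the classification logic stays the same. Only the scheme of the resolved target is inspected, so a relative action on an HTTPS page is correctly treated as HTTPS, while a form on an HTTP page is reported twice (once for the page, once for the target) because both problems need fixing.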

Read full article on Help Net Security