- More than one-quarter of companies cite data stores as the most common "unsafe" service and at risk of unintended exposure, according to a report by RiskRecon, a Mastercard company. The assessment included "millions of internet-facing systems" in more than 40,000 commercial and public institutions. Almost 13% of unsafe services are remote access accounts and 5% are network administration.
- Of the unsafe data stores, MySQL "is clearly the biggest offender," according to the report. More than 24% of companies expose at least one MySQL database to the internet. Other top database offenders include PostgreSQL, Samba, and Microsoft SQL Server.
- The most unsafe remote access services are Remote Desktop Protocol (RDP), Point-to-Point Tunneling Protocol (PPTP), and Telnet, according to the report. However, the remote access services and MySQL are not as problematic when compared to services found with high or critical security issues. The severity of ElasticSearch and MongoDB exposure to the internet is four to five times higher than the baseline, when compared to services that don't run on internet-facing hosts, according to the report.
Some of the most publicized breaches led back to exposed databases or cloud configuration mismanagement. Some security controls, such as web applications firewalls, are deployed with default settings companies leave untouched. The same excuse isn't applicable to other network services, like MySQL.
"The issue is that organizations are failing to implement the basic, longstanding practice of network filtering to limit services to the internet that are necessary and appropriate," Kelly White, founder and CEO of RiskRecon, said in an email. Public websites are just that — meant for the public.
"In the world of cloud computing, this is an increasing source of problems," said White.
The lag between public cloud use and container security is significant enough for developers to bypass security teams. Ninety-six percent of IT managers have concerns about their current cloud security, according to a Sophos report. Two-thirds of data breaches were caused by security misconfigurations and the rest were caused by stolen cloud credentials.
For unsafe network services, "the only thing standing between a hacker and the data in the MySQL database is an authentication credential or a database vulnerability. So much for defense-in-depth," the report said.
Remote work in the pandemic distributed the workforce and data access points. "IT operations in the face of COVID[-19] is making all things in cybersecurity more challenging," said White. "Organizations are going to make mistakes" or "take on risks that result in higher rates of breaches."
Organizations are deploying more off-premise solutions, and they're doing it fast, which is "a recipe for error," said White.
Basic internet security hygiene is decades-old, and "identifying unsafe network services exposed on an internet-facing system is very simple," said White. Free or commercial tools including Nmap, Qualys or Rapid7 find unsafe services, and they're "well understood by practitioners."
However, gaps in security programs — lack of personnel, expertise or resources — amplify the risk of an unsafe service going undetected. "Organizations still have shadow IT and forgotten IT problems ... leaving systems ungoverned by the cybersecurity program," said White.