It’s Shark Week, which means the unofficial peak of summer is upon us. Here at Censys, Shark Week also brings to mind the biggest predator in our own proverbial waters: hackers. Like sharks, hackers are bold, swift, and cunning. And when they strike, they are capable of serious damage. As with sharks off the coast of the Atlantic, hackers, too, have made a splash in the headlines this summer, reminding us that when it comes to predators, both sea and cyber, staying vigilant is a must.
Sometimes, however, organizations focus more on preventing sophisticated, yet less likely, headline-grabbing attacks, and overlook the basic security gaps that hackers are more likely to exploit. Censys research sheds light on this point, finding that CVEs and advanced exploits, which often generate the most attention, make up only 12% of observed vulnerabilities. Misconfigurations and exposures, on the other hand, make up 88% of observed vulnerabilities.
The upside is that misconfigurations and exposures are largely within a security team’s control to manage, and they can be addressed in part by routine cybersecurity hygiene. To help prevent an “attack” this Shark Week and beyond, let’s revisit three cyber hygiene best practices.
1. Bring Shadow IT to the Surface
Using personal devices for work, forgetting to decommission developer sandboxes, independently spinning up third-party productivity apps … these are the kinds of Shadow IT activities that delight hackers and stress out security teams. And they’re exceedingly common in today’s workplace. More than 80% of workers surveyed have admitted to using SaaS applications that weren’t approved by IT. Because Shadow IT is unauthorized and unmonitored, it can be rife with misconfigurations and exposures. This of course challenges security teams, who can’t fix what they don’t know about. That’s why basic security hygiene requires gaining full visibility into all of the assets that an attacker could breach, including those lurking in the shadows, unknown to IT. To gain this needed visibility, modern security organizations are leveraging exposure management. Exposure management solutions provide automated, continuous asset discovery and monitoring across the entirety of an attack surface, bringing Shadow IT to light and enabling security teams to jump on any misconfigurations and exposures these assets may harbor.
2. Be a Zero Trust “Chomp”-ian
Zero trust is a security framework that eliminates implied authorization to a network. Instead, validation is required each time access is requested. This includes those within the organization who need daily access to certain systems to perform their jobs. An example might be requiring your sales team to complete two-factor authentication when they want to log in to your company’s instance of Salesforce. By requiring this level of validation, organizations can better manage their risk of exposure. And if a bad actor does find their way into one part of your network, a zero trust framework makes it difficult for them to go any further. Commitment to zero trust also helps keep other best practices, like eliminating default passwords, front of mind for security teams and employees. Though many companies already adhere to a zero trust framework, it’s worth revisiting regularly to determine if any newly adopted solutions are operating outside of the framework. You can read more about the origins of the zero trust framework here.
3. Get All Employees Aboard
The misconfigurations and exposures that leave companies vulnerable are often the result of human error (see Shadow IT above). Security teams may be in charge of preventing breaches, but to minimize their likelihood, teams rely on the entire organization to follow good cybersecurity best practices. Meaningful employee training should therefore be a pillar of any cybersecurity strategy. If it’s been a minute since your team has updated its approach to employee training, now is as good a time as any to revisit. Consider how to make training and awareness an ongoing effort (as in, more than a brief presentation during employee onboarding). Maybe your version of continuous training takes the form of a dedicated cybersecurity Slack channel or monthly IT newsletter that shares tips and reminders, in addition to an annual training session that all employees, no matter how long they’ve been at the company, partake in. Or maybe you pursue your own form of penetration testing to see how many employees are actually retaining what’s being taught. Whatever the approach, employee training should be prioritized as a critical piece of good security hygiene.
For our most recent research on misconfigurations and other vulnerabilities, check out our 2023 State of the Internet Report.