This fall, Censys launched its inaugural State of the Internet Report: an in-depth, first-of-its-kind research effort that leveraged Censys’s Internet-wide scanning data to compile a comprehensive view of the Internet.
The report examines the Internet through several lenses, including: 1.) a global perspective of the Internet as a whole 2.) the Internet’s response to major vulnerabilities 3.) the attack surfaces of organizations.
We pursued this effort for a couple of reasons. We’re researchers at heart here at Censys, and we wanted to use our research to start a conversation that would engage others. Additionally (and importantly) we wanted to provide further insight into attack surfaces, which refers to the sprawl of organizations’ public-facing assets on the Internet. Without meaningful visibility into the attack surface, protecting digital systems can become a guessing game for organizations.
Let’s review some of the report’s key findings.
The Internet as a whole
Censys researchers first took a look at popular services, the standard and non-standard ports where they run, and the autonomous systems on which they’re hosted. Some of our notable observations included:
- Of the most common SSH ciphers observed, while 75% run on their assigned port, 25% do not.
- The majority of FTP ciphers are running on their assigned port (84%) but many others run on 40029, including a fair amount from Alibaba — which might point to regional differences in configuration practices.
- Despite what many may assume, Amazon only makes up 6% of hosts on the Internet.
- The majority of the Internet’s hosts and services don’t run on a cloud provider. This means that Internet exposure isn’t just a cloud problem.
An important takeaway from the team’s findings: security through obscurity (such as by running services on non-standard ports) isn’t a valid strategy for protecting your assets. It won’t keep threat hunters from finding them.
Emily Austin, Censys research scientist and one of the report’s primary authors, talks more about the findings in the following webinar excerpts.
The attack surface of the Internet
The team next looked at the attack surface of the Internet by running a random sample of 2 million hosts through the risk engine that powers our Attack Surface Management Platform.
In doing so, we found that misconfigurations were more widely-occurring than vulnerabilities, even though vulnerabilities often receive more of the attention in the news. Misconfigurations–including unencrypted services, weak or missing security controls (Content Security Policy (CSP), etc.), and self-signed certificates–make up roughly 60% of the risks observed across the Internet. Exposures of services, devices, and information represent 28% of observed risks in our data, and vulnerabilities represent 12% of risks observed in 2022.
The Internet’s response to major vulnerabilities
When major vulnerabilities are disclosed, we see varying mitigation strategies–often including no mitigation at all (i.e., vulnerable services still exposed to the Internet). Our research observed three distinct types of behavior in response to vulnerability disclosures: near-immediate upgrading, upgrading only after the vulnerability is being actively and widely exploited, and near-immediate response in the form of upgrading or taking the vulnerable instance offline entirely.
The attack surface of organizations
Lastly, using the Censys Attack Surface Management Platform, we generated attack surfaces for 37 randomly-selected large organizations. When examining the attack surfaces of these organizations, we discovered that they have, on average, 44 different domain registrars and presence in 17 different hosting providers, including cloud, datacenter, and on-premises equipment. That’s a lot of spread. While multi-provider strategies are certainly common among organizations, they can be a challenge for security and IT teams who may only have awareness or visibility into a portion of these providers. In other words, it’s difficult to secure assets if you don’t know you own them.
To learn more about our findings, check out our full 2022 State of the Internet Report or watch our on-demand webinar series.
Download the Report
Watch the Webinar