Assessing the Risk of Poorly Configured, Internet-Exposed Protocols

August 05, 2022 - In the Cybersecurity and Infrastructure Security Agency’s (CISA) “Shields Up” notice following Russia’s invasion of Ukraine, the agency recommended that organizations go back to basics by establishling secure passwords, patching vulnerabilities, and properly securing internet-exposed protocols to avoid exposing data.

In its latest report, inspired by CISA’s notice, cybersecurity company ExtraHop narrowed in on internet-exposed protocols and explored the risks of unsecured ports and protocols, providing tips for mitigating risk along the way.

ExtraHop conducted a survey of thousands of organizations across multiple sectors, including healthcare, and analyzed specific protocols (including older, unsupported versions) that were found active on networks. Researchers used the findings to benchmark cyber risk and readiness for a variety of industries.

It is important to note that internet-exposed protocols are not inherently bad, and some are public by design. ExtraHop noted that a small number of exposed devices and protocols are typically needed in order to maintain business functionality. However, poor configuration can open organizations up to security risks.

“Protocols are the communication mechanism of the internet, allowing different devices and services to talk to each other across networks,” the report explained.

READ MORE: Geisinger, Kaiser Permanente, 35 Others Impacted By Third-Party Vendor Data Breach

“Protocols are also a critical part of network security. Used properly, they can protect data and commands as they traverse a network. Used improperly, they can unintentionally expose data and systems to attackers, in some cases offering an opening for cybercriminals to insert their own malicious data and commands.”

Many protocols were developed long before ransomware and other cyberattack types were prominent.

“As a result, these protocols fail to provide the security controls baked into more modern protocols. Yet many of these old protocols remain in use, in some cases providing services that IT teams and end users consider essential or supporting legacy systems that the organization has yet to phase out,” the report noted.

If the devices using these protocols are configured correctly, they are not inherently risky. But too often, ports are left unsecured, and vulnerabilities are left unpatched, leading to security risks. The report described unsecured ports and protocols as the “doors and hallways” that attackers may use to explore vulnerable points in a target’s network. Knowing which protocols are running within your organization’s network is crucial to maintaining security.

Common Protocols and Their Risks

Protocols come in many different forms. There are file server protocols, directory protocols, database protocols, and remote control protocols, to name a few.

READ MORE: Undefined Roles, Responsibilities For Medical Device Security Heighten Risks

HTTP and HTTPs, FTP and sFTP, and SMTP and POP3 are common protocols that are exposed by design and enable communications across the internet, from web traffic to file transfers and email. 

“But even protocols designed to be exposed provide points of ingress for cyberattack. Take, for example, the exploitation of the Log4j vulnerability known as Log4Shell,” the report noted.

“In the hours following the disclosure of the vulnerability, many organizations saw a flood of intrusion attempts on port 80, commonly associated with HTTP. Within 48 hours, attackers began encrypting that traffic, attempting to exploit the vulnerability over port 443 (HTTPS) to better obscure their activity from security analysts.”

Other protocols include the domain name system (DNS) protocol, which maps IP addresses to human-readable domain names and can be manipulated by hackers for malicious purposes, and remote desktop protocol (RDP), which allows remote access to Microsoft servers.

The report detailed 12 common protocols and their risks. For example, researchers found the SMB protocol (a file server protocol) exposed to the public internet on 64 of 10,000 devices. The report recommended requiring SMB protocols to use encryption to bolster security.

READ MORE: Addressing Mobile Device Security Risks in Healthcare

In the case of Kerberos, a director protocol, researchers recommended that organizations ensure their Kerberos software is up-to-date and that administrator access is limited.

In the case of RDP, researchers recommended that organizations enforce group policies to limit RDP server access and configure RDP servers to require two-factor authentication and strong passwords to prevent brute force attacks.

“Each organization needs to assess the balance of risk versus reward, or how much cybersecurity exposure they can tolerate to allow for smooth business operation,” the report stressed.

Healthcare-Specific Data

ExtraHop analyzed the following protocols in healthcare, providing the percentage of organizations with internet-exposed protocols and the average number of public internet-exposed devices per 10,000:

• SMB – 51%, 7 Devices
• FTP – 51%, 0.4 Devices
• LDAP – 49%, 2 Devices
• Kerberos –28%, 0.4 Devices
• TDS – 44%, 0.4 Devices
• TNS – 16%, 0.1 Devices
• MySQL – 19%, 0.1 Devices
• SSH – 79%, 5 Devices
• ICA – 16%, 15 Devices
• RDP – 53%, 1 Device
• Telnet – 32%, 0.4 Devices

“Across the protocols evaluated, the total number of devices exposing these sensitive protocols to the internet was generally low,” the report explained.

“The real issue is about whether the exposed device is (1) necessary for the business and (2) properly secured. Unfortunately, the devices that are exposed tend to be servers and other core or critical resources. Cybercriminals often use these vulnerable devices as an entry point before pivoting throughout the network.”

Researchers recommended that each organization assess its use of network protocols, especially those exposed to the internet.

Additionally, organizations should maintain an inventory of software and hardware, stay up to date on vulnerability and patch management, invest in network analysis and threat detection tools, and use firewalls to protect exposed IT resources.