Organizations should fear misconfigurations more than vulnerabilities
Censys launched its State of the Internet Report, a holistic view into internet risks and organizations’ exposure to them.
Through careful examination of which ports, services, and software are most prevalent on the internet and the systems and regions where they run, the research team discovered that misconfigurations and exposures represent 88% of the risks and vulnerabilities across the internet.
- Misconfigurations – including unencrypted services, weak or missing security controls and self-signed certificates – make up roughly 60% of observed risks. When analyzing the risk profile of organizations across industries, missing common security headers accounted for the primary security error.
- Exposures of services, devices, and information represent 28% of observed risks. This includes everything from accidental database to device exposures.
- Critical vulnerabilities and advanced exploits only represent 12% of observed risks. When analyzing organizations by industry, the Computer and Information Technology industry had the widest spread of different risks, while Freight Shipment and Postal Services had the second widest.
Researchers also conducted a holistic assessment of the internet’s response to three major vulnerabilities – Log4j, GitLab and Confluence – to understand mitigation strategies based on how a vulnerability is perceived. From this analysis, Censys learned how the internet responds differently to vulnerability disclosures.
Three distinct types of behavior in response to vulnerability disclosures
- Near-immediate upgrading: Systems vulnerable to Log4j acted quickly based on the widespread coverage of the vulnerability. By March 2022, Censys observed only 36% of potential vulnerable services were left unpatched.
- Upgrading only after the vulnerability is being actively and widely exploited: While the GitLab vulnerability was being exploited, the remediation process acted slower than others until researchers discovered a botnet composed of thousands of compromised GitLab servers participating in DDoS campaigns.
- Near-immediate response by taking the vulnerable instance off the internet entirely: Rather than upgrading, users chose to remove assets entirely from the internet after Confluence’s vulnerability became public between June 2021 and March 2022.
The internet constantly evolves as new technologies emerge, vulnerabilities are discovered, and organizations expand their operations that interact with the internet. Security teams have the responsibility to protect their organizations’ digital assets and need proper visibility into the entire landscape to do so.
Although vulnerabilities often garner the bigger headlines, it’s undetected misconfigurations and exposures that create the most risk for an organization, making it important to regularly assess any new hosts or services that appear in your infrastructure. Regardless of vulnerability type, providing organizations with the visibility and tools needed to strengthen their security posture introduces a proactive, more vigilant approach to digital risk management.