Tenable®, Inc. has conducted research exposing critical cyber hygiene issues within India’s largest organizations. The research sheds light on the geographic distribution of assets and unveils alarming problems related to outdated software, weak encryption practices, and misconfigurations.
On June 28, 2023, an examination of the external attack surface of 25 of India’s organizations with the largest market caps [as listed on Companies Market Cap] was conducted. The findings revealed that the average organization possesses over 12,000 internet-facing assets which are susceptible to potential exploitation, resulting in a total of more than 300,000 assets across the study group. These findings illustrate the immense scale of the cybersecurity architecture that organizations must secure to protect sensitive data and critical systems.
Looking at the geographical distribution of these assets, the research findings highlight that over 50% of internet-facing assets are located in the United States. Meanwhile, 7% of these assets can be found in India, with an additional 3% dispersed across Finland, the Netherlands, and the British Virgin Islands. This distribution has significant implications from a data protection standpoint, particularly considering the Indian government’s increased emphasis on local data privacy regulations.
“Indian organizations are rapidly embracing cloud migration and emerging technologies, which, in turn, leads to a rise in cyber risk due to the growing number of internet-facing assets. This poses a significant threat to organizations, regardless of their criticality,” explained Kartik Shahani, Country Manager at Tenable India. “In India, we face a dual challenge of limited visibility into the unknown unknowns and poor cyber hygiene. It’s crucial for organizations to understand that cybercriminals do not wait around. They are constantly monitoring attack surface maps to identify the most vulnerable points of entry. Indian organizations must prioritize achieving visibility and protecting their internet-facing assets to effectively mitigate cyber risk.”
Weak SSL/TLS encryption
One striking observation is that out of the total number of assets for all companies tracked, organizations had nearly 80,000 assets that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks] that was disabled by Microsoft in September [2022]. This is just one example demonstrating how challenging it’s become for organizations with large internet footprints to identify and update outdated technology.
Outdated version of Log4J still present
The examination revealed that out of the total assets for all companies tracked, nearly 40,000 are still susceptible to the Log4J vulnerability. This alarming finding highlights a significant concern, as known vulnerabilities like Log4J are the primary cause of a majority of cyberattacks. By relying on outdated versions of Log4J, organizations are leaving themselves exposed to potential cybersecurity breaches.
Misconfiguration increases external exposure
Another concerning finding was that over 8,000 assets out of the total, initially intended for internal use, have been inadvertently exposed and are now accessible externally. Not hardening these internal assets presents a substantial risk to organizations, as it effectively opens the door for malicious actors to target sensitive information and critical systems.
API vulnerabilities amplify risk
Furthermore, the identification of more than 4,000 APIs out of the total number of assets among organizations’ digital infrastructure poses a substantial risk to their security and operational integrity. APIs serve as crucial connectors between software applications, facilitating seamless data exchange. However, inadequate authentication, insufficient input validation, weak access controls and vulnerabilities in dependencies within API v3 implementations create a vulnerable attack surface. Such weaknesses can be exploited by malicious actors to gain unauthorized access, compromise data integrity, and launch devastating cyber attacks.
“An alarming reality is that only a handful of organizations possess a comprehensive understanding of their complete digital footprint. One of the most prevalent and perilous security oversights is the inadvertent misconfiguration of cloud and other public-facing resources, making them vulnerable to any attacker on the Internet,” highlighted Nathan Wenzler, chief cybersecurity strategist at Tenable.
“These ‘unknown unknowns’ make it crucial for every business or government entity to have the ability to discover and remediate previously unknown attack vectors and other points of vulnerability. By proactively preventing attacks rather than merely managing them after they take place, organizations can effectively safeguard their digital infrastructure.”