Industry-First Research From Tenable Calculates External Attack Surface of U.K.'s Largest Organisations
November 24, 2022
Study finds 100% of organisations still rely on a legacy security protocol dating back to 1999
A new study conducted by Tenable®, Inc., the Exposure Management company, has illuminated for the first time the immense challenge organisations face in identifying and protecting their internet-facing assets. An inventory of the external attack surface of 22 of the U.K.'s largest organisations[1] [as listed by the FTSE top 50] was examined on Friday, October 29, 2022. The results show how complex, geographically dispersed, and hybrid these environments have become, and illustrate the sheer scale of the cybersecurity architecture that needs to be secured.
The study revealed that, of the companies examined, most have a sprawling expanse of internet-facing assets[2], with an average of 76,600 to identify and protect. One organisation alone has over 500,000 such assets. One striking observation is that 100% of organisations had web-based assets that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks], which was disabled by Microsoft in September. Over half (12 companies) had instances of SSL 2.0, the predecessor to TLS. Beyond the risk of adversaries eavesdropping on sensitive internet traffic, this is just one example of how challenging it has become for organisations with large internet footprints to identify and update outdated technology.
- Total Internet-facing Assets: Average 76,600 / Median 50,024
- Assets Supporting TLS 1.0: Average 3,892 / Median 1,259
- Assets Supporting TLS 1.1: Average 3,965 / Median 1,321
- Assets Supporting SSLv2: Average 2 / Median 55
- Assets Supporting SSLv3: Average 0 / Median 25
- Number of Countries: Average 51 / Median 45
- Assets Hosted in the Cloud (Amazon, Microsoft, Google): Average 23% / Median 20%
- Cloud-Asset Market Share by Vendor: Amazon (Average 80% / Median 82%), Microsoft (Average 10% / Median 6%), Google (Average 10% / Median 9%)
- Assets Located in or Delivered through the U.K.: Average 11% / Median 5%
- Assets Located in or Delivered through the U.S.: Average 61% / Median 64%
The vast array of internet-facing assets is supported by a complex cloud infrastructure built upon public services, further complicating each organisation's attack surface[2] and making it more difficult to identify, monitor and protect. Amongst the multinational organisations studied, Tenable found that an average of 23% of their infrastructure is public cloud[3] based. Of that 23%, Amazon Web Services claims the lion's share, accounting for an average of 80% of assets hosted in the cloud, with Microsoft and Google sharing the remainder. This leaves organisations reliant on a third party to apply the same stringent controls to protect their data and systems.
Looking at the geographical dispersal of these organisations, the study identified that, on average, their assets are located in or delivered from 51 different countries. In fact, only 11% of assets are located in or delivered through the UK, with 61% through the US. This has implications from a data protection perspective. GDPR, for example, governs any data on EU citizens, even if it travels outside the European Union.
"The infrastructure that underpins organisations today is only vaguely recognisable from three years ago, especially pre-COVID. Internet-facing assets are not just commonplace, but essential for organisations in the modern business world," said Jeremiah Grossman, Security Strategist, Tenable. "The flipside of this is that any one of these assets is a potential entry point for an adversary into the organisation. Threat actors are probing these openings, looking for any single one that is left insecure so they can climb through. As defenders, security professionals need to know what assets they're protecting in order to secure themselves."
For further information visit www.tenable.com.
Tenable® is the Exposure Management company. Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000, and large government agencies. Learn more at tenable.com.
Notes to Editors:
- Tenable examined 22 companies, chosen at random from the FTSE Top 50*
- In the context of this alert:
  - An asset is a domain name, subdomain, or IP address, and/or a combination thereof, of a device connected to the Internet or an internal network. An asset may include, but is not limited to, web servers, name servers, IoT devices, network printers, etc. Example: foo.tld, bar.foo.tld, x.x.x.x.
  - The attack surface is, from the network perspective of an adversary, the complete asset inventory of an organisation, including all actively listening services (open ports) on each asset.