Exposed assets, in particular, assets exposed without proper configuration and management, are a huge issue, said Johannes Ullrich, dean of research at the SANS Institute.
Guidance ‘covers the basics’
“The data we collect at the Internet Storm Center shows that assets are scanned and discovered within minutes of being exposed,” he said in an email. “The top targets are exposed telnet and SSH servers with weak passwords, web-based admin consoles for various devices (cameras, firewalls, network storage devices), and remote access tools like [Windows] RDP.” This has become an even larger problem with so many applications being deployed in the cloud, he added, which does make it much more difficult to restrict access to them.
“The CISA guidance is making good points and covers the basics,” he said, “but the tricky part is to scale these efforts. Public search engines like Shodan and Censys are helpful [to infosec pros], but they should not replace regular scans from an external IP address.”