runZero Research Explores Unexpected Exposures in Enterprise Infrastructure

IT and OT are converging, increasing the attack surface of organizations and requiring new techniques to discover and manage assets. OT systems are high-value targets for attackers and are consistently exposed to untrusted networks. Over 7% of the ICS assets sampled are exposed to ‌the public internet. These assets include programmable logic controllers, power meters, and protocol gateways, all of which play an important role in critical infrastructure.

Outlier devices are often the most at-risk. The runZero outlier score, defined as how unique an asset is within the context of its neighbors, strongly correlates with the risk ranking reported by leading vulnerability scanners. This correlation works both ways, with low outlier scores consistently mapping to lower overall risk. Defenders can leverage outlier analysis to quickly identify the most vulnerable systems within their environments.

Security teams often have limited to no visibility into more than half of the physical devices on their networks. Network “dark matter”— devices that are often unmanaged by IT and rarely updated  — comprises 19% of enterprise networks, while a further 45% of these devices offer limited management capabilities. 

End-of-life hardware and operating systems continue to drag down security postures. Although Windows 2012 R2 and Ubuntu 14.04 are the most common EoL operating systems observed, obsolete versions of VMware ESXi and out-of-support network devices are serious concerns.

Printers and network-attached storage devices often allow traffic forwarding between networks, breaking network segmentation controls. runZero identified unexpected IP-forwarding behavior across dozens of device types, ranging from smart TVs to robotic vacuum cleaners. 

Zero-day attacks at the network edge have surged and suppliers are struggling to provide timely patches. In the first four months of 2024, runZero published 23 Rapid Responses

covering 60+ distinct vulnerabilities.

92% of systems running the Secure Shell (SSH) service allow password-based authentication, exposing these systems to brute force and credential stuffing attacks. In addition to insecure authentication methods, thousands of systems rely on hardcoded cryptographic keys that are shared between unrelated environments, negating many of the security benefits of the protocol.

Nearly 16% of all Transport Layer Security (TLS) implementations rely on an end-of-life version of OpenSSL, placing these systems at risk of future compromise. This finding was uncovered through runZero’s unique fingerprinting method that reliably identifies services by behavior, not configuration, to determine versioning.

Remote Desktop Protocol (RDP) security has improved on Windows with the introduction of Network Layer Authentication (NLA) support, but this has not carried over to Linux-based RDP implementations like xrdp, and many Windows systems have kept older, more vulnerable configurations.

Server Message Block (SMB) v1 is still enabled on 13% of Windows systems. Although SMBv1 is disabled by default on newer versions of Windows, there are still millions of legacy systems using this outdated protocol.