Organisations rely on legacy security protocol dating back to 1999

A new study conducted by Tenable has illuminated for the first time ever the immense challenge organisations face identifying and protecting their internet-facing assets.

An inventory of the external attack surface of 22 of the UK’s largest organisations [as listed by the FTSE top 50] was examined on Friday, October 29, 2022. The results show how complex, geographically dispersed, and hybrid these environments have become, and illustrate the sheer scale of the cybersecurity architecture that needs to be secured.

Of the companies examined, most have a sprawling expanse of internet-facing assets, with an average of 76,600 to identify and protect. One organisation alone has over 500,000 such assets. One striking observation is that 100% of organisations had web-based assets that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks], which was disabled by Microsoft in September [2022]. Over half (12 companies) had instances of SSL 2.0, the predecessor to TLS. Beyond the risk of adversaries eavesdropping on sensitive internet traffic, this is just one example demonstrating how challenging it has become for organisations with large internet footprints to identify and update outdated technology.

“The infrastructure that underpins organisations today is only vaguely recognisable from three years ago, especially pre-COVID. Internet-facing assets are not just commonplace, but essential for organisations in the modern business world,” said Jeremiah Grossman, Security Strategist, Tenable. “The flipside of this is that any one of these assets is a potential entry point for an adversary into the organisation. Threat actors are probing these openings, looking for any single one that is left insecure, so they climb through. As defenders, security professionals need to know what assets they’re protecting in order to secure themselves.”

www.tenable.com