Proprietary Research from Tenable Calculates External Attack Surface of Japan’s Largest Organizations

New research conducted by Tenable®, Inc., the Exposure Management company, has unveiled a number of cyber hygiene issues such as outdated software, weak encryption and misconfigurations present within the largest Japanese organizations.

On June 28, 2023, an examination of the external attack surface of 25 of Japan's organizations with the largest market caps [as listed on Companies Market Cap] was conducted. The findings revealed that the average organization possesses over 4,800 internet-facing assets which are susceptible to potential exploitation, resulting in a total of more than 120,000 assets across the study group. These findings illustrate the immense scale of the cybersecurity architecture that organizations must secure to protect sensitive data and critical systems.

"Amidst the ongoing push for cloud migration in Japan, we are witnessing a steady rise in the number of internet-facing assets across industries and organizations of all sizes," said Naoya Kishima, country manager for Tenable Japan. "Every single internet-facing asset, regardless of its criticality, serves as a potential entry point for exploitation within an organization. Attackers diligently monitor the attack surface maps of their targeted organizations, specifically searching for vulnerabilities in assets that organizations may not even be aware of."

Weak SSL/TLS encryption 
One striking observation is that out of the total number of assets for all companies tracked, organizations had over 7,000 assets that still support TLS 1.0 [a security protocol first defined in 1999 for establishing encrypted channels over computer networks] that was disabled by Microsoft in September [2022]. This is just one example demonstrating how challenging it’s become for organizations with large internet footprints to identify and update outdated technology.

Outdated version of Log4J still present
The examination revealed that out of the total assets for all companies tracked, over 4,000 are still susceptible to the Log4J vulnerability. This alarming finding highlights a significant concern, as known vulnerabilities like Log4J are the primary cause of a majority of cyberattacks. By relying on outdated versions of Log4J, organizations are leaving themselves exposed to potential cybersecurity breaches. 

Misconfiguration increases external exposure
Another concerning finding was that over 12,000 assets out of the total, initially intended for internal use, have been inadvertently exposed and are now accessible externally. Not hardening these internal assets presents a substantial risk to organizations, as it effectively opens the door for malicious actors to target sensitive information and critical systems. 

API vulnerabilities amplify risk
Furthermore, the identification of more than 6,000 APIs out of the total number of assets among organizations' digital infrastructure poses a substantial risk to their security and operational integrity. APIs serve as crucial connectors between software applications, facilitating seamless data exchange. However, inadequate authentication, insufficient input validation, weak access controls and vulnerabilities in dependencies within API implementations create a vulnerable attack surface. Such weaknesses can be exploited by malicious actors to gain unauthorized access, compromise data integrity, and launch devastating cyber attacks. 

"An alarming reality is that only a handful of organizations possess a comprehensive understanding of their complete digital footprint. One of the most prevalent and perilous security oversights is the inadvertent misconfiguration of cloud and other public-facing resources, making them vulnerable to any attacker on the Internet," highlighted Nathan Wenzler, chief cybersecurity strategist at Tenable. "These ‘unknown unknowns’ make it crucial for every business or government entity to have the ability to discover and remediate previously unknown attack vectors and other points of vulnerability. By proactively preventing attacks rather than merely managing them after they take place, organizations can effectively safeguard their digital infrastructure."

About Tenable
Tenable® is the Exposure Management company. Aproximadamente 43 mil organizações no mundo todo contam com a Tenable para entender e reduzir o risco cibernético.Como criadora do Nessus®, a Tenable ampliou sua experiência em vulnerabilidades para oferecer a primeira plataforma do mundo para verificar e proteger qualquer ativo digital em qualquer plataforma de computação. Entre os clientes da Tenable, estão 60% das empresas Fortune 500, 40% das empresas Global 2000 e órgãos governamentais de grande porte. Learn more at tenable.com.

Notes to Editors:

1. Tenable examined the top 25 companies,  listed on https://companiesmarketcap.com/japan/largest-companies-in-japan-by-market-cap/
    
2. In the context of this alert:

• An asset is a domain name, subdomain, or IP addresses and/or combination thereof of a device connected to the Internet or internal network. An asset may include, but not limited to web servers, name servers, IoT devices, network printers, etc. Example: foo.tld, bar.foo.tld, x.x.x.xs.
• The Attack Surface is from the network perspective of an adversary, the complete asset inventory of an organization including all actively listening services (open ports) on each asset.
   

Media contact:
Tenable PR
[email protected]