
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Internet Exposure Reduction Guidance to help organizations address overlooked risks. CISA warns that misconfigured systems, default credentials, and outdated software are often publicly accessible via internet search and discovery tools, leaving critical vulnerabilities exposed and easily exploited by attackers. The document provides resources and recommendations to help organizations identify and mitigate these exposures.
By following CISA’s Internet Exposure Reduction Guidance, organizations can proactively identify and remove these exposures, reducing their online footprint and strengthening their cybersecurity posture.
Recognizing that the range and number of internet-accessible assets, including industrial internet of things (IIoT), supervisory control and data acquisition systems (SCADA), industrial control systems (ICS), and remote access technologies, continue to grow, CISA highlighted that when left unsecured, these assets increase operational and security risks.
The Internet Exposure Reduction Guidance outlines four key steps organizations can follow to reduce their online exposure.
First, conduct an assessment of current exposure, including identifying which assets are accessible through the internet. Scanning tools and services such as CISA’s Cyber Hygiene Vulnerability Scanning and other web-based platforms can be used to map the organization’s internet-facing footprint.
Next, evaluate the necessity of that exposure. It is important to determine which systems must remain internet-accessible for operational purposes. For those that do not require external access, measures should be taken to remove or restrict connectivity. Any changes should be reviewed in the context of system interdependencies to avoid unintended disruptions to essential services.
For assets that must stay internet-facing, risk mitigation becomes critical. This includes replacing default passwords with stronger credentials, applying the latest security patches, securing remote access with virtual private networks, and enabling multifactor authentication. Additional considerations for evaluating and mitigating exposed services are detailed in the guidance.
Lastly, establish a routine for ongoing assessments. Regular reviews of internet-facing assets help maintain a strong security posture and ensure timely detection of new exposures as the IT environment evolves.
CISA has outlined several web-based tools that can assist organizations in identifying internet-exposed assets. These tools are designed to improve visibility into connected devices and reduce the overall attack surface. The agency lists these platforms for informational purposes only; their mention does not imply endorsement by the U.S. government.
Specialized search platforms such as Thingful, Censys.io, and Shodan help detect and manage internet-connected devices, including IoT, IIoT, and industrial control systems. These platforms support threat detection efforts by integrating with vulnerability management tools, logging aggregators, and network scanning systems. Each one offers distinct features for assessing and indexing IP addresses, analyzing TLS certificates, and monitoring domain activity, giving security teams a clearer picture of their organization’s internet-facing assets.
Shodan scans the internet to detect connected devices and collects information from their banners. It includes features to apply advanced search filters, identify devices with default credentials, and locate known vulnerabilities.
Censys.io discovers internet-connected assets across various categories, including industrial systems. It offers multiple ways to consume its data, including a web UI, API access, raw data exports, and Google BigQuery integration. Its design allows for easy integration into broader cybersecurity workflows.
Thingful focuses on categorizing global IoT data and delivers insights relevant to sectors like energy, telecommunications, and weather. Its API enables the use of real-time IoT data in operational systems such as GIS platforms, supply chain tools, and manufacturing environments.
When assessing identified exposures, organizations must evaluate several key factors. First, they need to determine whether the exposed system or service is essential for operations. If it is not critical, exposure should be limited or eliminated. Second, they should assess the business justification for the exposure by identifying the specific operational need that requires internet accessibility.
Third, the organization must consider whether access to the exposed system can be restricted through more secure methods, such as the use of virtual private networks or implementing multifactor authentication. Finally, the maintenance status of the system must be reviewed to ensure it is up to date with the latest security patches, reducing the risk of exploitation through known vulnerabilities.
By systematically evaluating these factors, organizations can effectively reduce their internet exposure and enhance their cybersecurity posture.
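The following Python script is an added example, not code from CISA or from the guidance itself. It turns the four steps (discover, evaluate necessity, mitigate, reassess) and the four evaluation factors above into a repeatable triage: it diffs a constructed discovery-scan result against a saved baseline to surface new exposures, then applies the factors in order to each exposed service and returns recommended actions. The inventory fields (essential, justification, behind_vpn_or_mfa, default_credentials, patched) are assumed to come from the organization's own asset records.

```python
"""Internet exposure triage (added example; constructed data, not a real scan)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    essential: bool          # needed for operations at all?
    justification: str       # documented business reason for internet access ("" = none)
    behind_vpn_or_mfa: bool  # access already restricted to VPN and/or MFA?
    default_credentials: bool
    patched: bool            # latest vendor security patches applied?


# Constructed sample data: the (host, port) set recorded at the last review,
# and what the current discovery scan reports as internet-facing.
BASELINE = {("10.0.0.5", 443), ("10.0.0.7", 22)}
CURRENT_SCAN = [
    Exposure("10.0.0.5", 443, "https", True, "customer portal", True, False, True),
    Exposure("10.0.0.7", 22, "ssh", True, "vendor support", False, False, False),
    Exposure("10.0.0.9", 502, "modbus", False, "", False, True, False),
]


def new_exposures(baseline, scan):
    """Step 4 (ongoing assessment): anything exposed now that the baseline lacks."""
    return [e for e in scan if (e.host, e.port) not in baseline]


def triage(e):
    """Apply the guidance's factors in order. Non-essential or unjustified
    exposure is removed outright; otherwise collect every mitigation still owed."""
    if not e.essential:
        return ["remove: not essential for operations"]
    if not e.justification:
        return ["remove: no documented business justification"]
    actions = []
    if not e.behind_vpn_or_mfa:
        actions.append("restrict: require VPN and/or MFA")
    if e.default_credentials:
        actions.append("mitigate: replace default credentials")
    if not e.patched:
        actions.append("mitigate: apply latest security patches")
    return actions or ["accept: essential, justified, restricted, patched"]


def report(baseline, scan):
    """Per-service summary keyed by host:port, flagging new exposures."""
    new = {(e.host, e.port) for e in new_exposures(baseline, scan)}
    return {f"{e.host}:{e.port}": {"new": (e.host, e.port) in new,
                                   "actions": triage(e)} for e in scan}


if __name__ == "__main__":
    for key, entry in report(BASELINE, CURRENT_SCAN).items():
        print(key, "NEW" if entry["new"] else "   ", "; ".join(entry["actions"]))
```

Rerunning the report after each review and persisting the new (host, port) set as the next baseline gives the routine reassessment the guidance calls for.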

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.