Internet Exposure Reduction Guidance

Many organizations unknowingly leave common vulnerabilities and weaknesses exposed to the internet, making them easy targets for exploitation. Misconfigured systems, default credentials, and outdated software are often publicly accessible through internet-based search and discovery platforms. By following CISA’s Internet Exposure Reduction Guidance, organizations can proactively identify and remove these exposures, reducing their online footprint and strengthening their cybersecurity posture.

The range and number of internet-accessible assets—including industrial internet of things (IIoT), supervisory control and data acquisition systems (SCADA), industrial control systems (ICS), and remote access technologies—continues to grow. When left unsecured, these assets increase operational and security risks. CISA’s Internet Exposure Reduction guidance provides resources and recommendations to help organizations identify and mitigate these exposures.

Steps to Reduce Internet Exposure

  1. Assess Your Current Exposure. Begin by identifying which of your assets are accessible via the internet. Utilize tools and services (e.g., CISA’s Cyber Hygiene Vulnerability Scanning service as well as the Web-Based Tools for Identifying Internet-Exposed Assets below) that can scan for publicly exposed systems to gain visibility into your organization's online footprint.
  2. Evaluate Your Necessity of Exposure. Determine which assets need to be internet-accessible for operational purposes. For those that do not need to be internet accessible, implement measures to remove or restrict access. Review interdependencies to ensure that changes do not inadvertently disrupt essential services or operations.
  3. Mitigate Risks to Remaining Exposed Assets. Take the following steps to protect any assets that must remain internet-accessible:
    1. Change default passwords and enforce strong authentication mechanisms.
    2. Ensure systems are up to date with the latest security patches.
    3. Utilize Virtual Private Networks (VPNs) to secure remote access.
    4. Implement multifactor authentication (MFA) where possible.
    5. Review the considerations in Evaluating and Mitigating Exposed Services below.
  4. Establish Routine Assessments. Regularly review and monitor your internet-accessible assets. As your organization's IT environment evolves, continuous assessments help maintain a secure posture and quickly identify new exposures. 

Web-Based Tools for Identifying Internet-Exposed Assets 

Utilize Specialized Search Platforms: Thingful, Censys.io, and Shodan are web-based search platforms designed to identify and manage internet-connected devices, including IoT/IIoT and industrial control systems. These tools support attack surface reduction activities by providing visibility into various internet-exposed assets. They integrate with vulnerability tools, logging aggregators, and other scanning systems, which facilitates their incorporation into an organization's infrastructure. Each platform offers unique capabilities for assessing and indexing IP addresses, parsing TLS certificates, and tracking domains to provide a comprehensive view of an organization's internet attack surface. 

Note: The inclusion of these tools in this guidance does not imply endorsement by CISA or the U.S. government.

  • Shodan:
    • Scans the internet for connected devices and pulls back banners of internet-connected devices.
    • Allows users to apply search filters to narrow results and target potentially vulnerable devices.
    • Finds potential exploits and default passwords.
  • Censys.io:
    • Identifies internet-connected assets, including IoT/IIoT and industrial control systems.
    • Provides access to its data through a web UI, an API, raw data downloads, and Google BigQuery.
    • Provides extensibility into any cybersecurity ecosystem.
  • Thingful:
    • Provides information about categories of IoT data from around the world.
    • Mines data for verticals such as weather, energy, and telecommunications.
    • Offers an API for extensible use of real-time IoT data in applications like GIS, supply chain optimization, and manufacturing optimization.

Evaluating and Mitigating Exposed Services 

When assessing identified exposures, consider the following:

  • Necessity: Is the exposed system or service essential for operations?
  • Business Justification: What operational need requires this exposure?
  • Security Measures: Can you restrict access via VPNs or better secure it with multifactor authentication?
  • Maintenance: Is the system or service up to date with the latest security patches?

By systematically evaluating these factors, organizations can effectively reduce their internet exposure and enhance their cybersecurity posture. 
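As an added example (written for this page, not CISA's code and unrelated to the tools named above), the following Python script applies the four steps above and the evaluation questions in this section to a constructed scan export: each exposed service is checked against an asset register of justified exposures, against the previous assessment's baseline, and for VPN/MFA coverage and patch currency. All hosts, ports, dates and the 30-day patch threshold are assumptions for illustration.

```python
# Added example (not CISA's code): triage internet-exposed services found by a
# scan against an asset register, applying this guidance's questions: business
# justification, security measures (VPN/MFA), maintenance (patch currency), and
# change since the last assessment. All hosts, ports and dates are constructed.
from dataclasses import dataclass
from datetime import date

@dataclass
class Exposure:
    host: str
    port: int
    service: str
    last_patched: date        # when the system was last patched (constructed)
    behind_vpn: bool = False  # reachable only through VPN / IP allow-list?
    mfa: bool = False         # multifactor authentication enforced on login?

MAX_PATCH_AGE_DAYS = 30  # assumed patch-currency threshold, not from the page

def triage(exposures, register, baseline, today):
    """Return (host, port, action, reason) per finding. register maps approved
    (host, port) -> business justification; baseline = prior assessment's keys."""
    actions = []
    for e in exposures:
        key = (e.host, e.port)
        if key not in baseline:  # step 4: new exposure since the last review
            actions.append((*key, "investigate", "new since last assessment"))
        if key not in register:  # step 2: no documented operational need
            actions.append((*key, "remove or restrict", "no business justification"))
            continue
        if not (e.behind_vpn or e.mfa):  # step 3: VPN or MFA on remaining assets
            actions.append((*key, "harden", "no VPN restriction and no MFA"))
        if (today - e.last_patched).days > MAX_PATCH_AGE_DAYS:
            actions.append((*key, "patch", f"last patched {e.last_patched}"))
    return actions

# Constructed scan output (e.g. exported from a cyber hygiene scan), register
# and baseline used to demonstrate the triage.
SCAN = [
    Exposure("203.0.113.10", 443, "https", date(2024, 4, 20)),
    Exposure("203.0.113.20", 1194, "openvpn", date(2024, 5, 20), mfa=True),
    Exposure("203.0.113.30", 3389, "rdp", date(2024, 1, 15)),
]
REGISTER = {("203.0.113.10", 443): "public web portal",
            ("203.0.113.20", 1194): "staff remote-access VPN"}
BASELINE = {("203.0.113.10", 443), ("203.0.113.20", 1194)}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for host, port, action, reason in triage(SCAN, REGISTER, BASELINE, TODAY):
        print(f"{host}:{port:<5} {action:<20} {reason}")
```

Running it lists the web portal for hardening and patching, and the RDP host, which is new and has no justification on record, for removal or restriction.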

Resources 

CISA provides a range of resources and services to assist organizations in reducing their internet exposure:

  • Cyber Hygiene Services: Free vulnerability scanning to help identify and mitigate exposures.
  • Cybersecurity Advisors: Regional experts who can provide tailored guidance and assessments.
  • Stop Ransomware Guide: Comprehensive strategies to defend against ransomware threats.

For further assistance or to report incidents, contact CISA at Central@cisa.dhs.gov.