runZero Research Explores Unexpected Exposures in Enterprise Infrastructure

As exploitation reaches light speed, rapid, comprehensive discovery and Cyber Asset Attack Surface Management (CAASM) are more critical than ever

SAN FRANCISCO--()--At the RSA Conference today, runZero announced the inaugural edition of the runZero Research Report, the first in a series of publications that explore the state of asset security across global enterprises. As a leading provider of Cyber Asset Attack Surface Management (CAASM), this report leverages runZero’s unique perspective across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments.

“Our research reveals alarming gaps and unexpected trends in enterprise infrastructure, including the decay of network segmentation, persistent challenges in attack surface management, and the increasing volume of dark matter on modern networks,” said HD Moore, founder and CEO. “runZero was built on the principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of the modern exposure management organizations need to successfully defend against these challenges.”

Key findings include:

  • IT and OT are converging, increasing the attack surface of organizations and requiring new techniques to discover and manage assets. OT systems are high-value targets for attackers and are consistently exposed to untrusted networks. Over 7% of the ICS assets sampled are exposed to the public internet. These assets include programmable logic controllers, power meters, and protocol gateways, all of which play an important role in critical infrastructure.
  • Outlier devices are often the most at-risk. The runZero outlier score, defined as how unique an asset is within the context of its neighbors, strongly correlates with the risk ranking reported by leading vulnerability scanners. This correlation works both ways, with low outlier scores consistently mapping to lower overall risk. Defenders can leverage outlier analysis to quickly identify the most vulnerable systems within their environments.
  • Security teams often have limited to no visibility into more than half of the physical devices on their networks. Network “dark matter”— devices that are often unmanaged by IT and rarely updated — comprises 19% of enterprise networks, while a further 45% of these devices offer limited management capabilities.
  • End-of-life hardware and operating systems continue to drag down security postures. Although Windows 2012 R2 and Ubuntu 14.04 are the most common EoL operating systems observed, obsolete versions of VMware ESXi and out-of-support network devices are serious concerns.
  • Printers and network-attached storage devices often allow traffic forwarding between networks, breaking network segmentation controls. runZero identified unexpected IP-forwarding behavior across dozens of device types, ranging from smart TVs to robotic vacuum cleaners.
  • Zero-day attacks at the network edge have surged and suppliers are struggling to provide timely patches. In the first four months of 2024, runZero published 23 Rapid Responses covering 60+ distinct vulnerabilities.
  • 92% of systems running the Secure Shell (SSH) service allow password-based authentication, exposing these systems to brute force and credential stuffing attacks. In addition to insecure authentication methods, thousands of systems rely on hardcoded cryptographic keys that are shared between unrelated environments, negating many of the security benefits of the protocol.
  • Nearly 16% of all Transport Layer Security (TLS) implementations rely on an end-of-life version of OpenSSL, placing these systems at risk of future compromise. This finding was uncovered through runZero’s unique fingerprinting method that reliably identifies services by behavior, not configuration, to determine versioning.
  • Remote Desktop Protocol (RDP) security has improved on Windows with the introduction of Network Layer Authentication (NLA) support, but this has not carried over to Linux-based RDP implementations like xrdp, and many Windows systems have kept older, more vulnerable configurations.
  • Server Message Block (SMB) v1 is still enabled on 13% of Windows systems. Although SMBv1 is disabled by default on newer versions of Windows, there are still millions of legacy systems using this outdated protocol.

runZero’s research is focused on identifying at-risk devices through precise fingerprinting and fast outlier analysis. This report also describes runZero’s research process, the fingerprinting techniques created, and the practical results of these efforts.

Additional Resources

  • Explore the runZero website
  • Start a free trial
  • Download the runZero Research Report
  • Check out additional research from the runZero team
  • Register for the live report launch event at RSA on May 8th
  • Register for the virtual launch, a special edition of runZero Hour, on May 15th

About runZero

runZero delivers the fastest, most complete security visibility possible, providing organizations the ultimate foundation for successfully managing risk and exposure. Rated number one on Gartner Peer Insights, their leading cyber asset attack surface management (CAASM) platform starts delivering insights in literally minutes, discovering both managed and unmanaged devices across the full spectrum of IT, OT, IoT, cloud, mobile, and remote assets. Combining powerful, proprietary active scanning, passive discovery, and integrations enables runZero to deliver the most accurate, in-depth data and insights for organizations across all sectors. With a world-class NPS score of 82, runZero is trusted by more than 30,000 users to improve security visibility.


Susan Torrey for runZero


Susan Torrey for runZero