This document provides an analysis of the attack surface for 19 major healthcare organizations based on data collected by Bit Discovery from public sources on the internet. It includes statistics on each organization's total assets, domain names, cloud assets, use of content delivery networks, certificate authorities, expired certificates, geographic distribution, private IP addresses, WordPress vulnerabilities, and recommendations for building a security program around mapping the attack surface.
3. •CEO, Bit Discovery
•20 years in Information Security
•Founder of WhiteHat Security
•Black Belt in Brazilian Jiu-Jitsu
JEREMIAH
GROSSMAN
4. ASSET
ATTACK SURFACE
From the network perspective of an adversary, the
complete asset inventory of an organization including all
actively listening services (open ports) on each asset.
• a domain name, subdomain, or IP addresses and/or
combination thereof, for a device connected to the Internet
or internal network.
• (an asset) may include, but not limited to, web servers,
name servers, IoT devices, or network printers.
5. •Shadow Asset: The specific asset, as defined by a
hostname/IP-address, that’s unknown or uncontrolled by
the organization.
•Shadow Service: Unknown or uncontrolled services (i.e.,
open ports) that are actively listening on an asset.
•Shadow Software: Unknown or uncontrolled software
stack information (i.e., list of installed software and
versions) of a listening service on an asset.
SHADOWS WITHIN
SHADOW-IT
10. •Collect a list all registered IP-ranges and domain names:
Most organizations will not have a ready up-to-date list.
•Find and scan all subdomains: Assets located on-premise,
in the cloud, hosted applications, labelled under of
subsidiaries, physically located across distributed data
centers, and across non-contiguous IP-ranges.
•Collect all meta-data for every asset: software stack,
version info, TLS cert info, programming language, open
ports, IP geo-location, hosting provider, CDN, etc.
•Maintain an up-to-date attack surface map: The asset data
for most organizations change between 1-5% monthly.
THE ATTACK SURFACE
12. Bit Discovery 2020
INTERNET
“COPY” OF THE
• Generated by Bit Discovery and 400 data sources.
• WHOIS databases, domain names, ASN, ports,
service banners, technology stack, website index
page(s), full TLS certificate info, email addresses,
password dumps, etc.
• Each asset has potentially 115 unique data points.
• Each data point updated daily-to-monthly.
• Hundreds of snapshots collected over 5 years.
Largest Data-Set
Of It’s Kind
*missing ~30% of the Internet*
4.5 BILLION DNS
ENTRIES
200+
INTERNET
SNAPSHOTS
515
DATA SOURCES
115
DATA COLUMNS
150
YEARS OF
CPU TIME
14. The total number of Internet-connected assets.
TOTAL ASSETS
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 10,000 20,000 30,000 40,000
2,839
237
39,956
38
1,752
18
36,639
479
25
22
44
5,293
77
80
22,972
1,010
2,271
795
172
15. The total number of registered domain names.
DOMAIN NAMES
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 350 700 1,050 1,400
93
3
1,400
2
53
1
444
44
1
2
3
312
5
2
8
37
128
30
6
16. The percentage of cloud-hosted assets including Amazon Web
Services, Microsoft Azure, Google App Engine, and others.
CLOUD ASSETS
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 13 25 38 50
14.76
19.41
26.66
7.89
5.31
11.11
20.70
11.69
0.00
0.00
0.00
46.91
0.00
0.00
0.06
1.19
6.16
3.52
1.74
17. The percentage of Internet-accessible assets served by a well-known
Content Delivery Network including Akamai, Cloudflare, and Fastly.
CDN ASSETS
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 8 15 23 30
0
0
3
24
0
0
0
0
24
0
0
0
0
0
0
4
1
0
0
18. The number of unique Certificate Authorities seen across the Internet-
accessible assets.
CERTIFICATE AUTHORITIES
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 10 20 30 40
22
4
39
3
18
2
26
12
1
2
2
37
3
6
5
10
29
9
5
19. The number of expired TLS Certificates seen across the Internet-
accessible assets.
EXPIRED TLS CERTS
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 50 100 150 200
77
3
110
0
16
0
110
2
0
0
0
196
0
0
0
21
90
9
5
20. The number of countries hosting Internet-accessible assets.
COUNTRIES
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 4 7 11 14
4
6
14
1
5
1
12
6
2
1
1
8
1
1
3
4
9
3
2
21. The number of Internet-connected assets where the hostname resolves
to non-route-able RFC-1918 internal IP-addresses.
PRIVATE IP-SPACE
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 8 15 23 30
10
0
8
0
2
0
1
0
0
0
0
1
0
0
0
27
8
0
0
22. Extremely popular free and open-source CMS. Wordpress assets
scanned with WPScan, which includes vulnerabilities in plug-ins.
WORDPRESS VULNS
SolutionHealth
Parkland Health
Fairmont Behavioral
Ascension Health
Tenet Healthcare
Children's Hospital Colorado
Tahoe Forest
Effingham Health
Trinity Health
SBH Health
Tulsa Bone and Joint
Vibra Healthcare
Community Health
Granville Health
Atrium Health
Call 4 Health
CommonSpirit Health
LifePoint health
Providence Health
0 45 90 135 180
21
0
172
0
0
0
65
0
0
0
57
0
0
0
0
1
0
0
0
24. Every
security
program
must begin
with an
attack
surface map.
Jeremiah Grossman
CEO, Bit Discovery
• Attack Surface Map
• Multi-factor Authentication
• Email Security
• Routine Backups
• Wire Transfer Verification
• Password Management