Contact us
Request demo →
Contact us
German website
search
close

Open Directories: A Peek Into Our Research

by Sebastiaan Bosman Blog 24 Nov 2021

In our previous blog, we explained what open directories are and how they can result in a data leak. As mentioned there, we conducted research into the risks of open directories ourselves, to see the extent of the problem. We’ll go into the method and preliminary results of that research here, while leaving the most telling examples and conclusions for our webinar on Wednesday 1 December.


The Method

For the research, we used a combination of Shodan and our own Attack Surface Management (ASM) platform. Shodan is used as a search engine for internet-connected devices, practically in the broadest sense of the term. Our ASM platform automatically detects and maps the digital assets of an organisation, by looking from the outside-in. All assets are scanned for digital risks and scored accordingly, helping IT professionals prioritise the most pressing vulnerabilities in their systems.

Our main goal was to research the extent of open directories and the risk they pose, and analyse them for misconfigurations and exposed confidential data. Naturally, upholding the confidentiality of (exposed) data was a priority throughout the entire research.

We split the process into smaller parts:

  1. Check for exposure of open directories;
  2. Collect and process data;
  3. Analyse the data;
  4. Correlate the findings.

 

The Results

Geographic differences

Overall, we found 475,537 open directories during the two-month research period. As each one of those directories holds a number of folders and files, the total number of exposed files reaches well over the 10 million.

Naturally, results varied geographically depending on internet use. In our research, the US had the most detected open directories: 171,587 compared to 39,447 from Germany, the runner-up in the list. After that, though, results in the top 10 did not vary as much anymore, with an average of 17,132 detected open directories from countries ranging from Canada to Japan. Those are still a lot of individual files vulnerable to data leaks. We will cover some of the most remarkable findings from different countries in more detail during the webinar.

Data dumps

We also detected various file types in the open directory data dumps. There were .zip files, as well as .sql, .tar, .gz, .md, .backup, and more. These data dumps are massive, with some of the compressed folders holding over 30GB of data.

example of data dump

 

What to expect from the webinar

Next to extensive data dumps, we were able to detect other types of data such as leftover files and exports. Our Security Analyst Soufian El Yadmani will go over these types of findings and the different types of critical data they hold.

After examining the different kinds of data leaks and establishing the level of risk that open directories pose, we will conclude our webinar with some tips and tricks. How can you prevent similar data leaks at your organisation? Our CISO Vincent Thiele will share his insights and best practices.

Click here to register for the webinar:

Register for the webinar >>

Open directories: our research findings

In our previous blogs to this open directory series, we talked about what open directories are and why they pose a risk, and how we set up our own research into the extent of the issue. That also featured a sneak peek into the results. Now that we have presented the findings in our webinar, this article will cover the statistics and most striking examples. And most importantly: what are our conclusions and tips to make your own directories data leak free?

read more

Open Directories: A Peek Into Our Research

In our previous blog, we explained what open directories are and how they can result in a data leak. As mentioned there, we conducted research into the risks of open directories ourselves, to see the extent of the problem. We’ll go into the method and preliminary results of that research here, while leaving the most telling examples and conclusions for our webinar on Wednesday 1 December.

read more

Editorial: 6 steps to achieving zero shadow IT

Shadow IT has long been a problem for organisations. Formal IT is routed through the IT department, where it’s approved, purchased, set up, and, importantly, supported and maintained. Shadow IT falls outside this process, and is normally split into two categories: / Systems that the IT department doesn’t know about. / Systems the IT department knows about but needs to keep running as they are integral to business operations. The second category is the real Shadow IT and the biggest problem for businesses. So how can you protect your business from the perils of shadow IT? Here are Pieter's six steps.

read more

Do you have a question?

Our experts have the answers

Contact us