Exposed, Misconfigured and Forgotten: The Triple Threat of External Risk (and how to fix with Cloudflare and IONIX)
If popular TV and movies are to be believed, hackers break into organizations from dark rooms using flashy zero-day exploits (complete with some sort of showy animation), all while techno music blares in the background, culminating in the oh-so-cool announce of “I’m in!”
This… is not reality. The unglamorous truth is that breaches usually stem from a series of small mistakes in unremarkable things: A system that was overlooked when implementing a new policy. A control configuration that was accidentally loosed. A service that was supposed to be decommissioned but was inadvertently left running.
Breaches stemming from these kinds of mistakes are especially frustrating. You had a control, you know how to properly configure it, and you know what systems to apply the control. But the messy complexity of people and process inside a large organization means mistakes are made, things slip through.
This is what keeps many security leaders up at night, and this is why I have found pairing the configuration and deployment with an external, continuous validation process so helpful. And it’s exactly what I’ve been helping Cloudflare and IONIX customers do for the last several months.
In this article
Cloudflare + IONIX: Continuous Control Validation
Cloudflare is already a powerful security control for web applications, blocking attacks with web application, ensuring proper TLS and certificate best practices, stopping automated bot and agents, and shielding properties from massive DDoS attacks.
But that messy complexity can undermine even the stoutest safeguard, allowing unprotected assets to be exposed, or configurations and policies to be loosed or misapplied, resulting in gaps attackers can exploit.
IONIX combats that by acting as an external validation layer, continuously scanning, validating, and ensuring that Cloudflare’s protections are correctly and completely.
When working with Fortune 500 companies on implementing and maintaining Cloudflare over the last few months, I’ve used a control validation framework built around four key principles:
- Most impactful assets go first, no assets left behind
- Validate secure and complete deployments
- Protect against drift and new threats
- Provide the fastest path to remediation
Step 1: Most impactful assets go first, no assets left behind
You can’t apply Cloudflare to systems you don’t know exist. From forgotten marketing sites to orphaned portals at acquired companies, publicly exposed assets often linger outside security’s line of sight. You start by using IONIX to conduct a comprehensive discovery of everything public-facing: websites, CMS instances, login portals, static documentation, and more. You also can use IONIX to understand what each asset is and how it connects to the business. You can also use IONIX to determine what exploitable issues exist in those public assets. You use all of this data to build a prioritize list of assets to onboard into Cloudflare, with the most important assets with the most impactful issues going first.
This is needed because in that messy complexity of organizations with thousands of public-facing sites, you cannot snap your fingers and onboard everything to Cloudflare at once. There are different DNS zones, different owners, and different business units. All this means prioritization is critical. The end goal is simple: make sure nothing that should be protected is overlooked.
Step 2: Validate Secure and Complete Deployments
Assuming you know all your assets, and have a plan to onboard them into Cloudflare, deployment mistakes are inevitable when operating at scale:
- Differences in how Cloudflare is set up from a DNS perspective can impact how protection can be applied.
- WAF rules loosened to work with certain apps can be mistakenly applied to other apps
- TLS settings to support older clients for a specific legacy application can be applied too broadly.
- Settings associated with a new application might be changed to make development or testing easier, and then not properly hardened once the application goes live.
I recommend that security organizations define specific policies or settings. For instance:
- Marketing CMS systems must sit behind Cloudflare with bot protection.
- Any portal with customer data must have WAF rules enabled.
- TLS settings must meet best practices
Then as Cloudflare is rolled out, IONIX is used to validate that these policies are being followed and flags any inconsistencies. This ensures that every crown jewel is protected properly, not just on paper, but in practice.
Step 3: Guard Against Drift and New Threats
Security isn’t static. Configurations that are perfect today may drift tomorrow. A partner may require support for outdated TLS protocols. A backup restore might reintroduce an old, insecure configuration. Or someone might disable a WAF rule to troubleshoot an issue and forget to re-enable it.
IONIX continuously checks for regressions, detecting if an origin server is suddenly accessible directly, if Cloudflare protections are disabled, or if settings have been weakened.
Then there are the threats that emerge out of nowhere, like the recent SharePoint zero-day. Because attackers move so quickly, companies need to know immediately: are all vulnerable assets protected behind Cloudflare, and if their current configuration actually protects them.
IONIX gives Cloudflare users confidence by using real-but-non-destructive payloads against public assets and ensuring their Cloudflare configuration is sufficient for new threats.
Step 4: The Fastest Path to Remediation
During these steps, you will find security issues and gaps which can be resolved with a proper Cloudflare configuration and deployment. Finding a problem is only half the battle. Fixing it quickly is what really counts. Too often, security teams understand a security vulnerability but struggle to explain to the non-security experts in IT or development or know how to configure Cloudflare to resolve it.
For example, while working with a major consumer goods company, we found a web application with an exposed settings file. Using IONIX we were able to:
- Explain what the problem was using language and terminology the developers could understand.
- Prove to the developers that the settings were really accessible remotely.
Even better, IONIX can dynamically re-write its remediation information to be Cloudflare-specific. Instead of just getting generic advice change file permissions, IONIX was provided step by step instructions on how to validate that all web traffic routes through Cloudflare, and how to add a WAF rule to block access to the settings file, with the exact syntax need for this specific issue on this specific domain!
This level of clarity bridges the gap between security and operations, ensuring fixes happen quickly and correctly.
The Security Ratchet
Cybersecurity isn’t just about deploying the right controls, it’s about ensuring they’re used consistently, monitored continuously, and adjusted as the environment evolves.
Cloudflare provides a world-class security perimeter. IONIX ensures that public attack surface is known, validated, and capable of evolving alongside new threats and organizational changes.
The net effect is IONIX and Cloudflare becomes a kind of security ratchet: Cloudflare provides the protection, and IONIX validates its efficacy from the outside, ensuring that you can only tighten down defenses, and never let them loosen.
Come see IONIX and Cloudflare in action at Cloudflare Connect booth 23, Oct 13-16 in Las Vegas. Can’t make it – sign up for a demo here.
