The Importance of Technical Risk Assessments for Corporate Security

Every year, CrowdStrike Professional Services performs hundreds of Technical Risk Assessments (TRAs) across various industries, geographies, and corporate environments. These in-depth and practical reviews examine how security controls perform in production, evaluating the threats they detect and block, but especially those they allow through. Risk exposure is constantly evolving as organizations adopt new technologies and adversaries accelerate and explore new tactics. Thanks to direct visibility into numerous environments, the CrowdStrike team can identify recurring patterns that put companies at risk, such as misconfigurations, visibility gaps, and temporary exceptions that map to techniques used by modern adversaries to move quickly and bypass detection.

Analysis of these real-world results shows that the highest risk often lies in the "silent" spaces - unmanaged assets and overlooked credential paths - where adversaries operate with mechanical speed. Addressing these systemic issues requires an approach that goes beyond tool acquisition and focuses on operational discipline. The assessments reveal that enterprise security is not just about having the right technology, but gaining clarity on where risk resides. By closing visibility gaps in critical areas, organizations can shift from a reactive posture to a proactive approach that disrupts the adversary's path.

Main Issues Fueling Cyber Risk

Based on a broad sample of CrowdStrike Technical Risk Assessments, this article examines these patterns and highlights the most common issues that silently fuel cyber risk. For security teams looking to reduce their risk profile, these are the areas to focus on to strengthen their security posture.

Shadow AI: The Governance Gap Organizations Can't Ignore

Employees, developers, and SaaS platforms are implementing AI tools faster than security and policy teams can respond. From LLM-powered browser extensions to unapproved AI agents running in production, AI is spreading outside authorized channels, and security teams often lack visibility. Unlike traditional shadow IT, shadow AI doesn't require installation, hides within existing tools, and can silently route sensitive data to external models. In a recent CrowdStrike services assessment, the client had approved no agentic AI for use, yet had it running in production. In another case, the approved inventory was off by 40%. The risks are significant: uncontrolled data exposure, interrupted access permissions, unmonitored autonomous agent behavior, and no clear accountability.

The External Attack Surface: An Often Underestimated Risk Area

The external attack surface refers to everything an adversary can see and access from the Internet before entering the target network. This includes public websites and applications, domains and subdomains, IP addresses and Internet-exposed services, VPN gateways, remote access portals and management interfaces, as well as cloud and SaaS services reachable directly from the Internet. Technical risk assessments consistently find that this "external footprint" is larger and more exposed than security teams realize. Shadow IT, forgotten projects, third-party integrations, and misconfigured cloud services expand the attack surface in ways that rarely appear in internal inventories.

Common issues identified include unknown "orphaned" assets, outdated software and configurations on public systems, overly permissive access to administration portals, APIs, and management interfaces, and inconsistent controls between on-premise and cloud, or between different business units. Each gap represents an opportunity for an adversary to gain initial access with minimal effort.

Applications and Vulnerabilities: The Challenge of Effective Management

When examining applications and vulnerabilities during a technical risk assessment, a lack of tools is rarely found. Most organizations have endpoint detection and response (EDR), vulnerability scanners, and patch management platforms. The most common challenge is closing the gap between discovering a problem and resolving it within a defined time window. The pattern seen most often is the presence of critical vulnerabilities on unmanaged assets.

Impact of Remote Work and Identity Hygiene

The rise of remote work has introduced new challenges for identity security. During risk assessments, a lack of adequate monitoring of access from home networks often emerges. Many employees use home Wi-Fi networks that lack enterprise security controls, making these endpoints particularly vulnerable to credential stuffing and brute-force attempts. This "background noise" of legitimate access activity can mask real compromise attempts, making it harder for security teams to detect malicious access in time.
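The "background noise" problem above is a classification problem: a user mistyping a password from a home network looks like a failed login, and so does a password spray. As an added example (not part of the original article or of CrowdStrike's tooling), the following Python separates benign noise from credential stuffing (many distinct users from one source) and brute force (many attempts against one user from one source), and flags a success that arrives from a source which has already accumulated failures. The log format, the sample lines and the thresholds are constructed assumptions for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed remote-access log lines (VPN/IdP style, one event per line). Not real data.
SAMPLE_LOG = [
    "2024-05-01T08:00:01 src=198.51.100.7 user=alice result=FAIL",   # home user, typo
    "2024-05-01T08:00:09 src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T08:00:20 src=198.51.100.7 user=alice result=OK",
    "2024-05-01T08:03:00 src=203.0.113.9 user=carol result=FAIL",    # one source, many users
    "2024-05-01T08:03:01 src=203.0.113.9 user=dave result=FAIL",
    "2024-05-01T08:03:02 src=203.0.113.9 user=erin result=FAIL",
    "2024-05-01T08:03:03 src=203.0.113.9 user=frank result=FAIL",
    "2024-05-01T08:03:04 src=203.0.113.9 user=grace result=FAIL",
    "2024-05-01T08:03:05 src=203.0.113.9 user=heidi result=FAIL",
    "2024-05-01T08:03:06 src=203.0.113.9 user=ivan result=FAIL",
    "2024-05-01T08:03:07 src=203.0.113.9 user=judy result=FAIL",
    "2024-05-01T08:03:08 src=203.0.113.9 user=dave result=OK",       # success after the noise
] + [
    # constructed: twelve failures against a single account from one source
    f"2024-05-01T08:10:{i:02d} src=192.0.2.44 user=bob result=FAIL" for i in range(12)
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, spray_users=5, brute_fails=10, noise_fails=3):
    """Classify each source address; only sources that warrant an alert are returned.

    spray_users: distinct failed usernames from one source => credential stuffing
    brute_fails: failures against one username from one source => brute force
    noise_fails: failures from a source after which a success is worth a look
    """
    fails_by_user = defaultdict(Counter)      # src -> Counter(user -> failed attempts)
    success_after_fails = defaultdict(list)   # src -> users that logged in after failures
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable line: skip rather than crash the pipeline
        src, user = ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            fails_by_user[src][user] += 1
        elif sum(fails_by_user.get(src, Counter()).values()) >= noise_fails:
            success_after_fails[src].append(user)

    alerts = {}
    for src, counter in fails_by_user.items():
        if len(counter) >= spray_users:
            verdict = "credential_stuffing"
        elif max(counter.values()) >= brute_fails:
            verdict = "brute_force"
        else:
            continue  # a few failures from one source is ordinary background noise
        alerts[src] = {
            "verdict": verdict,
            "failed_users": len(counter),
            "failed_attempts": sum(counter.values()),
            "success_after_failures": success_after_fails[src],
        }
    return alerts


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

The per-source success-after-failures list is the part that matters for the "masked compromise" case: the same source that failed against eight accounts then succeeded as one of them, which is the event the surrounding noise would otherwise hide.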

Kerberoasting and Kerberos Configurations

Kerberos, the key authentication protocol for many organizations, is often misconfigured. Common issues include service accounts with weak passwords, legacy encryption settings, and excessive privileges. Kerberoasting remains a preferred attack technique, where attackers request service tickets for accounts with elevated privileges, crack them offline, and gain privileged access. Misconfigured Kerberos combined with weak service account passwords significantly lowers the threshold for a successful compromise.
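Both issues named above (legacy encryption settings and ticket requests that precede offline cracking) leave traces in the domain controller's service-ticket audit log. As an added example, not code from the original article or from CrowdStrike, the Python below works over records modelled on the fields of Windows Security event 4769 (a Kerberos service ticket was requested): it flags a requester that asks for tickets to many distinct services in a short window, and lists services that are only ever issued RC4 tickets, which is the hygiene gap that makes those tickets cheap to crack. The sample records, the window and the threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # etype 23: legacy RC4-HMAC tickets, the cheapest to crack offline
AES256_SHA1 = 0x12   # etype 18

# Constructed records with the 4769 fields the detection needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "account": "alice", "client_ip": "10.0.5.21",
     "service": "HTTP/intranet", "enc_type": AES256_SHA1, "status": 0x0},
    {"time": "2024-05-01T09:00:05", "account": "WS01$", "client_ip": "10.0.5.21",
     "service": "cifs/fileserver", "enc_type": AES256_SHA1, "status": 0x0},
    {"time": "2024-05-01T08:00:00", "account": "carol", "client_ip": "10.0.7.3",
     "service": "MSSQLSvc/legacydb:1433", "enc_type": RC4_HMAC, "status": 0x0},
    {"time": "2024-05-01T09:30:00", "account": "carol", "client_ip": "10.0.7.3",
     "service": "MSSQLSvc/legacydb:1433", "enc_type": RC4_HMAC, "status": 0x0},
    {"time": "2024-05-01T09:05:40", "account": "bob", "client_ip": "10.0.9.77",
     "service": "HTTP/intranet", "enc_type": RC4_HMAC, "status": 0x6},  # non-zero = failed
] + [
    # constructed burst: one requester, six distinct services, RC4, within 25 seconds
    {"time": f"2024-05-01T09:05:{5 * i:02d}", "account": "bob", "client_ip": "10.0.9.77",
     "service": svc, "enc_type": RC4_HMAC, "status": 0x0}
    for i, svc in enumerate(["MSSQLSvc/legacydb:1433", "HTTP/intranet", "HTTP/reporting",
                             "MSSQLSvc/hr-db:1433", "ldap/svc-sync", "exchangeMDB/mail01"])
]


def load(events):
    """Copy each record and add a parsed timestamp under 'ts'."""
    out = []
    for ev in events:
        rec = dict(ev)
        rec["ts"] = datetime.fromisoformat(ev["time"])
        out.append(rec)
    return out


def is_candidate(ev):
    """Successful requests by user accounts for services that are not machine accounts."""
    if ev["status"] != 0x0:
        return False
    acct = ev["account"].lower()
    if acct.endswith("$") or acct == "krbtgt":
        return False
    svc = ev["service"].lower()
    return not (svc.endswith("$") or svc.startswith("krbtgt"))


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=5):
    """Alert when one (account, client) requests tickets for >= min_services
    distinct services inside any sliding window of the given length."""
    by_requester = defaultdict(list)
    for ev in load(events):
        if is_candidate(ev):
            by_requester[(ev["account"], ev["client_ip"])].append(ev)

    alerts = []
    for (account, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # service -> requests currently inside the window
        start, peak = 0, 0
        for ev in evs:
            in_window[ev["service"]] += 1
            while ev["ts"] - evs[start]["ts"] > window:   # slide the left edge
                old = evs[start]["service"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_services:
            alerts.append({
                "account": account, "client_ip": ip, "distinct_services": peak,
                "rc4_requests": sum(1 for e in evs if e["enc_type"] == RC4_HMAC),
                "total_requests": len(evs),
            })
    return alerts


def rc4_only_services(events):
    """Services that were only ever issued RC4 tickets: candidates for AES migration."""
    etypes = defaultdict(set)
    for ev in events:
        if ev["status"] == 0x0:
            etypes[ev["service"]].add(ev["enc_type"])
    return sorted(s for s, t in etypes.items() if t == {RC4_HMAC})


if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))
    print(rc4_only_services(SAMPLE_EVENTS))
```

Carol's two RC4 requests to the same legacy database, ninety minutes apart, are the normal noise of an old application and do not trip the detector; the burst of six distinct services from one workstation does. The RC4-only list is the remediation side: those service accounts need AES keys (and strong passwords) before the ticket itself stops being the weak point.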

Patch Management: SLAs and Priorities

Patch management is often treated as an "all-or-nothing" effort rather than a measured commitment. Many organizations lack clear, risk-based service level agreements (SLAs) for vulnerability remediation. Even when they exist, they are often not tracked and enforced in practice. The recommendation is to establish explicit SLAs for vulnerability remediation based on severity, exploitability, and exposure. For example, Internet-reachable and business-critical assets should be subject to the tightest resolution times.
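A risk-based SLA of the kind recommended above is easy to state and hard to enforce unless it is computed per finding and measured. The following Python, added here as an illustration and not taken from the article or from any CrowdStrike product, encodes one such policy (baseline window by severity, halved for Internet-facing and again for business-critical assets, capped for known-exploited vulnerabilities) and then reports which findings are within, past, or were closed after their deadline. The baseline numbers, the finding fields and the sample findings are constructed assumptions; the point is the shape of the policy and the tracking, not the specific day counts.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: baseline remediation window in days by severity.
# Illustrative values, not CrowdStrike's recommendation.
BASE_SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
KNOWN_EXPLOITED_CAP_DAYS = 14   # hard cap once exploitation in the wild is known


@dataclass
class Finding:
    id: str
    severity: str
    internet_facing: bool
    business_critical: bool
    known_exploited: bool
    discovered: date
    resolved: Optional[date] = None


def sla_days(f: Finding) -> int:
    """Remediation window for one finding: severity, tightened by exposure and exploitability."""
    days = BASE_SLA_DAYS[f.severity]
    if f.internet_facing:
        days //= 2
    if f.business_critical:
        days //= 2
    if f.known_exploited:
        days = min(days, KNOWN_EXPLOITED_CAP_DAYS)
    return max(days, 1)


def deadline(f: Finding) -> date:
    return f.discovered + timedelta(days=sla_days(f))


def sla_status(f: Finding, today: date) -> str:
    """One of: open_within_sla, open_overdue, closed_met, closed_missed."""
    due = deadline(f)
    if f.resolved is None:
        return "open_overdue" if today > due else "open_within_sla"
    return "closed_met" if f.resolved <= due else "closed_missed"


def sla_report(findings, today: date) -> dict:
    """Count findings per status: the number a team actually has to track and enforce."""
    counts = {"open_within_sla": 0, "open_overdue": 0, "closed_met": 0, "closed_missed": 0}
    for f in findings:
        counts[sla_status(f, today)] += 1
    return counts


def overdue_findings(findings, today: date):
    """Open findings past their deadline as (id, days_overdue), worst first."""
    items = [(f.id, (today - deadline(f)).days)
             for f in findings if sla_status(f, today) == "open_overdue"]
    return sorted(items, key=lambda item: -item[1])


# Constructed sample findings (ids, dates and attributes are made up).
SAMPLE_FINDINGS = [
    Finding("F1", "critical", True, True, True, date(2024, 5, 20)),   # 7-day window
    Finding("F2", "high", False, False, False, date(2024, 4, 20)),    # 60-day window
    Finding("F3", "medium", True, False, False, date(2024, 1, 1)),    # 45-day window
    Finding("F4", "low", False, False, False, date(2024, 5, 1), resolved=date(2024, 5, 10)),
    Finding("F5", "high", False, False, True, date(2024, 5, 1), resolved=date(2024, 5, 20)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(sla_report(SAMPLE_FINDINGS, today))
    print(overdue_findings(SAMPLE_FINDINGS, today))
```

Note that F5 was closed in 19 days, which would satisfy a flat 60-day "high" SLA, yet counts as missed because the known-exploited cap applied; that is exactly the distinction a severity-only policy loses.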

Discovery and Prioritization of the External Attack Perimeter

During risk assessments, the use of Falcon Exposure Management allows for the discovery and mapping of Internet-exposed assets, correlating them with vulnerabilities, misconfigurations, and threat information. This approach provides a comprehensive view of the external attack perimeter. Consultants enumerate the organization's external footprint, prioritize exposures based on their exploitability and attacker behavior, and validate risk with practical analysis. The result is an evidence-based roadmap to reduce the risk of breaches starting from publicly exposed assets.

Recommendations for Managing Shadow AI

To address the problem of shadow AI, it is essential to form a cross-functional committee that aligns business needs with security requirements. Implementing solutions like Falcon AI Detection and Response (AIDR) and Falcon Exposure Management can help identify unauthorized AI adoption and inventory tools such as AI agents, IDE extensions, and MCP servers. It is important to publish clear rules and a list of approved models and interfaces, define who can develop and implement AI agents, and establish how their behavior is logged and terminated. Training staff on the data exposure and compliance risks of unauthorized AI tools is equally crucial.

Inconsistencies in Security Controls

A recurring problem is the inconsistency of security controls between on-premise and cloud environments, or between different business units. This lack of uniformity creates gaps that attackers can exploit to gain initial access. Technical risk assessments often reveal that even within the same organization, different divisions apply different security standards, creating weak points that can be easily exploited.


📰 Source: crowdstrike.com
✍️ Elaboration: Sebastiano · GoYou.it