Information technology has changed the way people do business. For better, it has brought speed, scale, and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, breach, and outage. The damage that can be done to a business through its technology is known as cyber risk, and with the increasing consequences of such incidents, managing cyber risk, especially among third parties, is fast becoming a critical aspect of any organization.
The specialized nature of cyber risk requires the translation of technical details into business terms. Security ratings and cyber risk assessments serve this purpose, much like a credit score does for assessing the risk of a loan. But the methodologies employed by solutions in this space vary greatly, as do their results.
Cyber risk and cybersecurity are complex problems that have hindered digital transformation since it began. The way this risk is measured determines the context in which the results are viewed; this is why transparency is so important to security ratings, the scope of risk being assessed must be known. Some solutions use what is known as “IP reputation” to assess risk.
This method monitors malware requests from honeypots and other sensors and tries to assign them to organizations based on registered IP address space. UpGuard follows “cyber resilience,” which measures configurations, best practices, and other knowable aspects of an organization’s digital operations and security.
As mentioned above, the primary way data is collected for IP reputation based solutions is that honeypots, or purposefully insecure systems, are established in order to collect data about the attacks they suffer, including their originating IP addresses. As anyone who has ever put an insecure system on the internet knows, attacks are happening all the time, and honeypots catch some portion of those attacks simply by being vulnerable.
However, the type of malware that attacks randomly enough to hit honeypots only account for a fraction of the total malware in circulation. Ransomware like WannaCry and other business-critical malware is usually highly targeted, using inroads like phishing and vulnerable systems to set up in an enterprise where there is valuable data-- not just any computer on the internet.
Once the originating IP address of an attack has been recorded, it is then checked against a mapping of owned IP address space on the internet. Essentially, every IP address lives in a space that is associated with an owner. While some companies may only use a few internet-facing IP addresses, some own tens of thousands or more. However, accurate IP attribution has been an ongoing problem for many reasons.
- Public Networks - Many companies offer guest wi-fi, computer labs, community access, and other services which allow unvetted computers to access the internet. However, these public networks are restricted from accessing the company’s internal network and the behavior of such users does not reflect the company’s practices or security.
- Misdirection - Attacks often spoof their source, or travel through a number of different connections before they reach an end target.
- Defunct and Repurposed Address Space - The ownership of IP address space is based on registrations that must be renewed every so often. When registrations change, address space previously owned by one entity may be used by a third party before ownership is updated on other sites.
- Large Networks and Granularity - At larger scales, IP attribution becomes nearly meaningless, as a parent corporation may own millions of public IP addresses, which are distributed through a complex network of otherwise separate organizations. Likewise, small and medium businesses who share address space with an ISP or vendor are extremely difficult to pinpoint.
IP reputation methodology depends on attribution to correctly associate behavior with a specific entity. But unless that attribution is precise, and reflects the actual threats posed to a company by a vendor, the entire risk analysis becomes subject to error, and worse, blindspots in which risk is perceived as being managed, but is not fully understood.
Single Threat Vector
Even if malware activity attribution were a reliable method, it would still only look at a single threat among the many that face any digital business. Although malware does play a large role in the cyberattack chain, the ways by which it enters an organization span several different attack vectors. Furthermore, cyberattacks only account for a small portion of data exposure and service outage incidents-- the number one cause is misconfiguration, something an IP reputation based risk analysis will never catch.
Instead of using IP address ownership to determine the boundaries of an organization, UpGuard looks instead at their internet footprint. By analyzing all of the internet-facing vectors by which cyber risk enters an organization, UpGuard measures the organizations themselves, their posture against both attacks and misconfigurations.
Gathering every internet domain and website that belongs to a company, UpGuard analyzes each one for relevant risk factors, security best practices, and proper configuration, aggregating them into CSTAR, an industry-standard security rating that reflects the actual real-time posture of an organization against cyber risk.
“Hacking” is responsible for surprisingly few incidents of data exposure and service outages. Mostly, these are caused by misconfigurations-- either unmodified insecure default settings, or configurations that inadvertently expose resources to unnecessary risk. An example of a misconfiguration would be storing sensitive data in the cloud and accidentally making it public to the internet.
UpGuard can scan for misconfigurations present in the internet footprint, because best practices dictate how servers and services should be hardened to prevent attack. By comparing vendor posture against these guidelines, UpGuard quickly identifies problems-- and offers guidance on remediation.
All Vectors for Exposure and Breach
UpGuard organizes its assessment by threat, so companies know exactly which vectors are most dangerous for each of their vendors. This includes common attacks like:
- Man-in-the-Middle - UpGuard assesses encryption mechanisms and configurations to understand how well a vendor protects their customers from data interception.
- Phishing - Targeted emails can trick people into bypassing their own defenses and leaking data or sending funds. UpGuard examines email practices to determine if a vendor has taken steps to mitigate the risk of phishing.
- Vulnerable Ports - The largest ransomware attacks in recent memory, WannaCry and Petya, both relied on an exposed Microsoft SMB port to infect systems. UpGuard checks ports on every vendor site for dangerous attack inroads.
- Outdated and Unpatched Software - UpGuard looks for software advertised by the vendor’s sites. Attackers can find easy exploits for old and unpatched software.
- Insider Threats - Unhealthy corporate culture increases the risk of both insider malfeasance and operational sloppiness. Both impact your data and services. UpGuard measures company satisfaction and CEO approval so that unhealthy cultures can be flagged up front.
- Blacklists - UpGuard does include the very best of IP reputation lists, by checking each site against Google’s malware blacklists, ensuring that if a vendor’s websites have had previous reputation issues, customers are aware.
Threats not covered by IP reputation
As vendors employ cloud technologies, the data they store there becomes at risk for exposure to the entire internet. Forget hacking; a misconfigured bucket can leak an entire database without needing so much as a password to get it. The UpGuard Cyber Risk team has researched and documented these breaches to show just how vulnerable information is when not properly handled. No matter how good your IP reputation, a misconfigured cloud server or storage instance can put your entire business at risk.
Vulnerable and Unpatched Software
Nearly all successful attacks exploit vulnerabilities that have been known about and had patches available for an entire year. Failure to update internet-facing applications is a leading indicator of cyber risk. This vector is untouched by IP reputation methods, because it is a weakness in the legitimate infrastructure, not a rogue agent placed there by some malicious third party. If organizations wish to prioritize cyber risk management by criticality of threat, unpatched and misconfigured software should be item number one.
Some form of social engineering typically precedes a cyber attack. Phishing, or the highly focused spearphishing, use fraudulent emails to trick people into sending information, documents, and even money to a criminal third party. But phishing emails can be caught and quarantined before they even reach a human being if the proper defenses are in place and configured. UpGuard checks every domain for each vendor to ensure these mechanisms are in place and functioning.
Deciding which methodology best suits your needs depends on the objectives of your cyber risk initiative. IP reputation can sometimes detect malware signals that are attributed to the address space owned by a company, but UpGuard’s cyber resilience strategy looks at each company’s internet footprint and examines all of the vectors by which data exposure and service outage occur, including misconfigurations, a leading cause of successful attacks, and one undetected by IP reputation tactics.
UpGuard’s VendorRisk offers the most thorough external assessment of a vendor’s internet footprint. Every company is assigned a Cyber Security Rating for top level visibility into third party risk. Unlike IP reputation solutions, UpGuard also provides the necessary technical details for each risk detected, as well as remediation and compensating control information. VendorRisk also automates the questionnaire process, so that vendor attestations can be delivered, stored, and organized automatically, alongside their assessments and rating. UpGuard manages the entire third party cyber risk process, end-to-end.