Updated on January 8, 2018 by UpGuard
Information technology has changed the way people do business. For better, it has brought speed, scale, and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, breach, and outage. The damage that can be done to a business through its technology is known as cyber risk, and with the increasing consequences of such incidents, managing cyber risk, especially among third parties, is fast becoming a critical aspect of any organization. The specialized nature of cyber risk requires the translation of technical details into business terms. Security ratings and cyber risk assessments serve this purpose, much like a credit score does for assessing the risk of a loan. But the methodologies employed by solutions in this space vary greatly, as do their results.
Cyber risk and cybersecurity are complex problems that have hindered digital transformation since it began. The way this risk is measured determines the context in which the results are viewed; this is why transparency is so important to security ratings: the scope of the risk being assessed must be known. Some solutions use what is known as “IP reputation” to assess risk. This method monitors malware requests seen by honeypots and other sensors and tries to assign them to organizations based on registered IP address space. UpGuard follows “cyber resilience,” which measures configurations, best practices, and other knowable aspects of an organization’s digital operations and security.
As mentioned above, IP reputation-based solutions collect most of their data from honeypots: purposefully insecure systems established in order to record the attacks they suffer, including the originating IP addresses. As anyone who has ever put an insecure system on the internet knows, attacks are happening all the time, and honeypots catch some portion of those attacks simply by being vulnerable. However, the type of malware that attacks randomly enough to hit honeypots accounts for only a fraction of the total malware in circulation. Ransomware and other business-critical malware is usually highly targeted, using inroads like phishing and vulnerable systems to set up in an enterprise where there is valuable data, not just on any computer on the internet.
Once the originating IP address of an attack has been recorded, it is checked against a mapping of owned IP address space on the internet. Essentially, every IP address belongs to a block that is registered to an owner. While some companies use only a few internet-facing IP addresses, others own tens of thousands or more. However, accurate IP attribution has been an ongoing problem for many reasons.
IP reputation methodology depends on attribution to correctly associate behavior with a specific entity. But unless that attribution is precise, and reflects the actual threats posed to a company by a vendor, the entire risk analysis becomes subject to error and, worse, to blind spots in which risk is perceived as being managed but is not fully understood.
Single Threat Vector
Even if malware activity attribution were a reliable method, it would still only look at a single threat among the many that face any digital business. Although malware does play a large role in the cyberattack chain, the ways by which it enters an organization span several different vectors. Furthermore, cyberattacks account for only a small portion of data exposure and service outage incidents; the number one cause is misconfiguration, something an IP reputation-based risk analysis will never catch.
Instead of using IP address ownership to determine the boundaries of an organization, UpGuard looks at its internet footprint. By analyzing all of the internet-facing vectors by which cyber risk enters an organization, UpGuard measures the organizations themselves: their posture against both attacks and misconfigurations. Gathering every internet domain and website that belongs to a company, UpGuard analyzes each one for relevant risk factors, security best practices, and proper configuration, aggregating them into CSTAR, an industry-standard security rating that reflects the actual real-time posture of an organization against cyber risk.
“Hacking” is responsible for surprisingly few incidents of data exposure and service outages. Most are caused by misconfigurations: either unmodified insecure default settings, or configurations that inadvertently expose resources to unnecessary risk. An example of a misconfiguration would be storing sensitive data in the cloud and accidentally making it public to the internet. UpGuard can scan for misconfigurations present in the internet footprint, because best practices dictate how servers and services should be hardened to prevent attack. By comparing vendor posture against these guidelines, UpGuard quickly identifies problems and offers guidance on remediation.
All Vectors for Exposure and Breach
UpGuard organizes its assessment by threat, so companies know exactly which vectors are most dangerous for each of their vendors. This includes common attacks like:
Threats not covered by IP reputation
As vendors employ cloud technologies, the data they store there is at risk of exposure to the entire internet. Forget hacking; a misconfigured bucket can leak an entire database without needing so much as a password to get it. The UpGuard Cyber Risk team has researched and documented these breaches to show just how vulnerable information is when not properly handled. No matter how good your IP reputation, a misconfigured cloud server or storage instance can put your entire business at risk.
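The kind of check a reviewer would run to catch the bucket exposure described above, written as an added example (not UpGuard's code). It assumes an AWS S3-style JSON bucket policy; both policies and the account ID are constructed.

```python
"""Flag storage-bucket policies that grant access to everyone (added example,
not UpGuard's code). It assumes an AWS S3-style JSON bucket policy; the two
policies below are constructed to show the exposure described above."""
import json

# Constructed: the misconfiguration the text describes, a bucket readable by anyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::customer-exports",
                                "arn:aws:s3:::customer-exports/*"]}],
})

# Constructed: the same bucket, readable only by one role in the owning account.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::customer-exports/*"}],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True when a statement applies to any caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy_json):
    """Return (Sid, action, conditional) for each action an Allow statement
    hands to the public; a non-empty result is the exposure to fix first."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            findings.append((stmt.get("Sid", ""), action, "Condition" in stmt))
    return findings
```

A grant that carries a Condition (for example a source-IP restriction) is reported with the flag set to True so it can be reviewed rather than silently accepted.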
Vulnerable and Unpatched Software
Nearly all successful attacks exploit vulnerabilities that have been publicly known, with patches available, for an entire year. Failure to update internet-facing applications is a leading indicator of cyber risk. This vector is untouched by IP reputation methods, because it is a weakness in the legitimate infrastructure, not a rogue agent placed there by some malicious third party. If organizations wish to prioritize cyber risk management by criticality of threat, unpatched and misconfigured software should be item number one.
Some form of social engineering typically precedes a cyber attack. Phishing, and its highly focused variant spearphishing, uses fraudulent emails to trick people into sending information, documents, and even money to a criminal third party. But phishing emails can be caught and quarantined before they ever reach a human being if the proper defenses are in place and correctly configured. UpGuard checks every domain for each vendor to ensure these mechanisms are in place and functioning.
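What a per-domain check of this kind can look like, as an added example (not UpGuard's code). It assumes the defenses in question are SPF and DMARC records published in DNS, and answers lookups from a constructed table so it runs offline.

```python
"""Offline check of a vendor domain's email-authentication posture (added
example, not UpGuard's code). It assumes the defenses meant above are SPF
and DMARC records in DNS; the answers below are constructed, not live."""
import re

# Constructed TXT records standing in for real DNS lookups.
DNS_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "lax.example": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "_dmarc.lax.example": ["v=DMARC1; p=none"],
    "bare.example": [],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query, answered from the table above."""
    return DNS_TXT.get(name, [])

def spf_findings(domain):
    """Weaknesses in the domain's SPF record (empty list = none found)."""
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    # The final "all" mechanism decides the fate of senders not listed.
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF permits any sender (+all)"]
    if last == "?all":
        return ["SPF is neutral (?all): unlisted senders are not rejected"]
    return []

def dmarc_findings(domain):
    """Weaknesses in the domain's DMARC record (empty list = none found)."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record"]
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", recs[0]))
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return ["DMARC p=none: failing mail is reported but still delivered"]
    if policy not in ("quarantine", "reject"):
        return ["DMARC record lacks a valid p= policy"]
    return []

def assess_domain(domain):
    """All findings for one domain; an empty list means both checks pass."""
    return spf_findings(domain) + dmarc_findings(domain)
```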
Deciding which methodology best suits your needs depends on the objectives of your cyber risk initiative. IP reputation can sometimes detect malware signals that are attributed to the address space owned by a company, but UpGuard’s cyber resilience strategy looks at each company’s internet footprint and examines all of the vectors by which data exposure and service outage occur, including misconfigurations, a leading cause of successful attacks, and one undetected by IP reputation tactics.
UpGuard’s CyberRisk offers the most thorough external assessment of a vendor’s internet footprint. Every company is assigned a CSTAR security rating for top level visibility into third party risk. Unlike IP reputation solutions, UpGuard also provides the necessary technical details for each risk detected, as well as remediation and compensating control information. CyberRisk also automates the questionnaire process, so that vendor attestations can be delivered, stored, and organized automatically, alongside their assessments and rating. UpGuard manages the entire third party cyber risk process, end-to-end.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks but from internal misconfiguration of the affected IT systems.