“If I Can't See it it Doesn't Exist” - The blind spots in Your IT Security Risk Assessment

Posted by Koby Meir on April 21, 2020 1:29:31 PM EDT
Find me on:

Cyber security risk assessment is a fundamental building block in any cyber security program. It enables you to identify all the potential risks and security issues that your organization might face and ensure the right policies and tools are put in place to improve your overall security posture.

A risk assessment process typically includes the following activities:

  1. Identifying all the threat and vulnerabilities that are relevant to your organization
  2. Assessing the likelihood that these risks will materialize
  3. Determining the adverse impact these risks may have on your organization
  4. Analyzing their likelihood and potential impact to determining the severity of these risks
  5. Deciding whether these risks needs to be mitigated or not

There are serious gaps in the way risk assessments are carried out today. These gaps leave organizations with many blind spots and a variety of unknown exposures and risks. Existing practices and solutions used for assessing and identifying your security risks tend to fall short in two main respects: firstly, the information used in the assessments and secondly the frequency with which data used for these assessments is collected. Let's examine each one of these shortfallings in more detail.

#1: Information Used for Assessing Risks is Limited 

Best practices for the risk assessment process emphasize the need to thoroughly map all your assets, identify and document potential vulnerabilities as well as internal and external threats. The visibility you get is only as good as the sources of information that you are using. 

Common sources of information used as inputs in the assessment process come from IT asset management platforms, incident reports, security logs together with information collected through vulnerability assessments, pen testing initiatives and security rating service. All these traditional risk assessments solutions are built to discover, assess and exploit vulnerabilities in your known assets.  But what about the assets of which you are unaware? 

The shift to the cloud and democratization of IT are leading to increase in unknown risks and exposures in organizations’ network perimeter. Here are a few examples of such unknown assets:

  • New cloud environments opened by your subsidiary
  • Undocumented staging environments unsecurely deployed by your dev team
  • Unmanaged legacy systems that belong to a company you acquired
  • A QA website that your supplier created and is fully accessible to any user online

Asset Exposure and Risk Heatmap Reposify

None of the commonly used sources of information in your risk assessment will detect or monitor such assets. Even risk rating services, which provide some level of external visibility, will not cover all of your internet-facing assets. The data and methods used by security ratings service providers for calculating your risk score are opaque and the accuracy of asset and risks attribution is unclear.

#2: Data Collection Frequency

Security risk assessments are typically done on an annual basis or around periods during which major changes in software or hardware infrastructure are made. A lot of the information used for these annual risk assessments comes from the above mentioned targeted IT security audits that take place more frequently but not continuously. 

The reality is that most security teams today rely on a snapshot that represents their risks at a specific point in time. When you consider the frequent changes in your internet-facing asset, such reliance on a specific moment in time is flat out dangerous. 

Your network perimeter is in constant flux. On average, somewhere between 5%- 20% of your IP addresses are fixed, the rest are ephemeral (this will vary based on the organization type and size). Here are two examples of the changes detected by Reposify’s Attack Surface Management platform for IP addresses over time. In both of these examples you can see the frequent changes in IP ownership, security issues and associated risks severity.

Risk Assessment Reposify 2

Risk Assessment Reposify 1

These examples demonstrate how important it is to continuously monitor your external attack surface and have an up-to-date overview of the risks to which you are exposed. Without it, unwanted exposures and unknown risks remain in the dark for very long time periods and could have severe business implications.

IBM and Ponemon Institute’s 2019 Cost of a Data Breach Report shows that the mean time to identify a data breach was 206 days and the mean time to contain it was 73 days. 

If organizations had a way to stay on top of every exposure in their network perimeter, costly breaches could be significantly reduced. To truly identify and assess your organization's cyber security risks, you need a solid ground truth which is complete, accurate and always up to date.

Here are 6 ways in which Reposify’s External Attack Surface Solution can help you transform the way you discover and monitor your cyber security risks.

#1: Cover all your network environments

Visibility of all your assets is crucial.  Get complete visibility of all your exposures across on premise, all cloud environments as well as your supply chain.

#2: Never miss an important asset:

Gain a complete view of all your known and unknown risks. Go beyond publicly registered IPs and domain data which relies mainly on DNS and WHOIS.

 #3: Interpret the risk with the right business context

Cyber risk isn't detached from business risk. See your security issues prioritized for your business and easily adjust the weights on the score based on your organizational priorities. 

#4: Data Freshness:

We don't just claim our data is fresh. We index the entire Internet continuously and show you exactly what information was updated and when. With continuous monitoring you’ll be able to see every change in the network in near real time so you can stay on top of exposures and ahead of attackers.

#5: Data Transparency:

Understand the data behind your organization's risk score, see how it was calculated and what assets it includes. The discovery path and attribution process for each asset is completely transparent.

#6:  Leverage Actionable Insights 

Not just a score. Save precious time by getting a complete asset inventory, prioritized risks and detailed remediation steps to quickly resolve the security issues identified and eliminate the risks.

 

Get your personalized demo to discover all your exposed assets and your security posture.

Request A Demo

 

Topics: "IT Security Audits", "Attack Surface Management", "Security Risk Assessment"