The modern attack surface is constantly evolving and growing. Just how much of an organization’s assets are exposed determines how many vulnerable entry points it has for attackers trying to infiltrate their systems. This means that reducing cyber exposure is crucial in reducing the cyber risks your organization is facing.
What constitutes a cyber exposure?
We talked about what an “exposure” is in cybersecurity when we were discussing the topic of CVEs, but let’s reiterate. An exposure is considered an error or misconfiguration that provides attackers indirect access to a system or a network, often leading to a data breach. But, when talking about cyber exposure in general, the definition might be wider, and goes beyond purely technical misconfiguration.
Cyber exposure is considered to be the worst-case scenario in the event of an organization suffering a cyber attack, and the probability of the attack occurring. It’s a discipline of managing and measuring risk associated with sensitive assets and data being compromised.
Here are three examples of what is considered an exposure that greatly increases the risk of unauthorized access:
- BYOB: The more devices that don’t have security controls accessing the organization’s network, the bigger the attack surface
- Supply chain: Being part of a supply chain greatly increases your exposure as there are now more players in the game, and more networks and systems with security measures you have no knowledge of
- Data and security policies not being continuously reviewed
Cyber exposure provides a framework with which organizations can have a better grasp over their assets and risks across all levels. Larger organizations have a larger network of digital assets, meaning that the attack surface and cyber exposure are much greater. With millions of digital assets there are challenges with the lack of visibility of those assets, and you can’t protect what you can’t see. But it isn’t enough to know only what assets belong to the organization—such limited knowledge would leave security teams without enough context for their detection, protection and remediation efforts. This leads us to prioritization, which is one of the pillars of any discipline handling risk.
Cyber exposure is not the same as a vulnerability. It actually depends on the exploitability of that vulnerability and the consequences measured in financial, reputational and operational losses that would follow. It’s important to understand which vulnerability is being currently exploited by hackers, which vulnerability poses the greatest risk to your critical assets, and what would be the damage done if that vulnerability is exploited. In this way, you can understand which exposure is the most important.
A breach on assets that don’t contain any critical financial, customer or intellectual data is not the same as cyber exposure, and shouldn’t be treated as one that would involve any piece of that critical data.
What you don’t know, will hurt you: The cyber exposure gap
While talking about cyber exposure, there is one term we should go over to aid in understanding the entire concept of exposure. As we mentioned above, one of the biggest challenges regarding cyber exposure is the lack of visibility. The cyber exposure gap represents the lack of visibility between what your security tools are showing you and critical areas of your attack surface, such as any vulnerability or misconfiguration not shown by currently used tools.
To reiterate—you can’t protect what you can’t see. And the solution here isn’t as simple as merely getting a single security tool that will provide you with 100% coverage and visibility. Chances are, a tool like that doesn’t exist.
What we need to do is shrink the gap. It doesn’t help that the gap, like the attack surface, is constantly growing. Each new connected device that isn’t seen by your security solution widens the gap. And to truly know and understand your cyber exposure, a solution that imports asset, vulnerability and threat data from multiple vendors—and provides context that gives you a needed overview of your attack surface—is crucial.
Cyber exposure lifecycle explained
As a discipline, cyber exposure has five stages:
These five stages of the cyber exposure life cycle are created to signify continuous effort over identifying assets, by detecting vulnerabilities in all assets, analyzing those vulnerabilities and prioritizing them based on the risk, fixing them by creating remediation processes, and at the end, measuring success to provide a report that will help inform better decisions.
Cyber exposure helps organizations achieve end-to-end visibility of all the assets they own and their exposure, and gives them the next step in how to protect what’s important. As we mentioned, cyber exposure goes beyond the pure technical definition of what an exposure is, and regards more of a strategic approach to handling security risk. It involves a collaboration of executives, IT teams, SOC teams and DevOps throughout the cycle.
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
And how can you prevent cyber exposure?
Besides employing solutions to prevent cyber exposure, there are effective and affordable ways you can reduce your organization’s exposure to security risks.
Visualization of all assets
If there’s one thing to highlight as the theme of today’s post, that would be the importance of the visibility of assets. While that might sound like a simple and “duh” tip, obtaining end-to-end visibility in modern organizations is a challenge across all industries. Using tools and solutions that provide you with full visibility into your internal and external attack surfaces and exposures is crucial in making better informed decisions when handling security risks.
Understand where your priorities should lie
Even smaller organizations will have numerous assets, and it won’t be possible to address each issue and vulnerability equally. You need to know what matters and focus on it, tackling the most critical exposures first. Remediation shouldn’t be prioritized only by the severity of assets’ vulnerabilities, but also by their value and probability of attack. This way, addressing and fixing exposures is prioritized in an all-encompassing way and makes sure that what matters the most is addressed as quickly as possible.
Measure effectiveness, rinse, and repeat
After every cyber exposure life cycle, there is that time when victories and losses both need to be counted and the effectiveness of cyber exposure techniques and tools is measured. With this, security teams get insights into what works and what doesn’t, whether all exposed assets have been properly flagged, if all possible risks were assessed to ensure proper remediation—and if something wasn’t how it should be, and how it can be identified and fixed in the next lifecycle. Handling cyber exposure is a continuous process that is performed, measured and repeated to ensure never-ending security against exposed assets.
Put the right security controls in place
On the more technical side of things, we have security controls to ensure that the odds of cyber exposure and the risk of network threats is decreased as much as possible. Most of these are parts of “standard” cybersecurity procedures but are still worth mentioning. No one is immune to exposure, as the cyber exposure risks of some large organizations show us below:
- Network perimeter defense: While we often hear that the perimeter is breached and is no longer enough to hold a network secure, having a web proxy, web filtering, and a firewall, among other measures, are foundational security controls to have in place.
- Password security: Having a password policy that entails regular password changes, no duplicate passwords for multiple accounts, required password complexity and a safe password manager is crucial to prevent account exposure.
- Patch management: Ensure all OS and software versions are updated to the latest versions and that all available patches for known vulnerabilities are applied.
- Anti-malware and antivirus: A good old antivirus solution is a staple and should be utilized to detect any known malicious code.
- Zero trust: Enforcing the least privilege and zero trust principles will mean that users will have access only to those parts of the network that are necessary for them to perform needed actions, giving them no permissions to sensitive parts of the systems they don’t require.
Cyber Exposure Index
The Cyber Exposure Index is the result of a research project that looks at the amount of cyber exposure within organizations in different markets. Three variables are usually examined:
- Disclosure of sensitive information
- Exposed credentials
- Cyber crime groups targeting the organization
Data is collected from publicly available sources and data breaches. Collected data is analyzed for signs of the three variables, and the cyber exposure score is based on the number of identified risks divided by the employee count. The score ranges from 0-300:
- 0 - Low exposure: No automatically identified exposure
- 0 - 100 - Medium exposure: A moderate number of exposed accounts and data
- 100-200 - High exposure: Organization owns a large number of exposed assets
- 200 - 300 - Very high exposure: Organization has probably been breached or is the target of cyber crime groups
- 300+ - Extreme exposure: Organization has already suffered a breach
On their website, you can search for different organizations in their database, from Australia, Singapore, Italy, Finland, Indonesia, Germany, Hong Kong, South Africa, United Kingdom, United States and Malaysia. There were quite a few 300+ cyber exposure scores when we searched for US companies from the information technology industry.
This is a great way to see how exposure is measured and what kind of risks it poses to organizations of all sizes. Among the worst contenders, you can find organizations involved in high-profile breaches and see the analysis of events and indicated risk.
You can also browse their general country statistics and see the average exposure score per country, global exposure per industry, and much more.
The CEI was first published in 2017 and now is updated a few times throughout the year. The project is said to still be in its early days, and once the database expands to include even more organizations, it will be a true treasure trove of cyber exposure and risk data.
There is another way to prevent cyber exposure
Let’s go back to the highlight of any discussion about cyber exposure: visibility. SurfaceBrowser™ gives you the ability to look up your organization and perform a full audit of all the exposed data you’re showing to the bad guys.
With SurfaceBrowser™, you’ll be able to browse all IP blocks that belong to your organization, locate associated domains, all existing subdomains, explore open ports, uncover rDNS records, and unveil all SSL certificates. You’ll have a grasp over your external surface area through a unified web interface, and monitor your security health, locating any vulnerabilities and exposed external assets.
Book a demo with our team and unlock the full power of our all-in-one passive intelligence tool!