“If I Can’t See It It Doesn’t Exist” – The Blind Spots In Your IT Security Risk Assessment

Koby Meir


Cyber security risk assessment is a fundamental building block in any cyber security program. It enables you to identify all the potential risks and security issues that your organization might face and ensure the right policies and tools are put in place to improve your overall security posture.

A risk assessment process typically includes the following activities:

  1. Identifying all the threats and vulnerabilities that are relevant to your organization
  2. Assessing the likelihood that these risks will materialize
  3. Determining the adverse impact these risks may have on your organization
  4. Analyzing their likelihood and potential impact to determine the severity of these risks
  5. Deciding whether these risks need to be mitigated or not

There are serious gaps in the way risk assessments are carried out today. These gaps leave organizations with many blind spots and a variety of unknown exposures and risks. Existing practices and solutions used for assessing and identifying your security risks tend to fall short in two main respects: firstly, the information used in the assessments, and secondly the frequency with which data used for these assessments is collected. Let’s examine each one of these shortfalls in more detail.

#1: Information Used for Assessing Risks is Limited

Best practices for the risk assessment process emphasize the need to thoroughly map all your assets, identify and document potential vulnerabilities as well as internal and external threats. The visibility you get is only as good as the sources of information that you are using. 

Common sources of information used as inputs in the assessment process are IT asset management platforms, incident reports and security logs, together with information collected through vulnerability assessments, pen-testing initiatives, and security rating services. All these traditional risk assessment solutions are built to discover, assess and exploit vulnerabilities in your known assets. But what about the assets of which you are unaware?

The shift to the cloud and the democratization of IT are leading to an increase in unknown risks and exposures in organizations’ network perimeter. Here are a few examples of such unknown assets:

  • New cloud environments opened by your subsidiary
  • Undocumented staging environments insecurely deployed by your dev team
  • Unmanaged legacy systems that belong to a company you acquired
  • A QA website that your supplier created and is fully accessible to any user online

None of the commonly used sources of information in your risk assessment will detect or monitor such assets. Even risk rating services, which provide some level of external visibility, will not cover all of your internet-facing assets. The data and methods used by security rating service providers to calculate your risk score are opaque, and the accuracy of asset and risk attribution is unclear.

#2: Data Collection Frequency

Security risk assessments are typically done on an annual basis or around periods during which major changes in software or hardware infrastructure are made. A lot of the information used for these annual risk assessments comes from the above-mentioned targeted IT security audits that take place more frequently but not continuously. 

The reality is that most security teams today rely on a snapshot that represents their risks at a specific point in time. When you consider the frequent changes in your internet-facing assets, such reliance on a specific moment in time is flat-out dangerous.

Your network perimeter is in constant flux. On average, somewhere between 5% and 20% of your IP addresses are fixed; the rest are ephemeral (this will vary based on the organization type and size). Here are two examples of the changes detected by Reposify’s Attack Surface Management platform for IP addresses over time. In both of these examples, you can see the frequent changes in IP ownership, security issues, and associated risk severity.


These examples demonstrate how important it is to continuously monitor your external attack surface and have an up-to-date overview of the risks to which you are exposed. Without it, unwanted exposures and unknown risks remain in the dark for very long periods of time and could have severe business implications.
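The two gaps described above (assets the inventory does not know about, and a single point-in-time snapshot hiding change) can be made concrete with a small script. This is an added example, not Reposify’s code or data model: the inventory, the two dated snapshots and the documentation-range IPs are all constructed, and the `Observation` fields are assumptions standing in for whatever an external scan records.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """One externally observed IP at a point in time (constructed schema)."""
    owner: str            # organisation the IP is attributed to
    services: frozenset   # service names seen exposed on the IP
    severity: str         # risk severity assigned at observation time

# Constructed sample data using documentation-range IPs, not real assets.
KNOWN_ASSETS = {"203.0.113.10", "203.0.113.11"}   # what the asset inventory (CMDB) lists

SNAPSHOT_DAY1 = {
    "203.0.113.10": Observation("ExampleCorp", frozenset({"https"}), "low"),
    "203.0.113.11": Observation("ExampleCorp", frozenset({"https"}), "low"),
    "198.51.100.7": Observation("ExampleCorp", frozenset({"http", "ssh"}), "medium"),  # staging box absent from CMDB
}
SNAPSHOT_DAY30 = {
    "203.0.113.10": Observation("ExampleCorp", frozenset({"https", "rdp"}), "high"),  # newly exposed service
    "203.0.113.11": Observation("OtherTenant", frozenset({"https"}), "low"),          # IP released and reassigned
    "192.0.2.55": Observation("ExampleCorp", frozenset({"http"}), "medium"),          # new ephemeral host
}

def unknown_assets(snapshot, known):
    """IPs attributed to the organisation externally that the inventory does not list."""
    return sorted(ip for ip in snapshot if ip not in known)

def diff_snapshots(old, new):
    """Changes between two dated snapshots as (ip, change, detail) tuples."""
    changes = []
    for ip in sorted(set(old) | set(new)):
        a, b = old.get(ip), new.get(ip)
        if a is None:
            changes.append((ip, "appeared", b.severity))
        elif b is None:
            changes.append((ip, "disappeared", a.severity))
        else:
            if a.owner != b.owner:
                changes.append((ip, "owner_changed", f"{a.owner}->{b.owner}"))
            added = b.services - a.services
            if added:
                changes.append((ip, "services_added", ",".join(sorted(added))))
            if a.severity != b.severity:
                changes.append((ip, "severity_changed", f"{a.severity}->{b.severity}"))
    return changes

if __name__ == "__main__":
    print("unknown on day 1:", unknown_assets(SNAPSHOT_DAY1, KNOWN_ASSETS))
    for change in diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY30):
        print(*change)
```

An annual assessment that only ran on day 1 would keep the staging box out of scope and never see the RDP exposure, the severity jump, or the IP that now belongs to someone else.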

IBM and Ponemon Institute’s 2019 Cost of a Data Breach Report shows that the mean time to identify a data breach was 206 days and the mean time to contain it was 73 days. 

If organizations had a way to stay on top of every exposure in their network perimeter, costly breaches could be significantly reduced. To truly identify and assess your organization’s cyber security risks, you need a solid ground truth which is complete, accurate and always up to date.

Here are 6 ways in which Reposify’s External Attack Surface Solution can help you transform the way you discover and monitor your cyber security risks.

#1: Cover all your network environments

Visibility of all your assets is crucial. Get complete visibility of all your exposures across on-premises and cloud environments as well as your supply chain.

#2: Never miss an important asset

Gain a complete view of all your known and unknown risks. Go beyond publicly registered IPs and domain data which relies mainly on DNS and WHOIS.

#3: Interpret the risk with the right business context

Cyber risk isn’t detached from business risk. See your security issues prioritized for your business and easily adjust the weights on the score based on your organizational priorities. 

#4: Data Freshness

We don’t just claim our data is fresh. We index the entire Internet continuously and show you exactly what information was updated and when. With continuous monitoring you’ll be able to see every change in the network in near real time so you can stay on top of exposures and ahead of attackers.

#5: Data Transparency

Understand the data behind your organization’s risk score, see how it was calculated and what assets it includes. The discovery path and attribution process for each asset is completely transparent.

#6: Leverage Actionable Insights

Not just a score. Save precious time by getting a complete asset inventory, prioritized risks and detailed remediation steps to quickly resolve the security issues identified and eliminate the risks.

Get your personalized demo to discover all your exposed assets and your security posture.


Koby Meir

Koby Meir is an expert software engineer with close to two decades of experience. Koby has a diverse and well-rounded background ranging from assembly to complex web applications written in Python. Prior to founding Reposify, Koby led various software development and devops teams at both mid-size and international corporations including Conduit, Ajilion and Elbit Systems. Koby is an alumnus of the IDF’s elite C4I Corps where he served for over four years as an embedded system developer and team leader.
