
3 Constantly Evolving Areas of Risk Your Organisation Could Be Overlooking

by Vincent Thiele Blog 10 Jun 2021

As we mentioned in our previous blog, your attack surface is a constantly evolving source of risks. This is compounded by the fact that most organisations can only see a portion of their attack surface – we believe they’re missing 30 to 50 percent.

This is partly because a scope is imposed on the discovery process, such as a defined IT infrastructure or a set of IP addresses. Also, most discovery processes don't go far enough. Today's attack surfaces stretch way beyond the organisation's own control and include your service providers as well. So if you use SaaS platforms and solutions, use the cloud, or run your buckets in Amazon, all of these need to be accounted for.

In this blog post, we’re going to look at three areas that can easily fall outside the scope of your discovery, and should be a source of concern for CISOs and security teams.

1.   Moving to the cloud

Cloud adoption is probably the most obvious area of concern, and it's also one of the biggest challenges from a cybersecurity perspective. Turn the clock back 5-10 years, and even considering moving resources to the cloud would have been unthinkable in most sectors.

Today, everything is going to public cloud infrastructures like AWS and Azure, and that’s not just supporting services like Human Resources and Communication, but also operational systems. This shift was happening anyway as part of an overarching programme of digital transformation, but it has been accelerated by the Covid pandemic.

It is true that security in the cloud has improved markedly and that bringing things to the cloud can actually benefit your security posture, as you can outsource security management of your own in-house systems. Still, it does make it much harder to get a comprehensive overview of your IT landscape. It's easier to know exactly where your data is being processed if you have everything in-house. In the cloud, that could be taking place anywhere.

Cloud storage is also a major concern. For example, you don’t need to look far to see reports of data leaks due to poorly configured Amazon S3 buckets. Even though such a data leak is out of your direct control, your organisation can still be held accountable, resulting in financial or reputational damage.

2.   Seeing the whole supply chain

With the increasing move to online and SaaS services, organisations have seen their external dependencies grow exponentially. From certificate providers to SaaS providers, from DDoS protection to CloudFlare, from Microsoft to Google, the list of connected third parties seems endless.

But it doesn’t stop there. Fourth-party uncontracted risk is a real and growing concern for financial services organisations. In other words: the risk posed to your organisation, by your suppliers’ suppliers.

Indeed, regulations are increasingly mandating organisations to actively monitor their entire supply chain, especially for financials. New regulations from the Bank of England and ongoing regulations from the European Commission, such as the Digital Operational Resilience of the financial sector (DORA), extend the focus of risk management to cover the external assets of all parties the organisation has relationships with, as well as any services and infrastructure that can impact the organisation's day-to-day resilience. Experience has taught us that regulations originating in the financial industry are likely to find their way into other verticals as well, giving them a little longer to prepare for similar mandates.

3.   Handling DevOps

The rise of (and reliance on) apps means mitigating risk from the DevOps teams is an important part of day-to-day risk management. The environments built for development bring unique challenges from a threat perspective. Teams of developers who are used to working with open source tools and code repositories through platforms such as GitHub, GitLab, or Azure DevOps can be a source of potential vulnerability.

Mistakes can easily happen in these environments – code can get transferred to the wrong place as part of a configuration file that pushes in the wrong direction, or data sets can inadvertently be exposed to the public.

To get a grip on this problem, we researched Swagger APIs (the most commonly used platform) throughout 28 EU countries. Out of the 13,041 discovered APIs, over half of them showed (critical) risks such as hardcoded keys, broken authentication, or a complete lack of security measures.
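A self-audit for the kinds of findings named above, run against a Swagger/OpenAPI document you own. This is an added example, not the method used in the research described here; the finding names, the `audit_spec` helper and the sample spec are constructed for illustration, and the credential check is a name-based heuristic.

```python
import re

# Constructed sample spec (Swagger 2.0 shape), not taken from any real API.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "securityDefinitions": {"api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}},
    "paths": {
        "/orders": {
            "get": {"security": [{"api_key": []}]},
            "post": {},  # no security requirement at all
        },
        "/export": {"get": {
            "security": [{"api_key": []}],
            # constructed placeholder value, not a real key
            "parameters": [{"name": "X-API-Key", "in": "header",
                            "default": "EXAMPLE-KEY-0000"}],
        }},
    },
}

METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
SECRET_NAME = re.compile(r"(api[-_]?key|token|secret|password|authorization)", re.I)


def audit_spec(spec):
    """Return sorted (finding, location) tuples for a parsed Swagger/OpenAPI dict."""
    findings = []
    # Swagger 2.0 keeps schemes in securityDefinitions, OpenAPI 3 in components.
    schemes = (spec.get("securityDefinitions")
               or spec.get("components", {}).get("securitySchemes"))
    if not schemes:
        findings.append(("no-security-schemes", "spec"))
    global_sec = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue  # skip path-level keys such as "parameters"
            where = f"{method.upper()} {path}"
            # Operation-level "security" overrides the global one; [] disables it.
            sec = op.get("security", global_sec)
            if not sec:
                findings.append(("unauthenticated-operation", where))
            for p in op.get("parameters", []):
                value = p.get("default", p.get("example"))
                if value and SECRET_NAME.search(p.get("name", "")):
                    findings.append(("hardcoded-credential-value", where))
    return sorted(findings)
```

Load your own spec with `json.load` (or a YAML parser) and pass the resulting dict to `audit_spec`; an empty list means none of these three checks fired, not that the API is secure.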

A necessary evil?

These three areas are part of any (large) organisation’s IT infrastructures. Yet, they are still easily overlooked when the attack surface is being mapped and the associated risks are assessed.

Luckily, the security of these areas doesn't have to keep you awake at night, even though you must include them in your processes if you want to get a full view of your attack surface.

To find out how you can see your whole attack surface and start to regain control of your security posture, download our free white paper Tackling the Exponential Growth of the Attack Surface – Why you need to know what you have, where it is, and what it's doing.
