
3 Constantly Evolving Areas of Risk Your Organisation Could Be Overlooking

by Vincent Thiele Blog 10 Jun 2021

As we mentioned in our previous blog, your attack surface is a constantly evolving source of risks. This is compounded by the fact that most organisations can only see a portion of their attack surface – we believe they’re missing 30 to 50 percent.

This is partly because a scope is imposed on the discovery process, such as a defined IT infrastructure or a fixed set of IP addresses. Most discovery processes also don't go far enough. Today's attack surfaces stretch well beyond the organisation's own control and include your service providers as well. So if you use SaaS platforms, run workloads in the cloud, or keep storage buckets in Amazon S3, all of these need to be accounted for.

In this blog post, we’re going to look at three areas that can easily fall outside the scope of your discovery, and should be a source of concern for CISOs and security teams.

1. Moving to the cloud

Cloud adoption is probably the most obvious area of concern, and it is also one of the biggest challenges from a cybersecurity perspective. Turn the clock back 5-10 years and moving resources to the cloud would have been unthinkable in most sectors.

Today, everything is going to public cloud infrastructures like AWS and Azure, and that’s not just supporting services like Human Resources and Communication, but also operational systems. This shift was happening anyway as part of an overarching programme of digital transformation, but it has been accelerated by the Covid pandemic.

It is true that security in the cloud has improved markedly, and that moving to the cloud can benefit your security posture, because the provider takes over much of the security management you would otherwise have to do in-house. The caveat is that the provider secures the underlying infrastructure; the configuration of your services, your identities and your data remain your responsibility. It also makes it much harder to get a comprehensive overview of your IT landscape. It is easier to know exactly where your data is being processed when everything is in-house; in the cloud, that could be taking place anywhere.

Cloud storage is also a major concern. You don't need to look far to find reports of data leaks caused by poorly configured Amazon S3 buckets. Even when the bucket is operated by a supplier rather than by you, and so sits outside your direct control, your organisation can still be held accountable, resulting in financial or reputational damage.
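The misconfiguration behind most of those S3 leaks is a bucket policy or ACL that grants read access to everyone. The following is an added example (not code from the original post) that checks a bucket policy document and a GetBucketAcl-style response for that condition, with a constructed weak policy beside a corrected one. The bucket name `example-corp-exports`, the account ID `123456789012` and the role name are hypothetical placeholders.

```python
"""Flag S3 bucket policies and ACL grants that make a bucket world-readable.

Added example, not from the original post. All sample documents below are
constructed; the bucket name, account ID and role ARN are placeholders.
"""
import json

# Group URIs S3 uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that, granted to anyone, expose object contents or the listing.
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def _as_list(value):
    """IAM JSON allows a scalar wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json: str) -> list[str]:
    """Return the Sid (or index) of every Allow statement that lets anyone
    read the bucket or its objects. Statements carrying a Condition are
    skipped: they may still be public but need human review."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_acl_permissions(acl: dict) -> list[str]:
    """Permissions a GetBucketAcl response grants to the public groups."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


# Constructed sample: the classic "public read" misconfiguration.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-corp-exports",
                     "arn:aws:s3:::example-corp-exports/*"],
    }],
})

# Constructed sample: the corrected policy. Only one named role may read,
# and plaintext HTTP is denied for every principal.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-corp-exports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-corp-exports",
                         "arn:aws:s3:::example-corp-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample of a GetBucketAcl response with a public READ grant.
WEAK_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("weak policy  :", public_read_statements(WEAK_POLICY))
    print("fixed policy :", public_read_statements(FIXED_POLICY))
    print("weak ACL     :", public_acl_permissions(WEAK_ACL))
```

Against a live account the inputs would come from `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`; remember that the account- and bucket-level Block Public Access settings (`aws s3api get-public-access-block`) can override a public policy, so a finding here means "public unless blocked", not "confirmed exposed".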


2. Seeing the whole supply chain

With the increasing move to online and SaaS services, organisations have seen their external dependencies grow exponentially. From certificate providers to SaaS vendors, from DDoS protection services such as Cloudflare to Microsoft and Google, the list of connected third parties seems endless.

But it doesn't stop there. Fourth-party risk, the risk posed to your organisation by your suppliers' suppliers, with whom you have no contract at all, is a real and growing concern for financial services organisations.

Indeed, regulators are increasingly mandating that organisations actively monitor their entire supply chain, especially in financial services. New regulations from the Bank of England and ongoing regulation from the European Commission, such as the Digital Operational Resilience Act (DORA) for the financial sector, extend the focus of risk management to cover the external assets of all parties the organisation has relationships with, as well as any services and infrastructure that can affect the organisation's day-to-day resilience. Experience has taught us that regulations originating in the financial industry tend to find their way into other verticals as well, which gives those sectors a little longer to prepare for similar mandates.

3. Handling DevOps

The rise of (and reliance on) applications means that mitigating risk originating in DevOps teams is an important part of day-to-day risk management. The environments built for development bring their own challenges from a threat perspective. Teams of developers who are used to working with open source tools and code repositories on platforms such as GitHub, GitLab or Azure DevOps can be a source of exposure.

Mistakes happen easily in these environments: a configuration file that pushes to the wrong remote can land code, and the credentials embedded in it, in the wrong or even a public repository, and data sets can inadvertently be exposed to the public.

To get a grip on this problem, we researched publicly reachable Swagger (OpenAPI) specifications, the most widely used API description format, across 28 EU countries. Of the 13,041 APIs discovered, over half showed critical risks such as hardcoded keys, broken authentication, or a complete lack of security measures.
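Two of those risk classes, operations with no authentication requirement and credentials left in the spec, can be checked mechanically from the OpenAPI document itself. The following is an added example, not code from the original post or from the research it describes; the `SAMPLE_SPEC` is constructed for illustration and the secret patterns are a deliberately small set.

```python
"""Audit an OpenAPI 3 (Swagger) document for unauthenticated operations and
for credential-looking strings embedded in it.

Added example, not from the original post. SAMPLE_SPEC is constructed; the
AWS key in it is the documented placeholder AKIAIOSFODNN7EXAMPLE.
"""
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Shapes of key material that commonly end up in examples, descriptions and
# default values. Extend as needed; three patterns are enough to show the idea.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "api_key_in_query": re.compile(
        r"[?&](?:api_?key|token)=([^&\s\"']{16,})", re.IGNORECASE),
}


def unauthenticated_operations(spec: dict) -> list[str]:
    """Return "METHOD /path" for every operation that ends up with no
    security requirement.

    OpenAPI semantics: a per-operation `security` list overrides the
    top-level one, and an explicit `security: []` disables auth for that
    operation even when the document declares a global requirement.
    """
    global_security = spec.get("security", [])
    exposed = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary" etc. on the path item
            effective = operation.get("security", global_security)
            if not effective:
                exposed.append(f"{method.upper()} {path}")
    return sorted(exposed)


def hardcoded_secrets(spec: dict) -> list[tuple[str, str]]:
    """Walk every string in the document and return (pattern name, match)."""
    hits = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(node):
                    hits.append((name, match.group(0)))

    walk(spec)
    return hits


# Constructed sample spec: a global API-key requirement, one operation that
# switches it off, a health probe that does the same, and an export endpoint
# whose documentation leaks credentials.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"ApiKeyAuth": []}],
    "paths": {
        "/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user", "security": []},
        },
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
        "/export": {
            "get": {
                "summary": "Export to S3",
                "description": "Uses the shared key AKIAIOSFODNN7EXAMPLE for the upload.",
                "parameters": [{
                    "name": "Authorization", "in": "header",
                    "example": "Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.ZXhhbXBsZXNpZ25hdHVyZQ",
                }],
            }
        },
    },
}

if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_operations(SAMPLE_SPEC))
    for name, value in hardcoded_secrets(SAMPLE_SPEC):
        print(f"secret ({name}):", value)
```

Findings still need triage: a liveness probe with `security: []` is usually intended, whereas `POST /users` without authentication is not, and the spec only states what the API is documented to require, so the next step is to send an unauthenticated request to each flagged operation and confirm the server actually enforces what the document claims.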


A necessary evil?

These three areas are part of any large organisation's IT infrastructure. Yet they are still easily overlooked when the attack surface is being mapped and the associated risks are assessed.

Luckily, the security of these areas doesn't have to keep you awake at night, provided you include them in your processes; without them you will never get a full view of your attack surface.

To find how you can see your whole attack surface and start to regain control of your security posture, download our free white paper Tackling the Exponential Growth of the Attack Surface – Why you need to know what you have, where it is, and what it’s doing.
