As we mentioned in our previous blog, your attack surface is a constantly evolving source of risks. This is compounded by the fact that most financial services companies can only see a portion of their attack surface – we believe they’re missing 30 to 50 percent.
This is partly because a scope is imposed on the discovery process – such as a defined IT infrastructure or a set of IP addresses. In addition, most discovery processes don’t go far enough. Today’s attack surfaces stretch way beyond the organisation’s own control and include your service providers as well. So, if you use SaaS platforms and solutions, or the cloud, or run your buckets in Amazon – all these things need to be accounted for.
In this blog post, we’re going to look at three areas that can easily fall outside the scope of your discovery, and should be a source of concern for CISOs and security teams.
Cloud adoption is probably the most obvious area of concern, and it’s also one of the biggest challenges from a cybersecurity perspective. Turn the clock back 5-10 years, and moving resources to the cloud would have been unthinkable in the financial services sector.
Today, everything is going to public cloud infrastructures like AWS and Azure, and that’s not just supporting services like Human Resources and Communication, but also operational systems. This shift was happening anyway as part of an overarching programme of digital transformation, but it has been accelerated by the Covid pandemic.
It is true that security in the cloud has improved markedly and that bringing things to the cloud can actually benefit your security posture, as you can outsource security management of your own in-house systems. Still, it does make it much harder to get a comprehensive overview of your IT landscape. It's easier to know exactly where your data is being processed if you have everything in-house. In the cloud, that could be taking place anywhere.
Cloud storage is also a major concern. For example, you don’t need to look far to see reports of data leaks due to poorly configured Amazon S3 buckets. Even though such a data leak is out of your direct control, your organisation can still be held accountable, resulting in financial or reputational damage.
2. Seeing the whole supply chain
With the increasing move to online and SaaS services, organisations have seen their external dependencies grow exponentially. From certificate providers to SaaS providers, from DDoS protection to CloudFlare, from Microsoft to Google, the list of connected third parties seems endless.
But it doesn’t stop there. Fourth-party uncontracted risk is a real and growing concern for financial services organisations. In other words: the risk posed to your organisation, by your suppliers’ suppliers.
Indeed, regulations are increasingly mandating financial services organisations to actively monitor their entire supply chain. New regulations from the Bank of England and ongoing regulations from the European Commission, such as the Digital Operational Resilience of the financial sector (DORA), extend the focus of risk management to cover the external assets of all parties the organisation has relationships with, as well as any services and infrastructure that can impact the organisation’s day-to-day resilience.
3. Handling DevOps
The rise of (and reliance on) apps within the financial services sector means mitigating risk from the DevOps teams is an important part of day-to-day risk management. The environments built for development bring unique challenges from a threat perspective. Teams of developers who are used to working with open source tools and code repositories through platforms such as GitHub, GitLab, or Azure DevOps can be a source of potential vulnerability.
Mistakes can easily happen in these environments – code can get transferred to the wrong place as part of a configuration file that pushes in the wrong direction, or data sets can inadvertently be exposed to the public.
To get a grip on this problem, we researched Swagger APIs (the most commonly used platform) throughout 28 EU countries. Out of the 13,041 discovered APIs, over half of them showed (critical) risks such as hardcoded keys, broken authentication, or a complete lack of security measures.
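A static check for the kinds of risk named above, written as an added example (not the tooling used in the research and not code from this blog): it audits a Swagger 2.0 or OpenAPI 3 document for a missing security scheme, operations that allow anonymous access, and credential-named parameters that ship a default or example value. The sample document, the finding labels and the credential-name pattern are constructed assumptions.

```python
import json
import re

# Constructed sample Swagger 2.0 document, not data from the research above.
SAMPLE_SPEC = json.loads("""{
  "swagger": "2.0",
  "securityDefinitions": {"api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}},
  "paths": {
    "/accounts": {
      "get": {"security": [{"api_key": []}],
              "parameters": [{"name": "X-API-Key", "in": "header", "type": "string",
                              "default": "EXAMPLE0123456789abcdef"}]},
      "post": {"security": []}},
    "/health": {"get": {}}}
}""")

# Assumed pattern for parameter names that normally carry a credential.
CRED_NAME = re.compile(r"api[-_]?key|token|secret|passw|authorization", re.I)
METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

def walk(node, ptr="#"):
    """Yield (JSON pointer, object) for every JSON object in the document."""
    if isinstance(node, dict):
        yield ptr, node
        for key, value in node.items():
            escaped = str(key).replace("~", "~0").replace("/", "~1")
            yield from walk(value, f"{ptr}/{escaped}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{ptr}/{i}")

def audit_spec(spec):
    """Return (finding, location) pairs; secret values are never echoed."""
    findings = []
    # Swagger 2.0: securityDefinitions; OpenAPI 3: components.securitySchemes.
    schemes = spec.get("securityDefinitions") or spec.get("components", {}).get("securitySchemes")
    if not schemes:
        findings.append(("no-security-schemes", "#"))
    for route, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in METHODS:
                # Operation-level security overrides the document-level default.
                effective = op.get("security", spec.get("security"))
                if not effective or {} in effective:  # [] or {} allows anonymous access
                    findings.append(("unauthenticated-operation", f"{method.upper()} {route}"))
    for ptr, obj in walk(spec):
        if CRED_NAME.search(str(obj.get("name", ""))):
            for field in ("default", "example"):
                if isinstance(obj.get(field), str) and obj[field]:
                    findings.append(("hardcoded-credential", f"{ptr}/{field}"))
    return findings
```

These are static indicators only: a declared security requirement says nothing about whether the running service enforces it, so findings here are a starting point for review rather than a verdict.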
A necessary evil?
These three areas are part of any (large) organisation’s IT infrastructures. Yet, they are still easily overlooked when the attack surface is being mapped and the associated risks are assessed.
Luckily, the security of these areas doesn’t have to keep you awake at night, even though you must include them in your processes if you want to get a full view of your attack surface.
To find out how you can see your whole attack surface and start to regain control of your security posture, download our free white paper Tackling the Exponential Growth of the Attack Surface – Why you need to know what you have, where it is, and what it’s doing.