Tue Apr 06 2021

How to check and maintain a view on the security and risk exposure of your digital footprint

Jimmy Pommerenke

As previously described, your digital footprint is a collection of assets that are either inside your own zone of control (i.e. developed and hosted within your company) or outside of it (i.e. developed and/or hosted outside your company). Managing the risk and exposure of a controlled asset is a very different exercise from managing those of an uncontrolled one.

A tried and true formula for measuring the risk and exposure of your assets is to run vulnerability scans, security assessments, configuration reviews, and other manual (or semi-automated) activities that go quite deep and give you an elaborate, technical view of each asset's risks. While these activities provide you with a wealth of information, they come with several drawbacks:

  1. The outcome of these assessments is usually highly technical. That is great for determining exactly what needs to be fixed and where, but it takes interpretation to translate it into a higher-level risk metric.
  2. Assets under assessment are exposed to availability issues. Vulnerability scanners nowadays carry a very low risk of impacting the availability of your assets, but it is still not zero. This is even more true of ethical hacks or penetration tests, which are therefore usually executed against a test environment instead of production (but then, is the test environment an exact copy of production?).
  3. While an automated vulnerability scan can be run relatively cheaply, a manual security assessment or penetration test can be quite costly depending on the scope and depth requested. These manual assessments are also time-boxed and offer only a "point in time" view. Both automated vulnerability scans and penetration tests are scope bound: they assess only the scope you give them.
  4. About that scope: will you run your automated vulnerability scan against your complete digital footprint? If so, you need to know exactly what that footprint is. What is the complete list of URLs, IP addresses, web applications, and so on? Given the cost, the scope of a manual security assessment or penetration test will be far more limited still.
  5. Finally, these types of tests are usually only considered for controlled assets. Performing them on uncontrolled assets requires explicit authorisation in a contract or other agreement with the party that owns them.

Counteracting the drawbacks enumerated above isn't as easy as it sounds. Ideally you set up a cost-efficient, highly automated, low-impact assessment system that generates an objective metric representing your risk exposure, but at the same time lets you drill down into the technical details. Think of it this way: with a low-cost, highly automated system running every week or so, you get a full overview of your scope and an initial risk metric that helps you decide where to spend your costly penetration test resources.
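What such a system's scoring layer might look like, as an added illustration that is not code from the original post: a constructed inventory of controlled and uncontrolled hosts, with constructed passively observable findings (certificate expiry, missing HTTPS, a dangling CNAME) attached to each. The finding types, their severity weights, the hostnames and the supplier names are all assumptions made for the example; nothing is scanned, so it runs offline. It produces the two things the paragraph asks for: a high-level metric per zone of control and a technical drill-down per asset, plus a shortlist of where a limited penetration test budget should go.

```python
"""Weekly, low-impact exposure scoring over a digital-footprint inventory.

Added illustration; the findings, hosts, owners and weights below are constructed
for the example and are not data from the post. Nothing is scanned: the inputs are
the kind of passively observable facts (certificate expiry, missing HTTPS, a CNAME
pointing at a decommissioned service) that a non-intrusive collector would gather.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed severity weights per finding type (scores are capped to a 0-10 scale).
WEIGHTS = {
    "dangling_cname": 9,     # subdomain takeover exposure
    "tls_expired": 8,
    "no_https": 6,
    "tls_expiring_30d": 3,
    "missing_hsts": 2,
}


@dataclass
class Asset:
    host: str
    owner: str              # "internal" or the supplier owning the asset
    controlled: bool        # inside your zone of control (developed/hosted by you)?
    findings: list = field(default_factory=list)


def tls_findings(not_after: date, today: date) -> list:
    """Turn a certificate's notAfter date into zero or one finding.

    Edge case handled: a certificate expiring today is still valid, so it is
    reported as 'expiring', not 'expired'."""
    if not_after < today:
        return ["tls_expired"]
    if not_after - today <= timedelta(days=30):
        return ["tls_expiring_30d"]
    return []


def asset_score(asset: Asset) -> int:
    """Objective per-asset metric: weighted sum of findings, capped at 10."""
    unknown = set(asset.findings) - set(WEIGHTS)
    if unknown:
        # Refuse to silently score an unknown finding type as zero risk.
        raise ValueError(f"unweighted finding types: {sorted(unknown)}")
    return min(10, sum(WEIGHTS[f] for f in asset.findings))


def footprint_report(assets: list) -> dict:
    """High-level metric per zone of control, plus a technical drill-down per asset."""
    report = {"drilldown": []}
    for zone, is_controlled in (("controlled", True), ("uncontrolled", False)):
        scores = [asset_score(a) for a in assets if a.controlled is is_controlled]
        report[zone] = {
            "assets": len(scores),
            "max": max(scores, default=0),
            "mean": round(sum(scores) / len(scores), 1) if scores else 0.0,
        }
    # Worst first; ties broken by hostname so the ranking is stable week over week.
    for a in sorted(assets, key=lambda x: (-asset_score(x), x.host)):
        report["drilldown"].append({
            "host": a.host,
            "score": asset_score(a),
            "owner": a.owner,
            # Controlled assets go to your own IT/security team; uncontrolled ones
            # open a discussion with the third party that owns them.
            "action": "internal remediation" if a.controlled else f"raise with {a.owner}",
            "findings": list(a.findings),
        })
    return report


def pentest_shortlist(assets: list, budget: int) -> list:
    """Where to spend scarce manual-assessment budget: the worst-scoring assets you
    may test without a separate contract, i.e. the controlled ones."""
    ranked = sorted((a for a in assets if a.controlled),
                    key=lambda x: (-asset_score(x), x.host))
    return [a.host for a in ranked[:budget]]


# Constructed inventory; TODAY is fixed so the run is reproducible.
TODAY = date(2021, 4, 6)
INVENTORY = [
    Asset("www.example.com", "internal", True,
          ["missing_hsts"] + tls_findings(date(2021, 4, 20), TODAY)),
    Asset("portal.example.com", "internal", True,
          ["missing_hsts"] + tls_findings(date(2021, 1, 1), TODAY)),
    Asset("intranet-test.example.com", "internal", True, ["no_https"]),
    Asset("shop.example.com", "payments-supplier", False, ["dangling_cname"]),
    Asset("hr.example.com", "hr-saas-vendor", False,
          tls_findings(date(2022, 1, 1), TODAY)),
]

if __name__ == "__main__":
    rep = footprint_report(INVENTORY)
    for zone in ("controlled", "uncontrolled"):
        print(zone, rep[zone])
    for row in rep["drilldown"]:
        print(f"{row['score']:>2}  {row['host']:<28} {row['action']:<30} {row['findings']}")
    print("pentest shortlist:", pentest_shortlist(INVENTORY, 2))
```

The per-zone summary is the number you put in front of management; the drill-down is what the security team works from; and the shortlist only ever names controlled assets, because an uncontrolled one first needs the contractual discussion with its owner. Replacing the constructed findings with the output of a real passive collector is the only change needed to run this against an actual inventory.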

Furthermore, the assessment you set up should provide this metric for both controlled and uncontrolled assets (i.e. those linked to your company yet owned by a supplier or third party). You then have the right tool to open that discussion not only with your internal IT (Security & Risk) department but also with your third parties about those potential external risks. It's not uncommon for these discussions to lead to manual security assessments or penetration tests on your uncontrolled assets, or to onboarding your suppliers into a more controlled vendor due diligence process that opens a two-way communication channel through which you can regularly send underperforming vendors self-assessment questionnaires. A topic I'd like to delve deeper into next week.