15 min reading Thu May 05 2022
Why your digital footprint matters
This article is about the digital footprint of your organization. It's about its website(s), social media sites, its online activities, its online databases, and from a risk viewpoint, it's about its online reputation.
Technically speaking, it is about understanding the exposure of controlled and uncontrolled IT and digital assets to the digital world and managing the associated cyber risks.
Chapter 1: Your digital footprint and why it matters
While a lot of companies are well protected from internal attacks, thanks to multiple layers of firewalls, anti-malware and EDR (endpoint detection and response) solutions, many haven't given much thought to their external perimeter.
Digital footprint examples include:
- sensitive data or private data stored on databases outside of your perimeter, especially payment details or medical records
- devices logging information about your business
- unsecured sites your employees might access
- social media platforms used to post online where social media credentials are managed by your marketing department and not securely as part of identity and access management
- online form(s)
- unmanaged assets such as IoT devices (fitness trackers, for example)
- any other websites or online accounts in the IT digital shadow of your organization
- dormant accounts or old accounts of former employees
- untraced connections to public Wi-Fi networks made from inside your organization
- anonymous internet users accessing information stored inside your organization or exploiting vulnerabilities
How digital footprints work
Usually, we need a perimeter firewall to protect our exposed services, plus, preferably, a web application firewall in front of our web applications. We might even have vulnerability scanning enabled on our external IP range. In this context, the question is whether you have a view of the full extent of what your company exposes to the Internet.
As companies grow, their exposure to the Internet becomes increasingly important. New websites, increased online activity, a new application, or a customer-facing web front end are launched. Or a cloud-based application could be onboarded and hosted on a different continent. Marketing departments come up with commercial ideas to attract more traffic by starting online competitions or sponsorship deals. Before you know it, you no longer have a view of what is exposed to the Internet, let alone an idea of the risks of your digital footprint.
Over time, business growth increases your digital footprint. It will consist of digital assets that you know of and digital assets that you don't know of.
Assets you know of could be your external IP range, main websites, important web applications, and email infrastructure, which are most often well managed.
IT assets you don't know of could be source code repositories, cloud-based file shares, older websites, or any other asset that for some reason has never been properly decommissioned.
Add to this the assets outside your control, such as cloud-based infrastructure or applications provided by third parties or by subsidiaries of your company. These are assets that affect your digital footprint and might pose a risk when compromised, yet they lie outside your zone of control. The list above gives some examples of how the digital footprint grows.
Furthermore, there are rogue assets such as websites launched by your Marketing or HR departments without following the due diligence processes of procurement and IT (Security). While these have been launched for the growth of the company, by not following the correct due diligence processes, your IT (Security) department might not be aware of them and the potential risks they pose to confidential information.
What is the impact of your digital footprint
As you can probably tell, your company's digital footprint will only grow over time, exposing its brand and increasing the amount of information shared. Add to that a growing number of third parties, which extends the digital footprint: this grows your business but also increases your exposure to cyber risks.
All of this might make you wonder how to have a grasp on the digital footprint and manage cyber risk to an acceptable level. In the next chapter we offer a step-by-step approach to not feeling overwhelmed with this important work.
Chapter 2: How to get a view on your digital footprint?
Well, the answer is the good old "it depends". There are different approaches to how to generate a view of your digital footprint.
This chapter includes a proposed approach, and some resources to get you started. Each step will provide new information on your digital footprint and can be used to go to the next step, or iterate back to previous steps to further expand the data. The reason why "it depends" is that over time it would be best to create your own approach and methodology for mapping your company's digital footprint.
Generally, we distinguish between active digital footprint and passive digital footprint. Put simply, the active footprint is left intentionally by users and passive footprint is left unintentionally.
Examples of an active digital footprint are social media credentials used to connect to Facebook, Twitter, social groups or blog posts. Logging into a news app or a dating site, and the images and videos we upload and share online, are the most common ways in which we create an active digital footprint for ourselves.
The passive digital footprint is digital trace data connected to a user that is left by other users or collected from activities the user performs without intent. Examples of a passive footprint include social media activity where others tag a user (including questionable images), search engine results, website visits and unsafe website visits, or online activities such as shopping apps and financial data tracing.
Step 1: List your domains
In some cases, your domains might be managed completely outside your zone of control.
In that case, you'll have to request the A or AAAA records from the third party or parties managing your domains. When you do, also request an overview of all associated IP addresses and the other DNS records: CNAME and PTR (other domains and subdomains), MX (mail servers), and NS (nameserver records, which may point to other DNS servers holding your information). Keep in mind that you might have to iterate over different nameservers to get a complete picture of your domains.
If for some reason you do not have access to your DNS, there are some simple tools that might help you, like dig, host, DNSEnum, dnsmap, and AMASS. And when you really want to find all domains, you can query the TLD (Top Level Domain) databases to find all existing domains containing your company's name, for example.
So listing your domains requires a bit of investigation and persistence in order to get a comprehensive view.
Step 2: List your subdomains
The next step is enumerating your subdomains. This is quite easy if you received a full output of your DNS. If not, but you still have a list of all your domains available, your subdomains can be enumerated with some readily available tools like AMASS, subfinder, crt.sh, massdns, and altdns. More details on these techniques can be found here. The list of subdomains will help you understand the extent of your digital footprint. It also provides a view of all your websites and applications (given that there is one active on the subdomain).
Step 3: List your IP addresses
Not everything on the Internet is linked to a (sub)domain or contains a web application. Some findings will be linked to IP addresses. Think about your email servers, VPN, or access for third parties.
When you have extracted the information from your DNS, you will also have gathered a lot of IP addresses. Go ahead and search for them in the WHOIS databases of the regional Internet registries (RIPE, APNIC, ARIN, LACNIC, or AFRINIC) to find out where in the world your IP addresses are issued.
This will allow you to determine to which IP range and owner the IP addresses belong.
Furthermore, this will give you insight into whether an address belongs to your organisation, a hosting provider, or others.
Lastly, each of your IP addresses will be part of a range of IP addresses. It's worth the effort to extend your digital footprint mapping to the rest of that range, to determine whether it contains resources belonging to your organisation or whether the range is hosted with third parties.
Step 4: Expand to your third parties
At this point, you should have a good view of which domains, subdomains, and IP addresses are hosted by your organisation and which are hosted by third parties. You want to have a mapping of these items to the relevant third parties.
Next, assign contact persons to those external companies. In case you discover something that needs to be changed or updated you immediately know who to contact. If you don't have this information it's possible that someone in your Procurement, HR, or Sales and marketing can help. Chances are they set up a website without informing the IT department.
Step 5: Enumerate your assets, list your services, and get a rough idea of the risks
Once you have the overview above, you need to go into detail. A port scanner such as Nmap will enumerate all services running on these IP addresses. It will allow you to quickly find web applications, but also whether a host is running an email server, DNS, FTP, or maybe even some unauthorized services (RDP, VNC, Telnet). Be careful to only port scan IP addresses belonging to your organisation.
Next, the EyeWitness tool can help determine which subdomains host an active website, and even take a screenshot for a quick look without having to manually type each one into your browser. This provides direct and invaluable information on what is actually hosted on that (sub)domain.
Free versions of Qualys or Tenable Nessus, or the open source tool Greenbone Vulnerability Management (previously OpenVAS), can start generating a list of known vulnerabilities on all the IP addresses, domains, and subdomains you previously researched. Using this list you can quickly start remediating outdated systems and systems with critical vulnerabilities out in the open. Keep in mind that these are exposed assets which, in case of a cyber incident, can impact your business.
Finally, using the free Qualys SSL Labs service you can generate a risk-based view of all your SSL certificates. Do they contain weak ciphers? Do they use deprecated cryptographic protocols? Will they expire soon? This information helps to get a view of your cyber risk exposure.
Step 6: Iterate
In each step described above you'll likely encounter new IP addresses, domains, or subdomains. Each time, it is recommended to iterate over the previous steps, as you might find even more information that helps you understand your cyber risk exposure.
For example, the output of your certificate checks might yield more subdomains, or the IP range of a certain asset might contain company-branded websites you didn't even find a DNS entry for.
Website spoofing is a threat to businesses. Cyber criminals create a copy of your website as a hoax, or reuse information and media from the real site so that the fake appears genuine, and then send out phishing emails in an attempt to gather information.
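The following is an added example, not code from the original article, showing Steps 1 to 6 as one iterative inventory: seed domains and subdomains are walked through DNS, CNAME/MX/NS targets are fed back into the worklist (Step 6), each IP is classified by the owner of its range (Steps 3 and 4), and only addresses in the organisation's own ranges are released to the port scanner (the Step 5 caveat). The DNS answers, IP ranges and owner names are constructed stand-ins for what dig, AMASS and RIR WHOIS lookups would return.

```python
import ipaddress
from collections import deque

# Constructed DNS answers standing in for real resolver output (dig, host,
# AMASS); the zone data below is invented for illustration only.
FAKE_DNS = {
    "example.org":             {"A": ["203.0.113.10"], "MX": ["mail.example.org"],
                                "NS": ["ns1.example.org", "ns.hosting-provider.net"]},
    "www.example.org":         {"CNAME": ["example.org"]},
    "mail.example.org":        {"A": ["203.0.113.25"]},
    "ns1.example.org":         {"A": ["203.0.113.2"]},
    "shop.example.org":        {"CNAME": ["shop.saas-vendor.com"]},
    "shop.saas-vendor.com":    {"A": ["198.51.100.40"]},
    "ns.hosting-provider.net": {"A": ["192.0.2.53"]},
    "old.example.org":         {"A": ["203.0.113.99"]},
}

# Constructed ownership table, the kind of answer a WHOIS query at a
# regional registry (RIPE, ARIN, ...) gives for an IP range.
RANGE_OWNERS = {"203.0.113.0/24": "example-org",
                "198.51.100.0/24": "saas-vendor",
                "192.0.2.0/24": "hosting-provider"}

def resolve(name, rtype, dns=FAKE_DNS):
    """Look up one record type for a name in the constructed zone data."""
    return dns.get(name, {}).get(rtype, [])

def range_owner(ip):
    """Step 3: map an address to the owner of the range containing it."""
    for cidr, owner in RANGE_OWNERS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return owner
    return "unknown"

def map_footprint(seed_names, our_name="example-org", dns=FAKE_DNS):
    """Steps 1, 2 and 6: walk DNS from the seed (sub)domains, queue every
    CNAME/MX/NS target found, and return {ip: {hosts, owner, controlled}}."""
    queue, seen, inventory = deque(seed_names), set(), {}
    while queue:
        host = queue.popleft()
        if host in seen:
            continue
        seen.add(host)
        for rtype in ("CNAME", "MX", "NS"):
            queue.extend(resolve(host, rtype, dns))   # iterate on new names
        for ip in resolve(host, "A", dns) + resolve(host, "AAAA", dns):
            owner = range_owner(ip)
            entry = inventory.setdefault(ip, {"hosts": set(), "owner": owner,
                                              "controlled": owner == our_name})
            entry["hosts"].add(host)
    return inventory

def scan_scope(inventory):
    """Step 5 caveat: only addresses in our own ranges go to the port scanner."""
    return sorted((ip for ip, e in inventory.items() if e["controlled"]),
                  key=ipaddress.ip_address)

def third_party_map(inventory):
    """Step 4: which external owner hosts which of our discovered names."""
    result = {}
    for entry in inventory.values():
        if not entry["controlled"]:
            result.setdefault(entry["owner"], set()).update(entry["hosts"])
    return result
```

Running map_footprint on the seed list from Steps 1 and 2 surfaces the hosting provider's nameserver and the SaaS vendor's shop host, neither of which appears in the seed list, which is exactly the information Step 4 needs before anyone is contacted or scanned.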
By now you might think that it's probably easier said than done. It can take quite some effort and a collection of tools to generate an overview of your digital footprint. However, it can be truly worthwhile as it can uncover issues you didn't know about. Websites you thought no longer existed, domains assigned to IP addresses owned by other parties, or even a list of vulnerabilities exposing you to some potential intruders you'd rather keep out.
On this note, in the next chapter we will address the potential impact of the supply chain of vendors and third parties on the digital footprint of a company. It is important to take a close look at the different types of impact in order to understand how to start mitigating risks, and limit risk exposure.
Chapter 3: The impact of your supply chain on your digital footprint
The assets that make up your digital footprint like the server on which your website runs, or your email infrastructure, might not be hosted on your premises but somewhere in the cloud. Often this means that the management of that system is out of your zone of control.
So if you find a vulnerability in this system an internal process triggers the communication and remediation process with the cloud supplier. The same goes for the web application running on top of that system. Chances are it's not developed internally but by an external party, and probably by a different supplier than the cloud company. You'll need to start another communication process with that third party as well.
A likely scenario is the following: a scan of our company's digital footprint finds a number of exposed assets, one of which is a web application developed by an external supplier and hosted on a system managed by yet another external supplier. In a digital supply chain, while our digital footprint is attributed to our company, in practice it consists of bits and pieces spread over different suppliers and even different geographic locations.
So having a full view of the exposure of our digital footprint means taking into account not only the exposure of our own systems and applications, but also of those of our suppliers, located outside of our direct zone of control.
The next question is how far does this exposure go? Is our web application located in a single or multi-tenant environment? If the acquisition of the system and contract negotiation went through the normal approved processes chances are you already have this information.
However, it's also possible that another department ordered another web application which is hosted outside of normal processes. Also, was the supplier chosen from a list of pre-approved suppliers? Or did they (randomly) pick their own supplier? If this is the case, how can we make sure that this supplier practices sound security principles? We are interested if they perform secure coding, regular security tests on their code and systems, manage our company's data securely, or if they have a business continuity plan in case there's an impact on the availability of our assets.
The good news is that measuring the exposure and the risks of assets in our zone of control is simple. We can run active vulnerability scans, execute penetration tests, check the configuration and remediate. However, it is a different story with external suppliers. The due diligence involved should provide you with enough assurance that your company is in good hands.
Questions such as who can perform a vulnerability scan or a penetration test are sometimes not easy to answer. That is why in the next chapter we will take the bull by the horns and share an approach to gaining better control over the relationship with external suppliers. At the end of the day, it is key that we manage risk to an acceptable level for our company and have security assurance.
Chapter 4: A view on the security and risk exposure of your digital footprint
As a reminder your digital footprint is a collection of assets in your own zone of control (i.e. developed and hosted within your company) or outside of your zone of control (i.e. developed and/or hosted outside your company). Managing the risks, such as a data breach, and the exposure of either a controlled or an uncontrolled asset is completely different.
A tried and true formula to protect your digital footprint is to have good data hygiene, run vulnerability scans, security assessments, and periodically review configuration. Other manual (or semi-automated) activities can provide an elaborate and technical view of your asset's risks.
While these activities provide you with a wealth of information there are a couple of drawbacks to it.
● The outcome of these assessments is usually of a highly technical nature. While this is great for determining exactly what needs to be rectified and where, it requires some interpretation to translate it into a higher-level risk metric.
● At the same time, assets under assessment are susceptible to availability issues. While vulnerability scanners nowadays have a very low risk of impacting the availability of your assets, they are still not perfect. This is even more true for ethical hacks or penetration tests, where it is highly recommended to execute them in a testing environment instead of the production environment (but then, is the testing environment an exact copy of the production environment?).
● While an automated vulnerability scan can be run relatively cheaply, a manual security assessment or penetration test can be quite costly depending on the scope and depth requested. These manual assessments are also very time limited and offer a "point in time" view. Both automated vulnerability scans and penetration tests are scope bound: they will only assess the scope you provide them with.
The scope is key here. If you run an automated vulnerability scan on your complete digital footprint, you need to know the exact scope of your footprint: the complete list of URLs, IP addresses, web applications, and so on. Given the cost, the scope of a security assessment or penetration test will be very limited.
● Finally, executing these types of tests is usually done only on controlled assets. Performing these on uncontrolled assets needs to be properly defined in contracts or other agreements with the party owning these assets.
Counteracting the drawbacks enumerated above can be difficult. An ideal solution would be setting up a cost-efficient, highly automated, low-impact assessment system that is capable of generating an objective metric that represents your risk exposure. At the same time, this allows you to delve into the technical details. Put simply, with a low-cost and highly automated system running every week you get the full overview of your scope and an initial risk metric to help you determine where to spend your costly penetration test resources.
In this case, the assessment you set up should be able to provide you with this metric for both controlled, as well as uncontrolled assets (i.e. those linked to your company, yet owned by a supplier or third party).
To conclude, the approach above together with the right tool can help start the risk exposure discussion with not only your internal IT (Security & Risk) department but also with your third parties. It's common that these discussions lead to the execution of manual security assessments or penetration tests on your uncontrolled assets.
The four chapters introduced the digital footprint and why it matters, then how to get a view of your digital footprint, followed by the impact of your supply chain on your digital footprint. Lastly, the chapter on the security and risk exposure of your digital footprint shared a strategy for bringing it all together.
This is the story of the digital footprint. Hopefully, it provided you with a better understanding of how to view the exposure of controlled and/or uncontrolled assets and how to start managing the associated cyber risks.
If this story speaks to you, don't hesitate to get in touch with us [email protected]