This post was originally published here by UpGuard.
Introduction
The Internet Footprint
There is much more to a company’s internet presence than just a website. Even a single website has multiple facets that operate under the surface to provide the functionality users have become accustomed to. The internet footprint for every company comprises all of their websites, registered domains, servers, IP addresses, APIs, DNS records, certificates, vendors, and other third parties– anything that is accessible from the internet. The larger the footprint, the more digital surfaces it contains, the more complex are its inner workings, and the more resources it requires to maintain. Because although having an internet presence is basically a given these days, the risk incurred by that presence is not always acknowledged.
Assessing Risk
Today, organizations often rely on third party vendors to handle part or all of their data handling, processing, and analytics. Technological infrastructure has also been outsourced into the cloud and into the hands of specialists who can perform the necessary work efficiently. To form partnerships with these vendors, assessments are performed to gauge the vendor’s cyber risk. These include questionnaires about vendor practices and technology, as well as independent external profiling of the internet footprint. For these independent assessments to be effective, they must capture the complex ecosystem required for a modern web presence.
Read now: The Buyer’s Guide to Third-Party Risk Management
More Than a Website
The user experience of a website is designed to be as transparent and simple as possible, so that people can focus on their business instead of actively working to navigate the site or figure out how it works. But from a risk perspective, the entire infrastructure supporting that website must be included in an assessment to cover the possibilities of breach, exposure, and outage.
When loading a single page, all of the following can occur behind the scenes:
- Someone types an address like www.upguard.com into their browser.
- This request is sent to a DNS server, which must translate the human friendly name into the corresponding IP address.
- The IP is returned to the client, and their system tries to make a connection to the IP over the standard web port, 80.
- If the server is properly configured, the request will be redirected to the secure web port, 443, and establish an encrypted HTTPS connection.
- The HTTPS connection is encrypted with a certificate, often issued by a third party. This certificate must be validated with the authority who issued it for the user’s browser to allow it.
- Once the page begins to load, various elements are brought in, including ads from third parties, elements hosted on other web servers, database driven content that pulls from a server internal to the company, and so on. Even though a single address is used, web content from multiple servers appears.
In this chain, we’ve relied on a DNS server, a web server, a certificate authority, a database, and third party web services. This is just for loading a single, simple webpage. Most companies have several websites, even several domains, hosting not only websites, but other internet-accessible services as well. Even when these are not being used in production, they create risk for a company by simply existing.
Remainders and Stubs
All of these pieces can function together to form a seamless user experience– but they don’t have to. Often, especially for larger organizations, some of these pieces become detached from any function: domains are registered without websites, servers can be internet-exposed but not providing web services, and each website can provide multiple APIs and points of entry, some of which may not be used at all for legitimate traffic. Even though they aren’t providing anything of value, their existence as part of the internet footprint means that they still create risk.
A registered domain that is allowed to lapse, for example, can be taken up by malicious actors and directed to a fraudulent page. The company being spoofed may not even remember it had that domain, but customers and prospects will be easily fooled by the official seeming address. Likewise, a server that has been improperly decommissioned or migrated may retain a firewall translation that makes it accessible to the internet. Because the server is not in use, it may fall behind in its monitoring, patching, and updates, making it a dangerous liability.
Fourth Party Risk
The complexity is made even greater when an organization’s vendors are included in the picture. A third party vendor likely employs several vendors of their own in their business processes. Each of these fourth parties have their own internet footprint, and their own degree of risk added to the mix. For example, a vendor may use cloud hosting for data storage, like Amazon S3, or Microsoft Azure. Although these platforms are not necessarily risky in themselves, the way a vendor uses their services might open the door to unintentional data exposure to the entire internet.
How Risk is Introduced
Exploiting the Internet Footprint
Looking at the website alone isn’t enough. Other internet services, like email, create risk for data exposure and fraud. The protections a company has against phishing attacks and other malicious email comprises an important part of the internet footprint. Mechanisms like SPF, DKIM, and DMARC analyze, validate, and route email to minimize the number of phishing attacks that reach actual people. These mechanisms can be validated through internet accessible DNS records, and companies who utilize them have a much lower chance of being compromised through the email vector.
Misconfigurations
Unlike phishing scams, some risk doesn’t require an external actor. Misconfigurations account for the majority of data exposure— sloppy operations create insecure assets, and the lack of visibility into these misconfigurations prevents them from being remediated. A webpage might be configured properly and have good encryption, but if a database port is also open to the web server, an attacker could backdoor sensitive data without even having to touch the defenses of the main website. This port would be invisible to a normal web user, but stands out like a sore thumb to someone looking to gain entry.
How UpGuard Helps
About CyberRisk
UpGuard CyberRisk performs a comprehensive risk assessment including both an external scan of the entire internet footprint and an automated questionnaire engine. Simply search for your vendors or companies you want to monitor, add them to your dashboard, and navigate a contextualized assessment of their internet footprint. For vendors, use the integrated questionnaires to automate the process of sending and organizing third party self-assessments. UpGuard CyberRisk includes comprehensive questionnaires that change dynamically as questions are answered and provide in-line risk analysis and remediation advice tailored to the answers provided. Between the external assessment, the security rating, and the questionnaires, UpGuard manages the entire vendor risk process in one place.
What UpGuard Scans
UpGuard focuses on the real world threats that lead to breach, loss, and outage. Our independent external assessment gathers information from every facet of the internet footprint, assesses it for security best practices, and aggregates it into a security ratingbetween 0-950, like a credit score. This provides high level visibility and comparison, along with the ability to expand the details and understand the specific risks involved with each vendor.
Among the data UpGuard collects are:
- Every website and domain owned by the vendor
- Email best practices for each domain
- Open ports on every internet-facing server associated with the vendor
- DNS best practices for every vendor domain
- Encryption strength and configuration
- Certificate validity and expiry
- Advertised web technology
- Company health and CEO approval
UpGuard collects this and more for millions of sites every day, and it’s available at any time. Customers have real time insight into vendor risk, as well as historical data for context and trend analysis.
Assess and Improve
Beyond just assessing the digital footprint, UpGuard helps companies and their vendors remediate outstanding issues and minimize threat vectors. Detected risks are explained in terms of the way they enable breach, exposure, or outage, and technical instructions are provided to hasten remediation efforts and eliminate vulnerabilities. UpGuard CyberRisk tracks posture over time, so trends can be examined to measure and track improvement. Companies can even take proactive steps in their own environment to help protect against the risks incurred by their vendors. Building resilient business technology is beneficial to all organizations and their customers.
Conclusion
Digital business requires the storage and transfer of sensitive information, and carries the expectation of 24/7/365 availability around the world. When data is exposed and services are interrupted by third parties, their clients face the same consequences as if it had happened on their own servers– the financial costs of PR and customer services such as identity protection; the loss of customer trust and reputational damage; and potential legal action by individuals or companies damaged by the exposure or outage. This makes vendor risk assessment a crucial business function when data handling and technological infrastructure are outsourced to third parties.
Photo:CAPEMS
