Risk management is fairly straightforward as a strategic concept but is complicated by a myriad of organizationally specific requirements and complex solutions. Organizations work day in and day out to identify and address risks of all types: cybersecurity, personnel, competitive, financial, etc. CyberGRX focuses specifically on the cybersecurity risks posed to organizations by the third parties that they engage. We have found that across the globe, the newest and the most mature companies alike face significant challenges in Third-Party Cyber Risk Management (TPCRM). It is no wonder that a multitude of potential TPCRM solutions have been developed, given the rapidly increasing use of third parties and the general understanding that these third parties can introduce significant risk. These solutions include everything from traditional audits to fully automated outside-in scans. This latter option is the focus of today's post.
There is no doubt that a nearly instant, automated, outside-in scan provides some level of value to risk managers. However, it is concerning to hear that some organizations’ TPCRM programs are built on nothing more than these scans and their resulting “risk ratings”. Here are three reasons why we believe that these risk ratings alone do not provide the data and insights required for a truly effective TPCRM program.
An outside-in scan reveals only the very tip of a much larger iceberg.
You may have heard outside-in scanning compared to assessing the fire safety of a building by looking at it from across the street. While an outside-in scan can identify vulnerabilities in an organization's externally facing services, it will only give you surface information about the overall security of a company. An outside scan can check for open ports, patch status on external IP addresses, known vulnerabilities, and the use of deprecated services, but what it cannot do is confirm that a company has an enterprise data protection program in place, that it uses strong authentication, or that it enforces input validation, for example. It is also important to remember that scans of this nature look only for known vulnerabilities. Vulnerabilities that are not yet public will not be found by these signature- and rule-based scanners. Additionally, some organizations have a very small public-facing footprint, which can skew the view of their risk posture simply because there is very little to scan.
Outside-in scans are prone to identifying false positives.
One of the common criticisms of outside-in scans is their tendency to produce large numbers of false positive "findings". This is often because the scan, using only publicly available data, cannot provide the context needed to thoroughly understand a potential risk. As an example, imagine that a scan results in a critical finding related to an unpatched web server. This information provides some modicum of value but doesn't paint the full picture. Can you make a fully informed decision based on this information alone? The scan cannot tell us whether this particular server was left unpatched intentionally with compensating controls in place, whether it was accidentally omitted from inventory and does present a risk, or something else. Nor can the scan tell you about the criticality of the data on the asset. Maybe it processes or stores mission-critical data, or maybe a compromise of that data would have little impact on the company being scanned. This problem is compounded many times over when outside-in scanning is applied at scale.
An outside-in scan isn’t necessarily even scanning your targeted organization.
How many companies host and manage their own website and associated domains? The plethora of full-service web hosting solutions on the market suggests that many organizations have found it more feasible to pay someone else to handle much of this task on their behalf. It is true that the risk posture of an organization’s internet-facing presence is ultimately their responsibility, whether or not they directly manage the environment. However, if the entirety of the risk data you have about an organization comes from an outside-in scan targeting one of that organization’s vendors, how much do you really know?
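The three limitations above (missing context on compensating controls and data criticality, assets missing from inventory, and findings that really belong to a hosting provider) can be made concrete with a small triage model. This is an added illustration, not CyberGRX code; the hostnames, severities, context records and weights are all constructed placeholders, and the context map stands in for what an inside-out assessment of the vendor would supply.

```python
# Constructed sample findings in the shape an outside-in scanner might emit.
# Hostnames, severities (1-10) and issues are hypothetical.
SCAN_FINDINGS = [
    {"host": "www.example-vendor.test", "severity": 7, "issue": "deprecated TLS 1.0 offered"},
    {"host": "vpn.example-vendor.test", "severity": 9, "issue": "unpatched web server"},
    {"host": "cdn.example-vendor.test", "severity": 9, "issue": "unpatched web server"},
    {"host": "legacy.example-vendor.test", "severity": 6, "issue": "open management port"},
]

# Context a scan cannot see; assumed to come from the vendor's own assessment.
# "legacy" is deliberately absent: the asset was never inventoried.
ASSET_CONTEXT = {
    "www.example-vendor.test": {"managed_by_vendor": True, "data_criticality": "high", "compensating_controls": False},
    "vpn.example-vendor.test": {"managed_by_vendor": True, "data_criticality": "high", "compensating_controls": True},
    "cdn.example-vendor.test": {"managed_by_vendor": False, "data_criticality": "low", "compensating_controls": False},
}

CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.2}  # hypothetical weights


def raw_rating(findings):
    """What a scan-only 'risk rating' reduces to: the worst severity observed."""
    return max(f["severity"] for f in findings)


def contextual_score(finding, ctx):
    """Scale scanner severity by data criticality; halve it when a documented
    compensating control exists (still tracked, no longer treated as critical)."""
    score = finding["severity"] * CRITICALITY_WEIGHT[ctx["data_criticality"]]
    if ctx["compensating_controls"]:
        score *= 0.5
    return round(score, 1)


def triage(findings, context_map):
    """Split findings into contextually rated vendor issues and follow-up items."""
    rated, follow_up = [], []
    for f in findings:
        ctx = context_map.get(f["host"])
        if ctx is None:
            follow_up.append((f["host"], "inventory gap: asset unknown to vendor assessment"))
        elif not ctx["managed_by_vendor"]:
            follow_up.append((f["host"], "hosted by a fourth party: confirm attribution before rating"))
        else:
            rated.append((f["host"], contextual_score(f, ctx)))
    rated.sort(key=lambda r: r[1], reverse=True)
    return {"raw_rating": raw_rating(findings),
            "contextual_rating": rated[0][1] if rated else 0.0,
            "rated": rated, "follow_up": follow_up}


if __name__ == "__main__":
    for key, value in triage(SCAN_FINDINGS, ASSET_CONTEXT).items():
        print(key, value)
```

Note that the two severity-9 findings drive the raw rating, yet neither ends up as the vendor's top contextual issue: one is mitigated by a compensating control and the other belongs to a hosting provider, while the uninventoried host surfaces as a question rather than a score.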
We believe that there is value in outside-in risk ratings data. However, an organization that is truly committed to identifying and addressing the risks associated with third parties cannot base its decisions on this information alone. Greater depth, breadth, and richness of data are needed in order to make fully informed, risk-based decisions.
DAVE STAPLETON, CISO
ERIC HALVERSON, SECURITY ENGINEER
BRI GROVES, SECURITY ANALYST