Frequently Asked Questions
1. What is the Cyber Exposure Index (CEI)?
Cyber Intelligence House’s Cyber Exposure Index (CEI) looks at the amount of cyber exposure within a group of organisations in a market. CEI looks at three variables relevant to all organisations:
1. Disclosure of sensitive information;
2. Exposed credentials;
3. Hacker group targeting towards the organisation.
1.1. What is disclosure of sensitive information?
Sensitive information is information that should be protected from unauthorised access. It is called sensitive because its disclosure could be harmful. Examples of different types of sensitive information are: confidential messages, business secrets such as internal source code, or classified government data. The disclosure of sensitive information can result in reputational damage, identity theft, regulatory fines, and both civil and criminal penalties under state statutes.
1.2. What are exposed credentials?
Exposed credentials are usernames, passwords (and the combinations of these), tokens or other identifiers that enable access to restricted systems. Exposed credentials are the most popular route by which hackers gain access to a system through password reuse attacks. This information can come from breached systems or information leaks, the content of which might be made available for free or for sale. In many countries, the law requires organisations to notify individuals whose credentials have been breached.
1.3. What is hacker group targeting?
Hacker groups such as Anonymous are loosely associated international networks of activists and ‘hacktivists’. They organise attack campaigns that begin with a published manifesto – a statement explaining the reason for the attack – followed by target lists and communications regarding how to perform the attack. When hacker groups target organisations, this indicates an intentional attempt to break into their systems or to perform ‘denial of service’ attacks that cause downtime for critical systems. Hackers also target individuals within the organisation by using target lists of interesting people and user profiles. Whether attack groups are successful or not depends on the target organisation’s security posture and the participating hacktivists’ skills and tools.
1.4. We are being targeted by hacker groups. Why should this lower our score as it is not our fault/it is beyond our control?
In fact, all variables are beyond company control, as they have happened already. What companies can do, however, is understand what drives exposure and reduce it in the future. Typically companies invest in security by making new cyber security policies, training their staff and implementing new security technologies.
1.5. What is the typical information stolen from a listed company?
Information regarding mergers and acquisitions; databases and registers; business and project plans; internal memos; credentials; personal credit card numbers. Most of the companies affected are unaware that they have experienced a data breach before the data is sold and exploited.
2. How is CEI calculated?
The firm-specific CEI score is calculated from the number of findings and their risk types. You can read the complete description in our white paper above.
3. How should I interpret the results?
Companies are given an exposure score based on the identified risk divided by employee count over the last 12 months. A high-level view of exposure is shown for the last 18 months. The score ranges from 0 to 300+. Companies with no exposure during the past 12 months have a score of 0. Companies with a score of 300+ represent the top 10% most exposed companies.
300+
Score: Extreme Exposure. Typically the organisation has already been breached at this level.
Risk: Compliance, reputation & operative
Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Start incident response procedures and perform follow-ups. Immediately notify data protection and compliance officers and prepare for crisis communications.
200-300
Score: Very High Exposure. Typically the organisation has either been breached, or hacker groups are actively targeting it.
Risk: Compliance, reputation & operative
Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Immediately notify data protection and compliance officers and prepare for crisis communications.
100-200
Score: High Exposure. Typically the organisation has a large amount of exposed clients, accounts and data at this level.
Risk: Compliance & operative (emerging risks like phishing and targeted attacks)
Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Notify data protection and compliance officers.
0-100
Score: Moderate Exposure. Typically the organisation has a moderate amount of exposed clients, accounts and data at this level.
Risk: Compliance & operative
Recommendation: Conduct exposure assessment to discover the exposure’s content and impact. Immediately notify data protection and compliance officers.
0
Score: Low Exposure. Typically the organisation has no automatically identified exposure risks. Some organisations still discover exposure by using a wider range of search criteria.
Risk: Compliance
Recommendation: Conduct an exposure assessment if there are unidentified events matching the given domain names. We advise monitoring the organisation’s cyber exposure as well as personal accounts. We provide a free tool, Hacker for Business, for this purpose.
4. Where is the data for the CEI calculation collected from?
The Cyber Exposure Index is based on data collected from publicly available sources in the dark web and deep web and from data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against a company are identified. We automatically identify the types of data being exposed and verify their validity before the results end up in the CEI.
4.1. What is the dark web?
Publicly available search engines such as Google only cover a limited portion of the Internet. This is the visible part that we call the surface web. Where the surface web ends, the deep web begins. This is everything you can potentially access with your browser that is not indexed by search engines. This could be your e-mail accounts, intranet, leak platforms, some discussion forums, private blogs and so forth. The dark web refers to technologies that make browsing sessions more private – technically, ‘anonymous’. These technologies include TOR and I2P, among others. In TOR, for example, there are seven layers of encryption before a data packet reaches the desired host. As a result, no one is able to identify who is browsing the dark web, where their traffic originates from, or where the servers that the person is using are located.
4.2. What is the deep web?
The deep web, sometimes called the invisible web, is the large part of the Internet that is inaccessible to conventional search engines. Deep web content includes email messages, chat messages, private content on social media sites, electronic bank statements, electronic health records and other content that is accessible over the Internet but is not crawled and indexed by search engines.
4.3. What is the relationship between the Cyber Exposure Index and Cyber Intelligence House?
CEI is an independent research project that compares three areas of exposure: disclosure of sensitive information, exposed credentials and hacker group targeting. CEI results are based on data collected by Cyber Intelligence House. CIH’s services go beyond this scope and also include other areas of exposure, such as internal data breaches, external data breaches, black market activity, financial information and personally identifiable information (PII).
5. What data is used to calculate CEI for my company?
The Cyber Exposure Index is based on data collected from publicly available sources in the dark web, deep web and data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against a company are identified. We also use publicly available data such as company employee count, benchmark industry and primary domain names as parameters for calculating the score.
6. Will CEI publish any sensitive, leaked information about my company?
No, we only publish summary data. Only the CEI is published, which represents the amount of cyber exposure by a certain organisation, industry or country. The information used in the CEI calculation is collected from publicly available sources in the dark web, deep web and data breaches.
7. How can I get details of the leaked information about my company?
Typically companies use outsourced exposure monitoring services or employ dedicated teams for this purpose.
8. How long has CEI been in place?
The first CEI was published in September 2017. The first version of the CEI was based on findings during the previous 12 months.
9. How often is CEI published?
CEI is updated regularly, four times a year.
10. Which companies are included in CEI?
The Cyber Exposure Index is a comparable rating given to all listed companies in certain countries.
11. My company is not listed. Can I still get a score?
CEI is automatically calculated for listed companies, but all companies can get details about their cyber exposure. See Question 7 ‘How can I get details of the leaked information about my company?’
12. Is CEI internationally comparable?
Yes. The methodology is uniform across all countries. CEI is a new instrument for measuring cyber exposure and for comparing its volume and severity between companies, industries and countries.
13. How can companies enhance their CEI? What are companies doing right to get a low score? What do companies need to change to avoid high scores?
The methodology in CEI is uniform across all countries. CEI is a new instrument for measuring cyber exposure and for comparing its volume and severity between companies, industries and countries. Typically companies invest in security by making new cyber security policies, training their staff and implementing new security technologies.
14. Can you tell us how your index is a first in the industry?
For the first time in history, cyber exposure has been explicitly defined and a comparable model has been developed. This model allows comparison of companies worldwide, apples to apples, in an independent way.