Whitepaper: How cyber exposure works
In the digitalized world we live in, data is the new currency and the driver for all businesses. This change in the business landscape presents new risks and threats to be remediated. The Cyber Exposure Index is the first step in this remediation and mitigation process: it identifies existing threats and makes them transparent.
The Cyber Exposure Index is based on data collected from publicly available sources in the dark web, deep web and data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against a company are identified. Companies are ranked based on the number of findings and the risk that the findings represent.
Cyber Exposure Index variables
1. Sensitive disclosure
Sensitive information is typically regulated by laws and policies and should never be stored on your computer’s hard drive, on a portable device, or sent via email without proper authorisation.
Typical sensitive information consists of internal emails, discussions and confidential matters, such as business plans, company valuations and trade secrets.
The disclosure of sensitive information can result in identity theft, regulatory fines and civil as well as criminal penalties under federal and state statutes.
2. Exposed credentials
Exposed credentials are usernames, passwords and their combinations, tokens or other identifiers that enable access to restricted systems. Exposed credentials are the most popular way by which hackers gain access to a system due to password reuse attacks.
This information can come from breached systems or information leaks, the content of which might be available for free or for sale. In many countries, the law requires organisations to notify individuals whose credentials have been breached.
3. Hacker group targeting
Hacker groups such as Anonymous are loosely associated international networks of activists and hacktivists. They organise attack campaigns that begin with a published manifesto, a statement explaining the reason for the attack, followed by target lists and communications about performing the attack.
When hacker groups target organisations, this indicates an intentional attempt to break into their systems or perform denial of service attacks that cause downtime for critical systems.
Risk is calculated using different variables such as identified clear text passwords, hashed passwords, phishing target lists, hacker group target lists, source code, email messages and internal documents.
Clear text (human-readable) passwords are considered to be high-risk, as at least 43% of people will reuse their password as is.
Hashed passwords are considered to be medium-risk, as they cannot be used directly; however, breaches of hashed passwords have occurred, and so far, most of the hashes have been cracked after being published.
Individuals appearing on a target list are considered to be low-risk: this translates to an increased risk of phishing attacks, but these findings alone do not provide information about the success of those attacks, only the attempt.
Being a company on a target list is considered to be high-risk, as it will lead with almost 100% certainty to web application attacks and DDoS attacks. The success rate of these attacks varies from company to company.
Sensitive disclosure concerns internal documents and emails. It can result not only from hacking but also from the actions of rogue employees or stakeholders. The risk is medium-level, as it has already happened, but the impact varies case by case. However, any finding of source code is considered high-risk, as it accurately indicates an internal breach.
Cyber Exposure Score
Accumulated risk reflects the sum total of indicated risk (shown in the first graph) over the course of the preceding 12 months. For comparisons of different organisations, we also use a cyber exposure score that is calculated by dividing indicated risk by the number of the organisation's employees.
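The calculation described above, sketched as an added example (not the research group's model). The tier assigned to each finding type follows the text; the numeric weights, the finding-type names, the choice to divide the 12-month total by headcount, and both sample organisations are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Risk tier per finding type, as stated in the whitepaper.
TIER = {
    "cleartext_password": "high",
    "hashed_password": "medium",
    "individual_on_target_list": "low",
    "company_on_target_list": "high",
    "internal_document": "medium",
    "email_message": "medium",
    "source_code": "high",
}

# ASSUMPTION: hypothetical weights; the whitepaper publishes no numbers.
WEIGHT = {"low": 1, "medium": 2, "high": 3}


def accumulated_risk(findings, as_of):
    """Sum the weighted findings observed in the 12 months before as_of."""
    window_start = as_of - timedelta(days=365)
    return sum(
        WEIGHT[TIER[kind]]
        for seen, kind in findings
        if window_start < seen <= as_of
    )


def exposure_score(findings, employees, as_of):
    """Risk normalised by headcount, so organisations can be compared."""
    if employees <= 0:
        raise ValueError("employee count must be positive")
    return accumulated_risk(findings, as_of) / employees


# Constructed sample data: (date seen, finding type).
AS_OF = date(2024, 6, 30)
LARGE_ORG = (
    [(date(2024, 3, 1), "hashed_password")] * 40
    + [(date(2024, 5, 10), "cleartext_password")] * 10
    + [(date(2022, 1, 15), "company_on_target_list")]  # outside the window
)
SMALL_ORG = (
    [(date(2024, 2, 1), "cleartext_password")] * 5
    + [(date(2024, 4, 20), "source_code")]
)

if __name__ == "__main__":
    for name, org, staff in (("large", LARGE_ORG, 5000), ("small", SMALL_ORG, 50)):
        print(name, accumulated_risk(org, AS_OF), exposure_score(org, staff, AS_OF))
```

The large organisation accumulates more raw risk, but the small one ends up with the higher score once headcount is taken into account.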
- Score: Extreme Exposure. Typically the organisation has already been breached at this level.
- Risk: Compliance, reputation & operative
- Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Start incident response procedures and perform follow-ups. Immediately notify data protection and compliance officers and prepare for crisis communications.
- Score: Very High Exposure. Typically the organisation has either been breached, or hacker groups are actively targeting it.
- Risk: Compliance, reputation & operative
- Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Immediately notify data protection and compliance officers and prepare for crisis communications.
- Score: High Exposure. Typically the organisation has a large amount of exposed clients, accounts and data at this level.
- Risk: Compliance & operative (emerging risks like phishing and targeted attacks)
- Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Notify data protection and compliance officers.
- Score: Moderate Exposure. Typically the organisation has a moderate amount of exposed clients, accounts and data at this level.
- Risk: Compliance & operative
- Recommendation: Conduct exposure assessment to discover the exposure’s content and impact. Immediately notify data protection and compliance officers.
- Score: Low Exposure. Typically the organisation has no automatically identified exposure risks. Some organisations usually discover exposure by using a wider range of search criteria.
- Risk: Compliance
- Recommendation: Conduct exposure assessment if there are unidentified events matching the given domain names. We advise monitoring the organisation’s cyber exposure as well as personal accounts. We do provide a free tool, Hacker for Business, for this purpose.
About Research Group
Models used in the Cyber Exposure Index are developed by an independent research group. The CEI research group consists of security researchers and academic professionals from the industry, Singapore Management University, National University of Singapore, INSEAD and Tampere University of Technology. Data for the research is provided by Cyber Intelligence House, a Singapore-based cyber intelligence company.
About Cyber Intelligence House
Cyber Intelligence House makes cyber risks visible. Based in Singapore, we help organizations understand their cyber risks by discovering their current cyber exposure. Founded by seasoned professionals with over 20 years’ experience in the cybersecurity field, CIH partners with universities and law enforcement such as Interpol in information sharing and training.