What is Cyber Exposure

Whitepaper: How cyber exposure works

In the digitalized world we live in, data is the new currency and driver for all businesses. This change in the business landscape presents new risks and threats to be remediated. The Cyber Exposure Index is the first step in this remediation and mitigation process: it identifies existing threats and makes them transparent.

The Cyber Exposure Index is based on data collected from publicly available sources in the dark web, deep web and data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against a company are identified. Companies are ranked based on the number of findings and the risk that the findings represent.

Cyber Exposure Index variables

1. Sensitive disclosure

Sensitive information is typically regulated by laws and policies and should never be stored on your computer’s hard drive, on a portable device, or sent via email without proper authorisation.

Typical sensitive information consists of internal emails, discussions and confidential matters, such as business plans, company valuations and trade secrets.

The disclosure of sensitive information can result in identity theft, regulatory fines and civil as well as criminal penalties under federal and state statutes.

2. Exposed credentials

Exposed credentials are usernames, passwords and their combinations, tokens or other identifiers that enable access to restricted systems. Because of password reuse attacks, exposed credentials are the most popular way for hackers to gain access to a system.

This information can come from breached systems or information leaks, the content of which might be available for free or for sale. In many countries, the law requires organisations to notify individuals whose credentials have been breached.

3. Hacker group targeting

Hacker groups such as Anonymous are loosely associated international networks of activists and hacktivists. They organise attack campaigns that begin with a published manifesto, a statement explaining the reason for the attack, followed by target lists and communications about performing the attack.

When hacker groups target organisations, this indicates an intentional attempt to break into their systems or perform denial of service attacks that cause downtime for critical systems.

Risk classification

Risk is calculated using different variables such as identified clear text passwords, hashed passwords, phishing target lists, hacker group target lists, source code, email messages and internal documents.

Clear text (human-readable) passwords are considered to be high-risk, as at least 43% of people will reuse their password as is.

Hashed passwords are considered to be medium-risk, as they cannot be used directly; however, breaches of hashed passwords have occurred, and so far, most of the hashes have been cracked after being published.

Individuals on a target list are considered to be low-risk: this translates to an increased risk of phishing attacks; however, these findings alone do not provide information about the success of those attacks, only the attempt.

Being a company on a target list is considered to be high-risk, as it will lead with almost 100% certainty to web application attacks and DDoS attacks. The success rate of these attacks varies from company to company.

Sensitive disclosure concerns internal documents and emails. It can result not only from hacking but also from the actions of rogue employees or stakeholders. The risk is medium-level, as it has already happened, but the impact varies case by case. However, any finding of source code is considered high-risk, as it accurately indicates an internal breach.

0. Company information, including industry, communication domains and employee counts, is fetched from stock exchanges.
1. The search for exposure is conducted based on company domain names. Anything that matches the domain name is considered a finding.
2. The findings are analysed by artificial intelligence algorithms to identify risks. Signs of sensitive disclosures, exposed credentials and hacker-group activity against a company are identified. Unidentified findings are not used to calculate the exposure score of a company.
3. Identified risk findings are given risk weights. Clear text passwords, attack campaigns against companies and leaked source code are considered to be high risks, encrypted passwords and sensitive disclosures are medium risks, and targeted individuals (spam, phishing) are considered low risks.
4. Companies are given an exposure score based on their identified risks divided by their employee count for the last 12 months. A high-level indication of exposure is provided for the last 18 months.
5. For more detailed information, a Cyber Exposure Report can be purchased by the general public. Company findings are available for that particular company only.

Cyber Exposure Score

Accumulated risk reflects the sum total of indicated risk (shown in the first graph) over the course of the preceding 12 months. For comparisons of different organisations, we also use a cyber exposure score that is calculated by dividing indicated risk by the number of the organisation's employees.

300+

  • Score: Extreme Exposure. Typically the organisation has already been breached at this level.
  • Risk: Compliance, reputation & operative
  • Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Start incident response procedures and perform follow-ups. Immediately notify data protection and compliance officers and prepare for crisis communications.

200-300

  • Score: Very High Exposure. Typically the organisation has either been breached, or hacker groups are actively targeting it.
  • Risk: Compliance, reputation & operative
  • Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Immediately notify data protection and compliance officers and prepare for crisis communications.

100-200

  • Score: High Exposure. Typically the organisation has a large amount of exposed clients, accounts and data at this level.
  • Risk: Compliance & operative (emerging risks like phishing and targeted attacks)
  • Recommendation: Conduct immediate asset discovery, vulnerability management and exposure assessment. Notify data protection and compliance officers.

0-100

  • Score: Moderate Exposure. Typically the organisation has a moderate amount of exposed clients, accounts and data at this level.
  • Risk: Compliance & operative
  • Recommendation: Conduct exposure assessment to discover the exposure’s content and impact. Immediately notify data protection and compliance officers.

0

  • Score: Low Exposure. Typically the organisation has no automatically identified exposure risks. Some organisations usually discover exposure by using a wider range of search criteria.
  • Risk: Compliance
  • Recommendation: Conduct exposure assessment if there are unidentified events matching the given domain names. We advise monitoring the organisation’s cyber exposure as well as personal accounts. We do provide a free tool, Hacker for Business, for this purpose.
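
The scoring procedure and bands described above can be sketched as follows. This is an added example, not the index's own code: the finding-type names, the numeric weights, the per-1,000-employee scale, the 365-day window and the inclusive lower band bounds are all assumptions, since the page states only the risk levels and the bands.

```python
from datetime import date, timedelta

# Risk level per finding type, as the page classifies them.
RISK_LEVEL = {
    "cleartext_password": "high", "company_on_target_list": "high",
    "source_code": "high", "hashed_password": "medium",
    "sensitive_disclosure": "medium", "individual_on_target_list": "low",
}
# ASSUMPTION: numeric weights and scale are hypothetical; the page gives levels only.
WEIGHT = {"high": 10, "medium": 5, "low": 1}
SCALE = 1000  # hypothetical: weighted risk per 1,000 employees

def matches_domain(identifier, domains):
    """True if an e-mail address or hostname is on a company domain or subdomain."""
    host = identifier.rsplit("@", 1)[-1].lower().rstrip(".")
    # Compare on a label boundary so notexample.com never matches example.com.
    return any(host == d or host.endswith("." + d) for d in domains)

def exposure_score(findings, domains, employees, today):
    """Weighted identified risk from the last 12 months, divided by employee count."""
    if employees <= 0:
        raise ValueError("employee count must be positive")
    cutoff = today - timedelta(days=365)
    total = 0
    for f in findings:
        level = RISK_LEVEL.get(f["type"])  # unidentified findings are not scored
        if level and cutoff <= f["seen"] <= today and matches_domain(f["id"], domains):
            total += WEIGHT[level]
    return total * SCALE / employees

def band(score):
    """Map a score to the page's bands (inclusive lower bounds are an assumption)."""
    for floor, name in ((300, "Extreme"), (200, "Very High"), (100, "High")):
        if score >= floor:
            return name + " Exposure"
    return "Moderate Exposure" if score > 0 else "Low Exposure"

# Constructed sample findings for a fictional company with 200 employees.
SAMPLE = [
    {"type": "cleartext_password", "id": "alice@example.com", "seen": date(2024, 3, 1)},
    {"type": "hashed_password", "id": "bob@mail.example.com", "seen": date(2024, 1, 15)},
    {"type": "individual_on_target_list", "id": "carol@example.com", "seen": date(2023, 12, 1)},
    {"type": "source_code", "id": "git.example.com", "seen": date(2022, 5, 1)},  # too old
    {"type": "cleartext_password", "id": "dave@notexample.com", "seen": date(2024, 2, 1)},  # other domain
    {"type": "unknown_paste", "id": "erin@example.com", "seen": date(2024, 4, 1)},  # unidentified
]

if __name__ == "__main__":
    score = exposure_score(SAMPLE, {"example.com"}, 200, date(2024, 6, 1))
    print(score, band(score))
```

Only three of the six constructed findings count: the stale, off-domain and unidentified ones are dropped before weighting, which is why suffix matching on a label boundary matters for the result.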

About Research Group

The models used in the Cyber Exposure Index are developed by an independent research group. The CEI Research group consists of security researchers and academic professionals from the industry, Singapore Management University, National University of Singapore, INSEAD and Tampere University of Technology. Data for the research is provided by Cyber Intelligence House, a Singapore-based cyber intelligence company.

About Cyber Intelligence House

Cyber Intelligence House makes cyber risks visible. Based in Singapore, we help organizations understand their cyber risks by discovering their current cyber exposure. Founded by seasoned professionals with over 20 years’ experience in the cybersecurity field, CIH partners with universities and law enforcement such as Interpol in information sharing and training.
