Whitepaper: How cyber exposure works

In a digitalised business landscape, data has become the currency and driver of every business. This shift brings new risks and threats that need to be remediated. The Kinkayo Cyber Exposure Index is the first step in that remediation and mitigation process: it identifies existing threats and makes them transparent.

The Cyber Exposure Index is based on data collected from publicly available sources on the dark web and deep web, and from data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against a company are identified. Companies are ranked by the number of findings and the risk those findings represent.

Cyber Exposure Index variables

Sensitive disclosure
Sensitive information is typically regulated by laws and policies and should never be stored on a local hard drive or portable device, or sent by email, without proper authorisation. Typical sensitive information includes internal emails, discussions and confidential matters such as business plans, company valuations and trade secrets. Its disclosure can result in identity theft, regulatory fines, and civil as well as criminal penalties under applicable data-protection and privacy statutes.

Exposed credentials
Exposed credentials are usernames, passwords (and combinations of the two), tokens or other identifiers that enable access to restricted systems. They are among the most common ways attackers gain access to a system, because people reuse passwords across services: a password leaked from one site is tried against others (credential stuffing). This information comes from breached systems or information leaks, and may be available for free or for sale. In many countries, the law requires organisations to notify individuals whose credentials have been breached.

Hacker group targeting
Hacker groups such as Anonymous are loosely associated international networks of activists and hacktivists. They organise attack campaigns that begin with a published manifesto, a statement explaining the reason for the attack, followed by target lists and communications about how to carry out the attack. When a hacker group targets an organisation, this indicates an intentional attempt to break into its systems or to perform denial-of-service attacks that cause downtime for critical systems. Whether such groups succeed depends on the target organisation's security posture and the participating hacktivists' skills and tools.

Risk classification

Risk is calculated from several variables: identified clear-text passwords, hashed passwords, phishing target lists, hacker group target lists, source code, email messages and internal documents.

Clear-text (human-readable) passwords are considered high-risk, as at least 43% of people reuse their password as is, so a leaked password is very likely to work elsewhere.

Hashed passwords are considered medium-risk, as they cannot be used directly. However, breaches of hashed passwords have occurred, and so far most published hashes have been cracked. How quickly depends on the algorithm: unsalted fast hashes such as MD5 or SHA-1 fall to wordlist attacks almost immediately, while salted, slow hashes such as bcrypt resist bulk cracking far longer, so a hashed finding should be re-evaluated once the hash type is known.

Individuals on a target list are considered low-risk. Such a list translates to an increased risk of phishing attacks, but the finding alone says nothing about whether those attacks succeed, only that an attempt is planned.

A company on a target list is considered medium-risk, as this leads with almost complete certainty to web application attacks and DDoS attacks. However, the success rate of these attacks has been lower than the targeting rate would suggest.

Sensitive disclosure concerns internal documents, emails and source code. It can result not only from hacking but also from the actions of rogue employees or stakeholders. The risk is medium-level: the disclosure has already happened, but its impact varies case by case.
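The following Python script, added here as an illustration and not part of Kinkayo's own tooling, applies the risk levels above to a constructed set of findings. It adds one assumption that the text does not state: a hashed password that a short wordlist attack recovers is treated as clear text (high risk), since an attacker can use it directly. The wordlist, the sample records and the finding kinds are all constructed for the example.

```python
"""Triage of constructed exposure findings (added example, not Kinkayo's code).

Risk levels follow the whitepaper: clear-text passwords high, hashed passwords
medium, phishing target lists low, company target lists and sensitive
disclosures medium. Example assumption: an unsalted hash recovered by a
wordlist attack is upgraded to high, because it is effectively clear text.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed wordlist; a real cracker would use a large dictionary plus rules.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2017", "welcome1"]

# Hex digest length -> unsalted fast hash it most likely came from.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def crack_unsalted(digest: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the plaintext if digest is an unsalted MD5/SHA-1/SHA-256 of a wordlist entry."""
    digest = digest.lower()
    algo = HASH_BY_LEN.get(len(digest))
    if algo is None:
        return None  # unknown or salted format (e.g. bcrypt "$2b$..."), not attempted here
    for candidate in wordlist:
        if hashlib.new(algo, candidate.encode()).hexdigest() == digest:
            return candidate
    return None


@dataclass
class Finding:
    kind: str                      # cleartext_password, hashed_password, phishing_target,
                                   # company_target or sensitive_disclosure
    value: str = ""                # password, hash digest, address or document name
    cracked: Optional[str] = None  # filled in by classify() for recovered hashes


def classify(f: Finding) -> str:
    """Assign the whitepaper's risk level to a single finding."""
    if f.kind == "cleartext_password":
        return "high"
    if f.kind == "hashed_password":
        f.cracked = crack_unsalted(f.value)
        return "high" if f.cracked else "medium"  # upgrade is this example's assumption
    if f.kind == "phishing_target":
        return "low"
    if f.kind in ("company_target", "sensitive_disclosure"):
        return "medium"
    raise ValueError(f"unknown finding kind: {f.kind}")


def triage(findings) -> dict:
    """Return {risk_level: count} for a list of findings."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[classify(f)] += 1
    return counts


# Constructed sample leak: one clear-text record, two unsalted hashes of weak
# passwords, one bcrypt-shaped hash, one phishing list entry and one company target.
SAMPLE = [
    Finding("cleartext_password", "Summer2017"),
    Finding("hashed_password", hashlib.md5(b"123456").hexdigest()),
    Finding("hashed_password", hashlib.sha1(b"qwerty").hexdigest()),
    Finding("hashed_password", "$2b$12$" + "x" * 53),  # not a fast hash, left as medium
    Finding("phishing_target", "cfo@example.com"),
    Finding("company_target", "example.com"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'high': 3, 'medium': 2, 'low': 1}
```

The bcrypt-shaped record stays at medium only because this example does not attempt slow hashes; in practice an analyst would still check it against the leak's known weak passwords before closing the finding.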

How companies are ranked in this index

Company ranking is relative to a global population drawn from 11 stock exchanges worldwide and the Fortune 500. Each company receives an exposure score based on its findings and the risk they represent. Scores are then placed into five categories according to where they fall in the distribution of all scores; companies with no findings form a sixth category, 0.

Category 5: Companies in this category are in the top 1% of companies by exposure.

Category 4: Companies in this category are in the top 25% by exposure but not in the top 1% (the next 24%).

Category 3: Companies in this category have above-median exposure but are not in the top 25%.

Category 2: Companies in this category have below-median exposure but are not in the bottom 25%.

Category 1: Companies in this category are in the 25% of companies with the least exposure.

Category 0: Companies in this category have no visible exposure in the past 12 months.

About Research Group

The models used in the Cyber Exposure Index are developed by an independent research group.
The CEI Research Group consists of security researchers and academic professionals from industry, INSEAD, the National University of Singapore, the University of Stirling and Tampere University of Technology.
Data for the research is provided by Kinkayo, a Singapore-based cyber intelligence company.

About Kinkayo

Kinkayo makes cyber risks visible. Based in Singapore, we help organizations understand their cyber risks by discovering their current cyber exposure. Founded by seasoned professionals with over 20 years’ experience in the cybersecurity field, Kinkayo partners with Interpol in information sharing and training.


CYBER EXPOSURE INDEX Q&A

1. What is the Cyber Exposure Index (CEI)?

Kinkayo's Cyber Exposure Index (CEI) measures the amount of cyber exposure within a group of organisations in a market. CEI looks at three variables relevant to all organisations:

1) disclosure of sensitive information;

2) exposed credentials; and

3) hacker group targeting of the organisation.

1.1. What is disclosure of sensitive information?

Sensitive information is information that should be protected from unauthorised access; it is called sensitive because its disclosure could be harmful. Examples include personally identifiable information (PII), confidential messages, business secrets and classified government data. The disclosure of sensitive information can result in reputational damage, identity theft, regulatory fines and both civil and criminal penalties under applicable data-protection and privacy statutes.

1.2. What are exposed credentials?

Exposed credentials are usernames, passwords (and combinations of these), tokens or other identifiers that enable access to restricted systems. They are among the most common routes by which attackers gain access to a system, through password reuse: a password leaked from one service is tried against others (credential stuffing). This information can come from breached systems or information leaks, the content of which might be made available for free or for sale. In many countries, the law requires organisations to notify individuals whose credentials have been breached.

1.3. What is hacker group targeting?

Hacker groups such as Anonymous are loosely associated international networks of activists and 'hacktivists'. They organise attack campaigns that begin with a published manifesto, a statement explaining the reason for the attack, followed by target lists and communications regarding how to carry out the attack. When a hacker group targets an organisation, this indicates an intentional attempt to break into its systems or to perform 'denial of service' attacks that cause downtime for critical systems. Whether such groups succeed depends on the target organisation's security posture and the participating hacktivists' skills and tools.

1.4. We are being targeted by hacker groups. Why should this lower our score as it is not our fault/it is beyond our control?

In fact, all of the variables are beyond a company's control in the sense that they have already happened. What companies can do is understand what drives their exposure and reduce it in the future.

Hacker groups target companies for reasons such as perceived problems with their reputation, social responsibility or ethics.

1.5. What is the typical information stolen from a listed company?

Information regarding mergers and acquisitions; databases and registers; business and project plans; internal memos; credentials; personal credit card numbers. Most of the affected companies are unaware that they have suffered a data breach.

2. How is CEI calculated?

The firm-specific CEI score is calculated from the number of findings and their risk types. The complete description is in the white paper above.

3. How should I interpret the results?

Companies are ranked by their exposure score. Level 5 holds the top 1%, the most exposed companies; Level 4 contains the next 24% most exposed companies, and so on down the distribution. Level 0 means no exposure in the past 12 months.

0 – no exposure in the past 12 months

1 – bottom 25% of exposed companies

2 – next 25%, below the median

3 – next 25%, above the median

4 – next 24%, the top 25% excluding the top 1%

5 – top 1% most exposed
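The relative ranking described in "How companies are ranked in this index" and in this answer can be written as a short procedure. The Python below is an added example, not Kinkayo's scoring model. It assumes risk weights of high=3, medium=2, low=1 (the index does not publish its weights), that a company's percentile is the share of exposed companies with a strictly lower score, and that companies with a zero score go to category 0 and are excluded from the percentile ranking. The sample population is constructed.

```python
"""Category assignment by relative exposure (added example, not the CEI's own model)."""
from bisect import bisect_left
from typing import Dict

# Assumed risk weights; the index does not publish its weighting.
WEIGHTS = {"high": 3, "medium": 2, "low": 1}

# Category cut-offs as the fraction of exposed companies scoring strictly lower.
# Top 1% -> 5, next 24% -> 4, next 25% -> 3, next 25% -> 2, remainder -> 1.
THRESHOLDS = [(0.99, 5), (0.75, 4), (0.50, 3), (0.25, 2)]


def exposure_score(finding_counts: Dict[str, int]) -> int:
    """Risk-weighted count of findings for one company, e.g. {"high": 2, "low": 1} -> 7."""
    return sum(WEIGHTS[level] * n for level, n in finding_counts.items())


def category_for_percentile(p: float) -> int:
    """Map the share of exposed companies scoring strictly lower (0 <= p < 1) to a category."""
    for cutoff, category in THRESHOLDS:
        if p >= cutoff:
            return category
    return 1  # bottom 25%


def rank(scores: Dict[str, int]) -> Dict[str, int]:
    """Assign each company a category from 0 to 5 given its exposure score."""
    exposed = {firm: s for firm, s in scores.items() if s > 0}
    categories = {firm: 0 for firm, s in scores.items() if s == 0}  # no visible exposure
    ordered = sorted(exposed.values())
    for firm, s in exposed.items():
        below = bisect_left(ordered, s)  # exposed firms with a strictly lower score
        categories[firm] = category_for_percentile(below / len(exposed))
    return categories


def category_counts(categories: Dict[str, int]) -> Dict[int, int]:
    """How many companies landed in each category 0..5."""
    counts = {c: 0 for c in range(6)}
    for c in categories.values():
        counts[c] += 1
    return counts


def sample_population() -> Dict[str, int]:
    """Constructed population: 100 exposed firms with distinct scores plus one clean firm."""
    scores = {f"firm{i:03d}": exposure_score({"medium": i}) for i in range(1, 101)}
    scores["clean-co"] = 0
    return scores


if __name__ == "__main__":
    cats = rank(sample_population())
    print(category_counts(cats))  # {0: 1, 1: 25, 2: 25, 3: 25, 4: 24, 5: 1}
```

Tied scores share a category because the percentile counts only strictly lower scores; with 100 exposed firms the cut-offs reproduce the 1/24/25/25/25 split described above.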


4. Where is the data for the CEI calculation collected from?

The Cyber Exposure Index is based on data collected from publicly available sources on the dark web and deep web, and from data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against a company are identified.

4.1. What is the dark web?

Publicly available search engines such as Google cover only a limited portion of the Internet. This visible part is called the surface web. Where the surface web ends, the deep web begins: everything you can potentially access with your browser that is not indexed by search engines, such as your e-mail account, intranets, leak platforms, some discussion forums and private blogs. The dark web refers to content reachable only through anonymity networks, technologies that make browsing sessions private or, technically, 'anonymous'. These technologies include Tor and I2P. In Tor, for example, a connection is relayed through a circuit of three relays by default, and the client wraps each packet in one layer of encryption per relay, so that no single relay sees both who is sending the traffic and which host it is destined for. Servers hosted inside the network as onion services are reachable without revealing where they are located. Unlike the deep web, which is merely unindexed, the dark web is deliberately hidden and can be reached only with these tools.

4.2 What is the deep web?

The deep web, sometimes called the invisible web, is the large part of the Internet that conventional search engines cannot reach. Deep web content includes email messages, chat messages, private content on social media sites, electronic bank statements, electronic health records and other content that is accessible over the Internet but is not crawled and indexed by search engines.

4.3. What is the relationship between the Cyber Exposure Index and Kinkayo?

CEI is an independent research project that compares three areas of exposure: sensitive disclosure, exposed credentials and hacker group targeting. CEI results are based on data collected by Kinkayo.

Kinkayo's services go beyond this scope and also cover other areas of exposure, such as internal data breaches, external data breaches, black market activity, financial information and personally identifiable information (PII).

5. What data is used to calculate CEI for my company?

The Cyber Exposure Index is based on data collected from publicly available sources on the dark web and deep web, and from data breaches. From that data, signs of sensitive disclosure, exposed credentials and hacker group activity against your company are identified.

6. Will CEI publish any sensitive, leaked information about my company?

No. Only the index is published; it represents the amount of cyber exposure of a given organisation, industry or country.

The information used in the CEI calculation is collected from publicly available sources on the dark web and deep web, and from data breaches.

7. How can I get details of the leaked information about my company?

Typically, companies use an exposure monitoring service or have a dedicated team for this.

8. How long has CEI been in place?

The first CEI will be published in September 2017, based on findings from the previous 12 months.

9. How often is CEI published?

CEI will be published regularly, twice a year.

10. Which companies are included in CEI?

The Cyber Exposure Index is a comparable rating given to listed companies. Release schedules can be found on each country page.

11. My company is not listed. Can I still get a score?

CEI is calculated automatically for listed companies, but any company can get details about its cyber exposure. See Question 7, 'How can I get details of the leaked information about my company?'

12. Is CEI internationally comparable?

Yes. The methodology is uniform across all countries. CEI is a new instrument for measuring cyber exposure and for comparing its volume and severity between companies, industries and countries.

13. How can companies enhance their CEI? What are companies doing right to get a low score? What do companies need to change to avoid high scores?

By understanding where critical information is stored, where it is leaking from and how it is exposed. Only once this is understood can a company effectively protect itself from data breaches.

14. Can you tell us how your index is a first in the industry?

For the first time, cyber exposure has been explicitly defined and a comparable model developed around that definition. The model allows an independent, like-for-like comparison of companies worldwide.