5 Common Visibility Gaps Your Enterprise Security Plan Can’t Afford


October 25, 2018, Team RiskIQ

Today’s cybersecurity challenges are unlike anything we’ve seen before. Your organization’s IT infrastructures now consist of the traditional network—employee laptops, desktops, various operating software, storage platforms and servers, cloud storage—plus an entirely new attack surface made up of a myriad of assets that exist outside the firewall.

As your enterprise adapts to ever-changing IT complexity, we at RiskIQ have identified five common security gaps facing most enterprises today:

  • Third-Party Components
  • Mobile Apps
  • Domain and Subdomain Infringement
  • Frameworks
  • Shadow IT

Enterprises must be able to quickly see what’s happening on the open internet and client-facing assets, but this isn’t always easy to do (and they don’t always know where to look). How can you possibly keep up with all of the threats you’re facing and make sure to fill in the essential gaps? In this article, we’ll look at the top-five most prevalent issues your organization is facing today.

5 Enterprise Security Visibility Gaps Where Organizations Are Lacking

1. Third-Party Components (Supply Chain Attacks)

The first and most topical area we’ll examine is supply chain attacks. We’ll focus on third-party components—elements of your website that don’t belong to you and aren’t under your purview, which may be compromised upstream or left out of date: analytics code, JavaScript libraries, and plugins like e-commerce software.

Why Third-Party Components are Vulnerable and Why Organizations Lack Visibility

Third-party components can quickly become vulnerable without your organization’s knowledge for one simple reason: you’re not part of their upkeep.

For example, let’s say your e-commerce site is using a shopping platform such as Magento, which has been exploited by a Magecart hack. Magento is responsible for its own security, but if even one attempt gets through and the code becomes vulnerable or hacked, you as an organization have no control over that access point, and your site may also be compromised. There is virtually nothing you can do to guarantee that a partner’s system is up to date and secure at all times.

This is where RiskIQ comes in.

We can alert you when something (such as a plugin) is compromised so that you can address the vulnerability immediately. No available security application can entirely eliminate this risk; it is not something your firewall, antivirus or vulnerability scanners can mitigate preemptively. However, you can monitor dependencies and take action as soon as one of them becomes a danger to your organization.

How RiskIQ Discovers Compromised Third-Party Entities

At RiskIQ, we’re able to inventory and monitor all resources and subresources of your web pages.

We create this inventory by crawling the internet and storing the elements of each page, including its document object model (DOM). We then retain this historical data over time for reference. When something changes, we—and you—are instantly alerted to it.

The client-facing side of a website is entirely out of sight and out of mind for most traditional security efforts. As an example, if the existing JavaScript on your company’s site is compromised, nobody is likely to notice as long as the site’s functionality is unaffected. In reality, though nothing appears broken on the client side, the site may have been compromised for weeks.

In the event you’re using RiskIQ, you would be alerted immediately. With RiskIQ data, you can inventory your company website’s subresources, including the JavaScript and the commerce software on a site, which allows us to monitor and find changes so you can react to them in real time.
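The subresource inventory and change detection described above, as an added example that is not RiskIQ’s own code: it parses a page with the standard library, records every external script, stylesheet, iframe and image it loads plus a hash of each inline script, and diffs a later snapshot against the stored baseline. The two HTML documents and the CDN hostnames are constructed for the example.

```python
"""Inventory a page's subresources and diff them against a stored baseline."""
import hashlib
from html.parser import HTMLParser


class SubresourceParser(HTMLParser):
    """Collect external subresource URLs and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()        # (tag, url) pairs the page pulls in
        self.inline_hashes = set()   # hashes of inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.add(("script", a["src"]))
            else:                    # inline script: hash its body on close
                self._in_script, self._buf = True, []
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.external.add(("stylesheet", a["href"]))
        elif tag in ("iframe", "img") and a.get("src"):
            self.external.add((tag, a["src"]))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_script = False


def inventory(html):
    """Snapshot of one crawl: external subresources and inline-script hashes."""
    p = SubresourceParser()
    p.feed(html)
    return {"external": p.external, "inline": p.inline_hashes}


def diff_inventory(baseline, current):
    """What the latest crawl added or removed relative to the baseline snapshot."""
    return {
        "added": sorted(current["external"] - baseline["external"]),
        "removed": sorted(baseline["external"] - current["external"]),
        "inline_changed": baseline["inline"] != current["inline"],
    }


# Constructed sample pages: the second crawl gains a script from an unknown host
# and its inline configuration script no longer matches the stored hash.
BASELINE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.com/lib/analytics.js"></script>
<script>window.cfg = {shop: "v1"};</script></head><body></body></html>"""
CURRENT_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.com/lib/analytics.js"></script>
<script src="https://static.example-cdn.net/t.js"></script>
<script>window.cfg = {shop: "v1"}; document.cookie;</script></head><body></body></html>"""
```

A crawler would persist `inventory()` output per page and alert on any non-empty `added`/`removed` list or an `inline_changed` flag; an allow-list of expected hosts can then separate routine CDN updates from unexpected ones.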

2. Mobile Apps: Rogue and Fraudulent Branding in App Stores Around the World

The mobile ecosystem is another threat landscape that provides attackers direct access to brands, employees, and consumers. There are thousands of new apps going up every day spread across the entirety of the web, including hundreds of legitimate and illegitimate app stores, so it’s understandably hard for organizations to map and monitor their mobile presence.

Example: An Enterprise Security Gap in Mobile Apps

While official mobile apps can be hacked or duplicated by attackers, even brands that don’t have an official app can be targeted.

The example we’ll use to illustrate this comes from years ago in a client meeting. They sat down with us at RiskIQ and told us they didn’t have any mobile apps, and therefore didn’t need to worry about the security of their mobile presence. We explained to the client that, in reality, they did—we had found hundreds of unsanctioned apps leveraging their brand. They were shocked because they had no visibility into that aspect of their attack surface.

Many of these apps get users to think that the app is legitimate, when in fact it does nothing it purports to do and can even contain malware or adware. When a user believes that the app is associated with a particular brand, the threat actors who built those apps benefit, and the unhappy user associates their bad experience with the unlucky brand they thought they were interacting with.

How RiskIQ Addresses These Issues

We monitor Google Play, Apple App Store, and more than 150 other app stores around the world to uncover rogue mobile apps and intelligently sort legitimate apps from modified versions, unauthorized fakes, and look-alikes. We go beyond just the title and description, automatically analyzing all app content and code to discover logos, brand references, and malicious code hidden within app files. We also track app versions and correlate apps across stores for efficient management and enforcement of related incidents.

3. Domain and Subdomain Infringement: Phishing Attacks Impersonating Brands

At RiskIQ, we have found that visibility into domain and subdomain infringement is a common gap and a vital area of enterprise security. Threat actors create domains that share a nearly identical appearance to the official, legitimate one to use in their phishing campaigns.

For example, threat actors have registered a domain that is nearly identical in appearance to a bank’s. If someone mistyped the bank’s domain, they would land on a phishing page made to look exactly like the legitimate one. Because of the similarity in appearance, they wouldn’t know they had inadvertently arrived at the wrong destination.

From there, the person would enter their banking credentials to log in. The threat actors behind the site would then have the customer’s credentials on hand to do with as they please.

How RiskIQ Combats Domain Infringement

As previously mentioned, at RiskIQ, we continuously scan the Internet for fraudulent activity targeting your organization. We automatically monitor all suspicious domains and subdomains related to your brands for changes in content or behavior presented to site visitors every 48 hours, or instantly whenever a Whois or DNS change occurs on the domain between scheduled checks. These observed changes prompt users to re-review previously seen threats against which no action was previously taken, but may now warrant a different response based on changed risk level.
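A defender-side triage of newly observed domains against a brand label, as an added example that is not RiskIQ’s code: it folds common homoglyph substitutions back to the letters they imitate, then flags registrations that match the brand after folding, embed the brand label, or sit within a small edit distance of it. The brand label `examplebank` and the observed-domain feed are constructed for the example.

```python
"""Flag newly observed domains that look like a brand's domain."""

# Constructed example: the brand's registrable label and a sample feed of
# domains seen in new-registration or passive-DNS data.
BRAND_LABEL = "examplebank"
OBSERVED = [
    "examplebank.com", "exarnplebank.com", "examp1ebank-login.net",
    "examplebnak.com", "weather-report.org", "secure-examplebank.co",
    "exampleb.com",
]

# Character sequences commonly used to imitate another character.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label):
    """Fold homoglyph substitutions back to the characters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND_LABEL, max_dist=2):
    """Return why `domain` resembles the brand, or None if it does not."""
    label = domain.split(".")[0].lower()   # leftmost label, e.g. 'exarnplebank'
    folded = normalize(label)
    if folded == brand and label != brand:
        return "homoglyph"                 # same word once substitutions are undone
    if folded != brand and brand in folded:
        return "brand-embedded"            # brand plus extra tokens or hyphens
    dist = levenshtein(folded, brand)
    if 0 < dist <= max_dist:
        return "edit-distance:%d" % dist   # typo-sized difference from the brand
    return None


def triage(domains, brand=BRAND_LABEL):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    hits = {d: classify(d, brand) for d in domains}
    return {d: why for d, why in hits.items() if why}
```

The exact-match case (`examplebank.com`) is deliberately not flagged; the brand’s own registered domains belong on an allow-list checked before this triage runs.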

4. Frameworks: Out-of-Date Servers Are Susceptible to Attacks

Everything running on a server, such as Apache versions, JavaScript, or even .NET, is similar to the third-party components described above: when it is out of date or vulnerable, you’re vulnerable, too.

In terms of investigating gaps in your enterprise security plan as they relate to server frameworks, at RiskIQ we focus on both out-of-date frameworks and the typical tendency of an organization to disregard necessary and consistent software updates.

Despite your best efforts, however, even the most up-to-date framework can become vulnerable. It’s then up to your organization to update the affected framework and patch the vulnerability as quickly as possible.

How Dangerous are Out-of-Date Frameworks?

This is a good question and one that we’re occasionally asked. The quick answer is: very. Here are a few well-known names that demonstrate the risk: Heartbleed, WannaCry, Petya, and NotPetya, just to name a few. Every one of these high-profile attacks resulted in hundreds of millions in losses and was caused by unpatched servers.

Organizations should be concerned with compliance fines, financial liability, and material loss of customer confidence through theft of data or fraud, as well as the cost of regaining access to and resuming use of their data and systems, which can be held hostage by automated ransomware attacks at internet scale.

The issue, of course, is visibility. It is tough for a large organization to be 100% aware of every version on every server, and unfortunately, server misconfiguration is all too common.

There are quick options to help with this task, but many of them fall short. The challenge is being able to find the needle in the haystack and proactively identify which framework poses the most severe risk. It’s a dangerous numbers game to try to determine which of these thousands of patches are a priority and will dramatically reduce the risk to your organization.

How You Can Identify Your Risky Infrastructure

RiskIQ provides actionable visibility. We show you what you have and where, and detail the risks so that you can pass the findings to your testing team and make the necessary updates. Once you have an accurate and current picture of your digital footprint—including the frameworks and web applications running on your external assets—it is far easier to understand and execute problem-resolution techniques to ensure that your external assets remain secure. This inventory of your assets is also critical for compliance with numerous industry and government regulations.

5. Shadow IT: Assets Created by Groups Outside the Scope of the Security Team Can Be Forgotten About or Improperly Configured

Anything that is outside the awareness of your security team is referred to as “Shadow IT.” It’s an information-technology system or solution built and used by some part of an organization without specific security or IT approval. There is no real way for you to monitor it or even know about it. Marketing is a typical, well-meaning culprit in the creation of these assets, simply because new campaigns and content are continually being created and then left on the same server, often entirely forgotten.

For example, your HR team puts together a recruiting website for a specific job event or hiring initiative using a rough-and-ready CMS, so they don’t have to “bother” IT or Programming. Several months after the event they may have forgotten about the digital assets they created, but the site is still running on the company server. Over time that CMS becomes out of date and vulnerable, making it an easy target for attackers.

How RiskIQ Identifies These Assets

Our extensive digital footprint provides global visibility, meaning we can discover precisely what belongs to your organization. By layering on 10+ years’ worth of historical internet data, RiskIQ customers gain visibility into attacks ranging from the deep and dark web to the surface web, along with the analytics necessary to receive the most relevant, real-time alerts that inform and enable quick and decisive action.

These common gaps are simply ones your enterprise security plan can’t afford to ignore. We hope this article gave you useful insight into what is happening behind the scenes of your organization’s security.

What are you doing to combat threats faced by your organization? RiskIQ is a world leader in digital threat management. Contact us today to learn more about how we can fill in your enterprise security gaps and protect your assets.
