When I worked as a cybersecurity consultant at one of the Big Four auditing and professional services firms, I got a front-row seat to the security challenges facing enterprises today. I learned to be skeptical of the cyber maturity of the “big guys,” or the large and well-established enterprises that are connected to the daily lives of millions. While working with clients of all sizes across multiple industries, I realized very few organizations have even a decent grip on their actual cybersecurity posture.
This is not to discredit the efforts of the cyber teams I worked with. I met some exceptionally motivated and gifted cybersecurity experts, both on my internal team and client teams. But even the most skilled security professionals will be limited by their tools and the data available to them.
Based on the work with those clients, I saw three large challenges confronting enterprises trying to reduce their network attack surface and attain next-level cyber maturity:
1. No One Has an Accurate Asset Inventory
Completeness and accuracy both have to be confirmed for any critical dataset in an IT audit (the kind that supports the traditional financial audit completed by an army of accountants). In a cybersecurity assessment, however, the completeness and accuracy of something as fundamental as a master IP list are only loosely questioned and difficult to validate. Again, this is not for lack of effort on the part of internal security teams, or a failure to prioritize asset inventorying appropriately.
At my former employer, we had a relatively mature client that brought us in to inventory their internal databases containing customer information. While working on documenting their known assets in a central repository, we found many assets that were no longer being used and needed to be removed. We also found many critical assets that weren’t in any repository and weren’t being tracked at all.
At this organization and others I worked with, I saw how incredibly difficult it was for organizations to manage their master IP lists unless they made a significant investment of limited resources that usually needed to go to top security initiatives.
2. No One Has a Firm Grasp of Asset Ownership
Without a designated asset owner, there’s no one to point to when vulnerabilities need to be managed. This is a disappointingly common problem for most organizations.
Employees will do things like spin up infrastructure for a temporary project and forget to take it down, and then move on to a new role or leave the company without transitioning ownership.
One of my clients, a large public utility, was incredibly robust when it came to compliance, and probably one of my two most mature clients from a security standpoint. But even they struggled to identify asset owners.
Without a clear, designated owner, potential owners would often try to shrug off any responsibility — perceived or real — with “owning” an asset, and point to someone else to manage the issue. This left us running in circles trying to pin down who actually used the asset and had the responsibility to manage its security.
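As an added example (not code from this post or from Expanse), here is a small reconciliation of a declared master IP list against assets actually observed, covering the completeness and accuracy checks from challenge 1 and the missing-owner check from challenge 2; all addresses are constructed RFC 5737 documentation ranges and every name is hypothetical.

```python
"""Reconcile a declared master IP list against observed assets (added example).

Completeness: every observed address is explained by an inventory entry.
Accuracy:     every inventory entry is still backed by something observed.
Ownership:    every inventory entry names a responsible owner.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed master IP list: a CIDR block or single address plus a claimed owner.
INVENTORY = [
    {"asset": "192.0.2.0/28",  "owner": "web-platform"},
    {"asset": "192.0.2.40",    "owner": ""},            # no owner recorded
    {"asset": "198.51.100.10", "owner": "finance-db"},  # possibly decommissioned
]

# Constructed observation set, e.g. from external discovery or a scan log.
OBSERVED = ["192.0.2.3", "192.0.2.9", "192.0.2.40", "203.0.113.77"]


@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)  # observed but not inventoried
    stale: list = field(default_factory=list)    # inventoried but never observed
    unowned: list = field(default_factory=list)  # inventoried with no owner
    completeness: float = 0.0                    # share of observed IPs explained
    accuracy: float = 0.0                        # share of inventory still live


def _covers(entry, ip):
    # strict=False so "192.0.2.40" and "192.0.2.0/28" are both accepted.
    return ip in ipaddress.ip_network(entry["asset"], strict=False)


def reconcile(inventory, observed):
    result = Reconciliation()
    seen = set()  # inventory entries that explained at least one observed IP
    for raw in observed:
        ip = ipaddress.ip_address(raw)
        matches = [e["asset"] for e in inventory if _covers(e, ip)]
        if not matches:
            result.unknown.append(raw)
        seen.update(matches)
    for e in inventory:
        if e["asset"] not in seen:
            result.stale.append(e["asset"])
        if not e["owner"].strip():
            result.unowned.append(e["asset"])
    result.completeness = 1 - len(result.unknown) / len(observed) if observed else 1.0
    result.accuracy = len(seen) / len(inventory) if inventory else 1.0
    return result
```

Each "unknown" hit is an asset nobody is managing, and each "unowned" entry is one that will be argued over when a vulnerability needs fixing.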
3. Exposures Are Left Open On the Public Internet
An open port is a vulnerable port, and we can’t protect what we don’t know about. Unknown network openings can be a fast track to valuable data for a skilled adversary, or an easy way for an unskilled one to create chaos.
Even an attacker that has no idea what they’re actually doing can cause chaos and create significant business interruptions for the business they’ve infiltrated. While pentesting a high-traffic transit center with a team of experienced pentesters, we accidentally knocked over their entire CCTV system with a lightweight port scan, killing video cameras across a significant portion of the installation. When this happened, the somewhat spooked CISO came to us and asked if we had been attacking that segment of the network, expecting us to say we were attempting some sort of invasive exploit.
Unfortunately, the CCTV software was just extremely fragile, and couldn’t handle this network discovery method. Anyone testing a network (authorized or not) will be performing lightweight scanning like this. It’s one of the first steps you take when you’re looking for potential vulnerabilities in a network. Were an attacker to infiltrate the network and knock these systems offline, it would probably create a significant diversion for larger attacks happening elsewhere in the network.
Attackers find their way into seemingly secure networks all the time using openings on forgotten assets, and the consequences can be dire, whether an attacker is sophisticated or an absolute script kiddie.
As a consultant, I would have had far more peace of mind if my clients had been using Expanse Expander. The IP audit that is part of our enterprise customer engagements offers tremendous value not only from the perspective of a pentester but also for an assessor. When working to identify whether clients were compliant with a given security framework or regulation, knowing they had a third party looking at their network from the outside in, and that they could provide proof of consistent asset monitoring, would have made it significantly easier for my teams to draw an accurate picture of the client’s cyber maturity.
Given the level of weight carried by our sign-off on the compliance of a client, our due diligence efforts were often extremely labor-intensive and expensive for the client. If we had had a trusted view of the complete attack surface for our client and confidence their assets were being appropriately monitored, we would have been able to apply our stamp of approval and move on to the unique problems our clients needed our help with the most.