Kickstarting an Integrated Risk Management Program
Addressing Shadow IT, legacy and abandoned applications for a holistic risk management program.
Gartner defines integrated risk management as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
The problem here is that most firms simply do not know their unique set of risks. They do not know all the applications – especially the cloud apps adopted by staff as Shadow IT – nor the risks associated with the different apps. They are often unaware of all the unsupported legacy apps still being used, nor whether necessary patches to web-facing apps have been deployed.
The first step to implementing a risk management program must necessarily be to understand and quantify the risk. This requires a full audit of the entire infrastructure estate; which is almost impossible manually and can be very expensive if outsourced. It is particularly necessary for web applications and any application that can be accessed via the internet – but the sheer size of the unknown and unprotected estate will likely shock most heads of security.
But that’s only half the problem. Quantifying actual risks for apps you didn’t know you had is equally difficult. In-house knowledge will almost certainly be lacking. External knowledge – usually in the form of threat intelligence feeds – needs to be purchased and may not match with your precise requirements.
Effective risk management is simply not as easy as it sounds.
Where hidden risk lurks
Everybody understands the term Shadow IT. It was coined to describe the web apps adopted and used by staff without the official sanction of the IT department. And what IT doesn’t know, security cannot protect.
Gartner studies have found that shadow IT is 30 to 40 percent of IT spending in large enterprises
To put this into perspective, CIO magazine reported in 2017, “Gartner studies have found that shadow IT is 30 to 40 percent of IT spending in large enterprises, and our research at Everest Group finds it comprises 50 percent or more.” This is because Cloud apps are relatively inexpensive and are increasingly being purchased by line management from their own budget without reference to IT and its budget.
Cisco has suggested that large organizations use an average of more than 1,200 apps, with more than 98% being unsanctioned
Estimates on the size of the Shadow IT problem vary. Cisco has suggested that large organizations use an average of more than 1,200 apps, with more than 98% being unsanctioned. The threat they pose – especially for lost, stolen or inadvertently exposed sensitive data – is clear. Gartner has predicted that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
By 2020, a third of all cybersecurity attacks will be carried out on Shadow IT
Another category of Shadow IT comprises exposed public cloud corporate databases – typified by unprotected AWS S3 buckets. Where a company has an AWS account it is tempting for non-IT departments to spin up an S3 storage bucket to hold large, often sensitive databases. This happens too often, with the staff involved simply and wrongly assuming that the company account will mean it is secure.
There are dozens of such examples – for example, the voter registration database for the state of Georgia (used for this year's U.S. midterm elections) was left exposed to the internet.
An even more serious example was discovered by Chris Vickery in June 2017. He found a huge unprotected S3 repository that included details of 198 million American voters. It had apparently been left there by contractors working for the U.S. Republican party.
GrayhatWarfare was reporting that he had found 48,623 open S3 buckets
But despite the publicity surrounding such cases, the problem is not improving. In July 2018, the software engineer known GrayhatWarfare was reporting that he had found 48,623 open S3 buckets. At the time of writing this, he is reporting 48,582 open buckets containing 20 million ‘interesting’ files.
If the security department is made aware of these storage repositories it can very easily protect them.
Legacy applications also harbor unquantified risk. Legacy apps can be known to the security team, unknown and lost in the system, or even part of Shadow IT (if, for example, a departmental website adds a plug-in to its CMS that subsequently becomes legacy). The two key points to a legacy app are that it is still used by the organization, but unsupported by the developer. Without support, any newly discovered vulnerability will remain unpatched and a hidden risk introduced to the company.
Legacy applications and their problems are discussed at some length here. The questions for us in this post are how large the problem is, and whether all legacy apps are known. The answers are ‘huge’ and ‘no’.
Eighty-nine per cent of UK IT executives admitted to knowingly allowing legacy applications to continue operating
A study conducted in June 2018 by Macro 4, a division of UNICOM Global, discovered that legacy applications have a huge presence within today’s businesses. Eighty-nine per cent of UK IT executives admitted to knowingly allowing legacy applications to continue operating.
Legacy CMS plug-ins are potentially worse – for example, nearly a third of all WordPress plug-ins can be considered legacy and unsupported by their author.
Once again, security teams can risk manage these problems and mitigate the risk by, for example, migrating to an alternative non-legacy app, or moving the app into the cloud, or otherwise segmenting it away from anything critical on premise. But once again, only if they know about all the legacy apps being used.
Discovering the risk
Put very simply, a risk management approach to cybersecurity can only be successfully implemented if the security team is aware of the hidden risks within the organization’s IT infrastructure. There are several tools available that can help find the visible web-facing risks – but one of the most complete offerings is the suite of free tools available from High-Tech Bridge.
In October 2018, High-Tech Bridge used these non-intrusive free web analysis tools to examine the web exposure of 1000 of the world's largest companies (the FT U.S. 500 and the FT Europe 500). The implication is that many of the risks discovered by High-Tech Bridge will be unknown to the organizations – or they would have been fixed in a risk managed environment.
The tools used by High-Tech Bridge researchers were
The scale of what they discovered is surprising.
- 70% of FT 500 can find access to some of their websites being sold on Dark Web
- 92% of external web applications have exploitable security flaws or weaknesses
- 19% of the companies have external unprotected cloud storage
- only 2% of external web applications are properly protected with a WAF
- Every single company has some non-compliances with GDPR
each large U.S. company has an average of 85 applications is discoverable and poorly protected
But the detail is even worse than the headlines. For example, each large U.S. company has an average of 85 applications that can be easily discovered externally and are not protected by 2FA, strong authentication or other security.
“The research has clearly demonstrated that abandoned and unmaintained applications are a plague of today," comments High-Tech Bridge CEO Ilia Kolochenko. "Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.
"On the other side, cybercriminals are well organized and very proactive. As soon as a new vulnerability is discovered in a popular CMS - they instantly start its exploitation in the wild, leaving cybersecurity teams virtually with no chance. Some hacking teams and cybercrime gangs will even patch your web application just after the breach – to preclude others from getting in. Therefore, if you don’t patch your web applications – bad guys will do this for you.”
Full details of the research can be found here in the report itself. But the sheer scale of these problems leads to another: how can overworked and understaffed security teams prioritize which vulnerabilities need to be fixed with urgency, which can be left until later, and which risks can potentially be accepted?
In short, an effective risk management program must first locate the risks, and then prioritize tackling them.
Prioritizing risk in a risk management program
In October 2018, High-Tech Bridge announced its new artificial intelligence- and machine learning-augmented product, AI Discovery. It can be used to rank the potential severity of the risks discovered by the web scanning tools; and can consequently be used to develop a road map for security teams to implement effective risk management.
The web scanning tools discover the risks, while AI Discovery prioritizes them.
It rates the discovered vulnerabilities against a proprietary Big Data repository of 853,783,291 samples of web vulnerabilities, weaknesses, breaches and misconfigurations.
ImmuniWeb® AI Discovery, will provide a vulnerability priority roadmap
It provides two scores (each in the range of 0 to 99) for 'hackability' and 'attractiveness'. The Hackability Score is a rating on how easy the vulnerability can be exploited. The Attractive Score is an estimation on how attractive the application is to the average cybercrime group. Vulnerabilities and risks that return two high scores need to be prioritized. Those with lower scores can be dealt with later; and those with two very low scores may even represent a risk to be accepted.
By mapping high scores against the organization’s most important or sensitive information assets, the security team gets an effective and detailed indication on how to manage organizational data risk.
ImmuniWeb® AI Discovery could have warned Equifax that it had an unpatched Struts implementation, it could tell organizations about their exposed sensitive databases – and it might even have warned the American CISO that his HP Scanner was susceptible to WannaCry before it became infected. But it will also tell the company which should be fixed first.
Apart from the value of helping Security with the practicalities of genuine risk management, AI Discovery provides a further benefit. Used over time, it produces a valuable and accurate metric that CISOs can present to the Board as a demonstration and proof of the company's improving security posture.