Because they are not aware of all the assets comprising their total attack surfaces, many orgs fall victim to data breaches that technically are not “breaches” of their security controls. Instead, someone in the organization, often in violation of policy, has left vulnerable data assets somewhere out in cyberspace with inadequate controls on them. This leaves cybercriminals free to discover and exploit them without even launching an attack.
To discuss the challenges of attack surface management (ASM) and innovations to improve these capabilities, David Monnier, Chief Evangelist and Fellow at Team Cymru, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.
Should the CISO be blamed?
In David’s view, the distinction about whether a specific scenario constitutes a data breach is not mere semantics. Not only could it affect how reporting laws are interpreted, but also the reputation and job performance evaluation of a CISO and/or other security leaders.
“A lot of companies that have supposedly been breached, oftentimes that’s not the case at all,” David states. “They left their data someplace where someone else had access to it without any type of controls on it. And that type of data exposure… Luckily lawyers have started to get in front of this and get people to stop saying that word.”
A classic example of a “data exposure but not a data breach” starts when a developer exports a live database of customer data to an AWS S3 bucket that has inadequate access controls. Nobody has to defeat a control; the data is simply readable by whoever finds the bucket.
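The S3 scenario is concrete enough to show what "inadequate access controls" looks like on the wire. The following is an added example, not code from the podcast, Team Cymru or Pivot Point Security: two constructed bucket policies (the bucket name and role ARN are made up) and a small offline checker that flags the pattern that turns an export into a world-readable data exposure, namely an Allow statement with an anonymous principal, an object-read action and no Condition.

```python
"""Added example (not from the original post): flag S3 bucket policy
statements that grant anonymous read access. Both policies below are
constructed for illustration; the bucket name and account/role ARN are
placeholders, not real resources."""
import json

# Constructed example of the weak setting: Principal "*" with s3:GetObject on
# every object. This is the policy a developer might paste in to "make the
# export reachable" from a notebook or a partner system.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-export/*",
    }],
})

# Constructed example of the corrected setting: same bucket, access limited
# to one IAM role in the owning account (placeholder account ID and role).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnalyticsRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-customer-export",
            "arn:aws:s3:::example-customer-export/*",
        ],
    }],
})

# Actions (lower-cased) that let a caller read object contents. Wildcards are
# listed explicitly rather than pattern-matched to keep the check auditable.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM lets Principal/Action/Resource be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two anonymous spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_read(actions):
    return any(str(a).lower() in READ_ACTIONS for a in _as_list(actions))


def find_public_read_statements(policy_json):
    """Return the Sids of Allow statements that let anyone read objects.

    Statements carrying a Condition are skipped: they may be scoped (for
    example to a VPC endpoint or CloudFront) and need a human to judge,
    so this checker reports only the unambiguous case. NotPrincipal /
    NotAction forms are not handled and would also need manual review.
    """
    policy = json.loads(policy_json)
    hits = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "Condition" in statement:
            continue
        if _is_anonymous(statement.get("Principal")) and _grants_read(
            statement.get("Action", [])
        ):
            hits.append(statement.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print("public policy:", find_public_read_statements(PUBLIC_READ_POLICY))
    print("restricted policy:", find_public_read_statements(RESTRICTED_POLICY))
```

The bucket policy is only one of several paths to public data; legacy bucket and object ACLs can grant the same access, which is why AWS's S3 Block Public Access settings (which override both) are the usual backstop. A policy checker like this is a detection aid for the inventory you already know about; it does nothing for the bucket nobody told security about, which is the gap asset discovery is meant to close.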
“I know some very bright folks who have gone through the wringer as if they were responsible for a breach that, I would argue, technically they were not,” relates David. “In actuality, it was somebody else in the company who just disregarded policy altogether… What do you do for that? How do you know to know?”
This is where Team Cymru’s asset discovery capabilities come in: you cannot put controls on a data store you do not know exists.
It’s not easy being a CISO
John agrees that “technically” these data exposures might not be breaches, although breach notification requirements would generally consider them to be.
“There’s no difference to the people whose information might have been compromised,” John points out. “But there is a difference to the risk profile and the current security posture of the organization.”
Meanwhile, it falls on the CISO to draw that fine line between appropriate policy that gets the job done, too little policy that gets the org pwned, and draconian policy that keeps work from happening.
“It’s not easy being a CISO—I think we can agree on that,” quips John.
To hear the complete show with David Monnier, click here.
What is the state of the art for rating the risk level of vulnerabilities for attack surface management purposes? This blog post explores the topic: How Attack Surface Management Calculates Attack Paths