Is it fair to judge an organization's information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What's remarkable is how many organizations don't make an effort to view their public online assets as the rest of the world sees them -- until it's too late.
Image: US Chamber of Commerce.
For years, potential creditors have judged the relative risk of extending credit to consumers based in part on the applicant's credit score -- the most widely used being the score developed by FICO, previously known as Fair Isaac Corporation. Earlier this year, FICO began touting its Cyber Risk Score (PDF), which seeks to measure an organization's chances of experiencing a data breach in the next 12 months, based on a variety of measurements tied to the company's public-facing online assets.
In October, FICO teamed up with the U.S. Chamber of Commerce to evaluate more than 2,500 U.S. companies with the Cyber Risk Score, and then invited these companies to sign up and see how their score compares with that of other organizations in their industry. The stated use cases for the Cyber Risk Score include the potential for cyber insurance pricing and underwriting, and evaluating supply chain risk (i.e., the security posture of vendor partners).
The company-specific scores are supposed to be made available only to vetted people at the organization who go through FICO's signup process. But in a marketing email sent to FICO members on Tuesday advertising its new benchmarking feature, FICO accidentally exposed the FICO Cyber Risk Score of energy giant ExxonMobil.
The marketing email was quickly recalled and reissued in a redacted version, but it seems ExxonMobil's score of 587 puts it in the "elevated" risk category and somewhat below the mean score among large companies in the Energy and Utilities sector, which was 637. The October analysis by the Chamber and FICO gives U.S. businesses an overall score of 687 on a scale of 300-850.
Data accidentally released by FICO about the Cyber Risk Score for ExxonMobil.
How useful is such a score? Mike Lloyd, chief technology officer at RedSeal, was quoted as saying a score "taken from the outside looking in is similar to rating the fire risk to a building based on a photograph from across the street."
"You can, of course, establish some important things about the quality of a building from a photograph, but it's no substitute for really being able to inspect it from the inside," Lloyd told _Dark Reading _regarding the Chamber/FICO announcement in October.
Naturally, combining external scans with internal vulnerability probes and penetration testing engagements can provide organizations with a much more holistic picture of their security posture. But when a major company makes public, repeated and prolonged external security foibles, it's difficult to escape the conclusion that perhaps it isn't looking too closely at its internal security either.
Too bad the errant FICO marketing email didn't expose the current cyber risk score of big-three consumer credit bureau Equifax, which was relieved of personal and financial data on 148 million Americans last year after the company failed to patch one of its Web servers and then failed to detect an intrusion into its systems for months.
A 96-page report (PDF) released this week by a House oversight committee found the Equifax breach was "entirely preventable." For 76 days beginning mid May 2017, the intruders made more than 9,000 queries on 48 Equifax databases.
According to the report, the attackers were able to move the data off of Equifax's network undetected thanks to an expired security certificate. Specifically, "while Equifax had installed a tool to inspect network traffic for evidence of malicious activity, the expired certificate prevented that tool from performing its intended function of detecting malicious traffic."
Expired certificates aren't particularly rare or noteworthy, but when they persist in publicly-facing Web servers for days or weeks on end, it raises the question: Is anyone at the affected organization paying attention at all to security?
Given how damaging it was for Equifax to have an expired certificate, you might think the company would have done everything in its power to ensure this wouldn't happen again. But it would happen again -- on at least two occasions earlier this year.
In April 2018, KrebsOnSecurity pointed out that the Web site Equifax makes available for consumers who wish to freeze their credit files was using an expired certificate, causing the site to throw up a dire red warning page that almost certainly scared countless consumers away from securing their credit files.
It took Equifax two weeks to fix that expired cert. A week later, I found another expired certificate on the credit freeze Web portal for the National Consumer Telecommunications and Utilities Exchange -- a consumer credit bureau operated by Equifax.
One has to wonder what the median FICO Cyber Risk Score is for the credit bureau industry, because whatever Equifax's score is it can't be too different from that of its top competitor -- Experian, which is no stranger to data breaches.
On Tuesday, security researcher @notdan tweeted about finding a series of open directories on Experian's Web site. Open directories, in which files and folders on a Web server are listed publicly and clickable down to the last file, aren't terribly uncommon to find exposed on smaller Web sites, but they're not the sort of oversight you'd expect to see at a company with the size and sensitivity of Experian.
A directory listing that exposed a number of files on an Experian server.
Included in one of the exposed directories on the Experian server were dozens of files that appeared to be digital artifacts left behind by a popular Web vulnerability scanner Burp Suite. It's unclear whether those files were the result of scans run by someone within the company, or if they were the product of an unauthorized security probe by would-be intruders that somehow got indexed by Experian's servers (the latter possibility being far more concerning).
Experian did not respond to requests for comment, and the company disabled public access to the directories shortly after other researchers on Twitter began piling on to @notdan's findings with their own discoveries.
Evidence of data left behind by a Burp Suite Web vulnerability scan run against an Experian server.
As I noted in last week's story on the 4-year-long breach at Marriott that exposed personal and financial data on some 500 million guests, companies that have their heads screwed on correctly from an information security standpoint are run by leaders who are expecting the organization will get breached constantly through vulnerabilities, phishing and malware attacks.
They’re continuously testing their own internal networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). They are finding creative ways to cut down on the volume of sensitive data that they need to store and protect. And they are segmenting their networks like watertight compartments in a ship, so that a breach in one part of the organization's digital hull can't spread to the rest of the vessel and sink the whole ship (it's worth noting the House oversight report observed that the lack of network segmentation was a major contributor to the Equifax breach).
But companies with advanced "security maturity" also are regularly taking a hard look at what their outward-facing security posture says to the rest of the world, fully cognizant that appearances matter -- particularly to ne'er-do-wells who tend to view public security weaknesses like broken windows, and as an invitation to mischief.