By Ran Nahmias, Co-Founder and CBO, Cyberpion
The concept of risk in enterprise IT is constantly evolving. And considering recent findings, it’s clear that there’s a risk frontier that’s been underestimated: Nth-party risk.
Traditional enterprise risk management has focused on two domains: Internal risk and external (vendor) risk. Yet in an era of increasingly distributed, outsourced and long-tail remote IT infrastructure – it turns out that vendors and other third parties are just the tip of the external risk iceberg. What’s more, it turns out that third, fourth, fifth (and beyond…thus, the “Nth“) parties are not so external anymore, either. Here’s what I mean.
“External” Becomes “Internal”
The concept of “internal” and “external” has been evolving, too. How significantly? To find out, we recently conducted a survey of the public and internet-facing assets of every Fortune 500 company out there.
We discovered that nearly 75 percent of the IT infrastructure of a typical Fortune 500 company is external to the organization. Servers, cloud storage, content delivery networks (CDNs), DNS name servers, email servers, cloud services, you name it — these are off-premises and typically owned or managed by an organization outside of the direct control of the enterprise.
A typical company IT ecosystem incorporates an average of no fewer than 126 different login pages (the highest number in our survey was more than 3,000). These logins are the entry points to all of the various online services in use by employees and customers. The organizations included in our survey also leverage an average of 951 cloud assets.
It’s clear that in today’s enterprise, the lines between external and internal are massively blurred. The users of an enterprise’s services only see its logo or brand, not the hundreds of Nth-party organizations to which they are exposed, and the average user has no understanding of the risks lurking in the IT infrastructures of those Nth parties. As long as 75 percent of the infrastructure of the world’s largest digital-centric businesses sits outside what we used to call the “perimeter wall,” the long tail of the enterprise digital supply chain extends a lot farther than many of us might have imagined.
Do You Know Your Nth Parties?
We’re all used to vetting and onboarding third-party vendors. But today, just like enterprises, each third-party vendor has its own digital supply chain. These are vendors that provide the services and infrastructure that keep your vendors’ businesses running. And each of these vendors has its own vendors…and so on down the chain.
This means that the actual extent of the ecosystem that comprises three-quarters of the digital heart of a given enterprise is orders of magnitude larger than just the third parties we have a direct, contractual or business relationship with.
We call this long-tail ecosystem the “Nth-party ecosystem.” From a purely technical and business point of view, it works well. Everyone gets the services they need quickly, cost-effectively and without the need for the overhead and headache of in-house infrastructure and expertise. It’s the economic concept of specialization gone digital, and it’s driving enterprise digital transformation.
Unfortunately, there’s a catch. Security is the Achilles heel of the Nth-party ecosystem. While security teams are focused on what is, in reality, only 25 percent of an enterprise’s true IT infrastructure, threat actors are targeting much of the remaining 75 percent. How much, exactly? Read on…
Oops…Yeah, That’s Not Secure
In the survey we conducted, much of the Fortune 500 digital supply chain fell far short of security expectations. In fact, nearly 25 percent of the Nth-party ecosystem and enterprise cloud assets are at risk or contain known vulnerabilities.
The average number of vulnerabilities we discovered per Fortune 500 company was 296 (with the top of the scale weighing in at a staggering 7,500). What’s more, more than 6 percent of these vulnerabilities are considered “critical” – meaning they could carry severe consequences or quickly be exploited to impact the organization.
This means that today, as I write these lines, at least a quarter of the Fortune 500 Nth-party ecosystem is exposed to the types of breaches we see regularly in the news – loss of operational control, ransomware shutdowns, loss of property and data, brand reputation damage and more. And the critical vulnerabilities among them, the share noted above, are ticking cyber-timebombs.
What’s more, 10 percent of the login pages mentioned above are insecure because they transmit login data unencrypted or have SSL/TLS certificate problems: 30 percent allow transmission over plain HTTP, and 12 percent have invalid certificates or broken encryption. An attacker who can intercept or tamper with these logins could capture employee or customer credentials and reach the sensitive data behind them.
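The two login-page defects described above (credentials posted over plain HTTP, and an invalid certificate) are straightforward to check once you have the page URL, its HTML and the server certificate. The following is an added example, not Cyberpion’s tooling: `audit_login_page` is a hypothetical helper that reports both conditions, taking the certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns; the page, certificate and hostnames at the bottom are constructed sample inputs.

```python
"""Audit a login page for plaintext credential submission and certificate problems.

Added example (not Cyberpion's tooling). `audit_login_page` takes the page URL,
its HTML body and the server certificate as a dict in the shape returned by
ssl.SSLSocket.getpeercert(); all sample inputs below are constructed.
"""
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginFormParser(HTMLParser):
    """Collects the action URL of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._action = None
        self._has_password = False
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.password_form_actions.append(self._action)
            self._action = None


def _hostname_matches(hostname, cert):
    """Match hostname against the certificate's DNS SANs (single-label wildcard only)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def audit_login_page(page_url, html, cert=None, now=None):
    """Return a list of findings for one login page; an empty list means no issue found."""
    findings = []
    page = urlparse(page_url)
    parser = _LoginFormParser()
    parser.feed(html)

    if page.scheme != "https":
        findings.append("page served over plaintext HTTP")

    # A form action is resolved relative to the page, so "/login" inherits the page scheme
    for action in parser.password_form_actions:
        target = urlparse(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(f"credentials posted over HTTP to {target.geturl()}")

    if page.scheme == "https":
        if cert is None:
            findings.append("no certificate presented")
        else:
            if not _hostname_matches(page.hostname, cert):
                findings.append("certificate does not match hostname")
            now = time.time() if now is None else now
            if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
                findings.append("certificate expired")
    return findings


# Constructed sample inputs: an HTTPS login page whose form posts to an HTTP endpoint,
# served with a wildcard certificate that has already expired.
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://sso.example-vendor.test/login">
  <input name="user"><input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example-vendor.test"),),
    "notAfter": "Jan 01 00:00:00 2023 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2024 GMT")

if __name__ == "__main__":
    for finding in audit_login_page("https://login.example-vendor.test/",
                                    SAMPLE_HTML, SAMPLE_CERT, now=SAMPLE_NOW):
        print("-", finding)
```

Against the constructed page the audit reports two findings: the password form posts to an HTTP endpoint, and the certificate has expired (the wildcard name itself matches the host). The `now` parameter exists so the expiry check is deterministic; a live run would fetch the certificate with `ssl.create_default_context().wrap_socket(...)` and call `getpeercert()` on the socket.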
Decreasing the Nth Party Attack Surface: Start with Visibility
Clearly, a new paradigm is required to address the dangers of Nth-party risk. Gartner calls this External Attack Surface Management, and notes that “EASM is an emerging concept that is growing quickly in terms of awareness within the security vendor community, but at a slower pace within end-user organizations.”1
So, what’s the first step toward mitigating this new frontier of enterprise risk? We recommend starting simple: visibility. You can’t protect what you can’t see. Without a granular knowledge of the total inventory and volume of assets they are connected to, enterprises can’t even quantify exposure to Nth-party vulnerabilities – let alone identify and mitigate risks.
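One concrete way to get this visibility, and to see the vendor-of-a-vendor chains described under “Do You Know Your Nth Parties?”, is to follow each enterprise hostname’s CNAME chain and attribute every hop to the organization that owns the target domain. The following is an added example, not Cyberpion’s product: the DNS snapshot and the domain-to-owner map are constructed, and `walk_chain` and `inventory` are hypothetical helpers. In practice the snapshot comes from live resolution and the owner map from WHOIS, ASN or ownership data, and `registrable_domain` should use the public suffix list rather than the last two labels.

```python
"""Attribute enterprise hostnames to their Nth-party dependency chains via CNAME records.

Added example (not Cyberpion's tooling). The zone snapshot and owner map are
constructed; real inventories are built from DNS resolution and ownership data.
"""

# Constructed snapshot: hostname -> CNAME target, or None when the name resolves
# directly to an address. "old.enterprise.test" points at a name absent from the snapshot.
SAMPLE_ZONE = {
    "www.enterprise.test": "enterprise.cdn-vendor.test",
    "enterprise.cdn-vendor.test": "edge.cloud-provider.test",
    "edge.cloud-provider.test": None,
    "login.enterprise.test": "enterprise.sso-vendor.test",
    "enterprise.sso-vendor.test": "enterprise.sso-vendor.cdn-vendor.test",
    "enterprise.sso-vendor.cdn-vendor.test": "edge.cloud-provider.test",
    "mail.enterprise.test": None,
    "old.enterprise.test": "retired.saas-vendor.test",
    "loop-a.enterprise.test": "loop-b.enterprise.test",
    "loop-b.enterprise.test": "loop-a.enterprise.test",
}

# Constructed: registrable domain -> owning organization.
SAMPLE_OWNERS = {
    "enterprise.test": "Enterprise",
    "cdn-vendor.test": "CDN vendor",
    "sso-vendor.test": "SSO vendor",
    "cloud-provider.test": "Cloud provider",
    "saas-vendor.test": "SaaS vendor",
}


def registrable_domain(hostname):
    """Last two labels of the name; production code should consult the public suffix list."""
    return ".".join(hostname.split(".")[-2:])


def owner_of(hostname, owners):
    return owners.get(registrable_domain(hostname), "unknown")


def walk_chain(hostname, zone, owners, max_hops=16):
    """Follow CNAMEs from hostname. Returns (organizations in hop order, status),
    where status is 'resolved', 'unresolved' (target not in snapshot) or 'loop'."""
    orgs = [owner_of(hostname, owners)]
    seen = {hostname}
    current = hostname
    while True:
        if current not in zone:
            return orgs, "unresolved"
        target = zone[current]
        if target is None:
            return orgs, "resolved"
        if target in seen or len(seen) >= max_hops:
            return orgs, "loop"
        seen.add(target)
        org = owner_of(target, owners)
        if org != orgs[-1]:          # collapse consecutive hops inside one organization
            orgs.append(org)
        current = target


def inventory(zone, owners, enterprise_org):
    """Map each hostname owned by enterprise_org to its chain and its Nth-party depth
    (number of distinct external organizations between the host and its final address)."""
    report = {}
    for host in zone:
        if owner_of(host, owners) != enterprise_org:
            continue
        orgs, status = walk_chain(host, zone, owners)
        external = [o for o in orgs if o != enterprise_org]
        report[host] = {"chain": orgs, "nth_party_depth": len(external), "status": status}
    return report


def external_organizations(report, enterprise_org):
    """Every external organization the enterprise depends on, directly or further down the chain."""
    orgs = {o for entry in report.values() for o in entry["chain"] if o != enterprise_org}
    return sorted(orgs)


if __name__ == "__main__":
    report = inventory(SAMPLE_ZONE, SAMPLE_OWNERS, "Enterprise")
    for host, entry in report.items():
        print(f"{host}: depth={entry['nth_party_depth']} status={entry['status']} "
              f"chain={' -> '.join(entry['chain'])}")
    print("external organizations:", external_organizations(report, "Enterprise"))
```

On the constructed snapshot `login.enterprise.test` reaches its address through three external organizations (SSO vendor, then that vendor’s CDN, then the CDN’s cloud provider), which is exactly the fourth- and fifth-party exposure the article describes, while the enterprise only contracted with the SSO vendor. The walk also surfaces two inventory gaps that a contract list never shows: a name whose target no longer resolves, and a CNAME loop.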
Threat actors are finding it ever easier to exploit vulnerabilities in Nth-party assets and then travel upstream through the enterprise ecosystem to carry out potentially crippling attacks. Highly distributed, outsourced and long-tail remote IT infrastructure demands a reevaluation of the tools and methodologies used to address and overcome both existing and emerging Nth-party ecosystem threats.