In the last few weeks the biggest topic of discussion on everyone's lips has been the Equifax hack. For us at BinaryEdge this presented an opportunity to test some of the work we have been developing around understanding a company's exposure.
At the moment our work is focused 100% on cyberinsurance and on developing certain features for this project:
- Open framework for IP scoring - You might have read about this work on securityrating.io; you can check how the framework works and submit changes on github. Internally we can now also score domains.
- Organization asset mapping - One of the biggest problems organizations have is understanding which assets they own, and this becomes even harder once you take mergers and acquisitions into account. We have been working hard on a workflow that allows us to associate IP addresses and domains with specific companies. We keep improving this workflow every day and it is getting better and better. Essentially, it is what allows us to do this:
- Context - This is something we have been working on as a result of analysing the outputs of the two previous topics at large scale. We are trying to provide our scanners with context. Here is a simple example: we would like every website to have security headers, BUT if your local butcher's static website does not have CSP configured, it is not as bad as your bank lacking it, where critical operations are performed and sensitive data is exchanged. This is not an easy problem, but it is an important one, and we intend to use the results to create a scoring system that is more dynamic and accurate.
We have also been developing one more thing, but that, right now, is a bit of a surprise (and deserves its own blog post); we promise we will show it to you in a couple of weeks.
Back to Equifax.
As mentioned before, the moment we heard about the Equifax hack, we decided to test our combination of asset mapping and scoring. In one image, this is what we got:
See that red dot on top? Those are some of Equifax's assets scoring as high risk on our framework.
We like using this methodology to get a quick overview of a company's security state. After generating this image it got us thinking: what do the other companies in the same industry as Equifax look like?
And so we asked our platform.
It does not look like a good panorama. With Equifax having been attacked, and the "loot" looking so attractive from the hackers' perspective (data on more than 143 million users), we fear other companies in the credit scoring industry will follow.
Looking in more detail, it seems these companies are running old software that has not been updated in a while. We hope Equifax serves as an example and that these organizations start updating and improving their security.