Cyber Resilience Report
What does it speak about?
Cyber resilience is the ultimate goal, the final display, the summary page of cybersecurity. The cyber risk posture is a snapshot of risk at any given moment; take tens of thousands of risk posture snapshots, correlate them with forensics and apply AI, and you end up with Cyber Resilience Risk.
According to Gartner, a leading research company, by 2025, 40% of programs will deploy socio-behavioral principles (such as nudge techniques) to influence security culture across the organization, up from less than 5% in 2021. And by 2025, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements.
> Tip: Any SMB, being part of a larger supply chain, will be required to provide risk scores. It is mandatory for business continuity.
Cyber Resilience Risk can be calculated from many different datasets; DefensX provides user-centric, behavioral cyber resilience risk scoring. With more than 30 data probes deployed in a traditional web browser, individual risk profiles are created while the end user performs their routine tasks. This lets the enterprise/MSP focus on what and who matters most: it reduces the noise and pinpoints the individuals most likely to be the cause of the next breach.
Cyber Risk = Likelihood × Impact
While calculating the Cyber Resilience Risk, DefensX carefully manages end user data. No critical data ever leaves the web browser or the end user's device. Proprietary algorithms run in the web browser context to prepare data points locally, and only the analytics calculation and the AI step happen in the cloud, on the intermediate data. For example, for the password dark web analysis, DefensX uses a one-way hash to perform the lookup; password information never leaves the endpoint.
The following is an example report for 30 days of usage, where each individual employee of an enterprise is rated on four main categories: Password Hygiene, Social Engineering Risk, Malware Risk and Sensitive Data Exposure Risk.
It is possible to drill down to every single event that has caused a risk increase for the individual.
Password Hygiene
The Password Hygiene report is based on data points created by the DefensX Browser Extension. The extension always monitors password entry fields on any website, on the client side. When a user enters a password, the extension does the following:
- Checks whether the password is included in a known data breach and gets the pwned score anonymously
- Calculates the strength of the password
How does pwned score calculation work?
We use the k-anonymity approach to check the pwned database score for a given password. This is a proven way of checking whether an item is included in a cloud-hosted database without sending the item, or the item's full hash, over the network. The same method is also used internally by browsers' embedded password managers when they show whether your saved passwords are already included in a data breach.
Cloudflare and the Pwned Passwords service have published good articles on how the flow works without exposing any information on the network.
In summary, checking a pwned score works like this:
- Let's assume that the user entered the password P@ssword!
- The SHA1 of the password is calculated by our extension; in this case it is 8093FA1D66B5F57ED694839E28C5D454D6A60DD2
- We don't want to send the whole hash value to the internet to check the database. We take only the first five characters of the SHA1 hash value, which is 8093F in this example.
- Then we send a request to the pwned database, querying only the records whose SHA1 hash values start with the same 8093F. To do this, it is enough to GET the URL https://api.pwnedpasswords.com/range/8093F. You can do it from your browser too; just use the first five characters of your hash when creating the URL.
- Now you have a simple database that consists of the remaining part of each SHA1 hash (the full hash is known only to you, locally) and how many times it has occurred in a data breach:

```
...
A1BF8B43DAE93F2980ED7C5C5453E21E53E:1
A1D66B5F57ED694839E28C5D454D6A60DD2:299
A1ED9C58A61F89969FC92FF0CE5D1B5CD46:6
...
```

- We know our exact SHA1 hash and we only sent the first five characters of it. The remaining 35 characters are known only to us, which leaves an enormous number of possibilities.
- Now we strip out the first five characters and take the remaining 35; in our example that is A1D66B5F57ED694839E28C5D454D6A60DD2
- Looking at the contents, we see that this pattern is included in the second row above, and after the colon we learn that the password with this exact hash value has already been included in 299 data breaches.
As a result, we found the number without sending any meaningful information over the network. If the searched hash is not found in this content, we can say that the password is not included in any known data breach.
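The lookup described in the steps above, as an added Python example (not DefensX's extension code): the SHA1 is computed locally, only the five-character prefix is passed to the fetcher, and the suffix match is done on the device. The fetcher is injectable so the check can run offline against the three constructed sample lines quoted above; `fetch_range_https` and `offline_fetch` are assumed helper names.

```python
import hashlib
import urllib.request

# The full digest quoted in the text for the worked example.
PAGE_DIGEST = "8093FA1D66B5F57ED694839E28C5D454D6A60DD2"

# Constructed sample body: the three range lines quoted above, in the
# format the range endpoint returns (35-char SHA1 suffix, colon, count).
SAMPLE_RANGE_BODY = (
    "A1BF8B43DAE93F2980ED7C5C5453E21E53E:1\r\n"
    "A1D66B5F57ED694839E28C5D454D6A60DD2:299\r\n"
    "A1ED9C58A61F89969FC92FF0CE5D1B5CD46:6\r\n"
)

def sha1_hex(password):
    """Upper-case hex SHA1 of the password, computed locally only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_digest(digest):
    """Split a 40-char hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the device."""
    digest = digest.upper()
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA1 hex digest")
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_https(prefix):
    """Real lookup against the range endpoint named in the text (network)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_fetch(prefix):
    """Stand-in fetcher: serves the constructed sample for prefix 8093F."""
    return SAMPLE_RANGE_BODY if prefix == "8093F" else ""

def pwned_count_for_digest(digest, fetch_range=fetch_range_https):
    """k-anonymity lookup: only the prefix reaches the fetcher, the suffix
    match happens locally. Returns 0 when the hash is not listed."""
    prefix, suffix = split_digest(digest)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def pwned_count(password, fetch_range=fetch_range_https):
    return pwned_count_for_digest(sha1_hex(password), fetch_range)
```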
How does password strength calculation work?
Choosing a good password is the first step in keeping our accounts safe. But recent hardware developments, specifically in graphics cards, have dramatically increased the number of hash values that can be calculated. For example, if MD5 is used for storing passwords, an RTX 2080 GPU can find the password in the following times:
| Number of Chars | Upper and Lowercase Letters | + Numbers | + Symbols |
|---|---|---|---|
| 6 | INSTANTLY | 1 SEC | 5 SECS |
| 7 | 25 SECS | 1 MIN | 6 MINS |
| 8 | 22 MINS | 1 HOUR | 8 HOURS |
| 9 | 19 HOURS | 3 DAYS | 3 WEEKS |
| 10 | 1 MONTH | 7 MONTHS | 5 YEARS |
| 11 | 5 YEARS | 41 YEARS | 400 YEARS |
| 12 | 300 YEARS | 2000 YEARS | 34000 YEARS |
> Tip: Even though 12 characters seems a good option, we need to remember that this calculation was done with only one graphics card. On the other hand, this example assumes that MD5 was used to store the password, which was pretty common 5 years ago. As knowledge of this domain has grown, newer hash algorithms have been introduced that make a GPU's life even harder. For example, if Bcrypt or Scrypt is used to store the password hash, it is even safe to use a password consisting of only 10 characters.
We use the zxcvbn algorithm to check the strength of a given password inside the extension. The algorithm was developed by Dropbox as an open-source project, which you can download from GitHub. It is a well-known and widely used algorithm that rates password strength in 5 categories:
- Very Weak
- Weak
- Medium
- Strong
- Very Strong
The JavaScript version of the algorithm is embedded in the DefensX extension, so there is no need to send any information to the cloud to calculate the password strength value. You can also find more information about the method in the USENIX Security Symposium paper "zxcvbn: Low-Budget Password Strength Estimation".
Social Engineering
Social engineering in its shortest explanation is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Each digital employee is a potential attack target for social engineering, also known as the layer-8 problem.
To better understand the risk attached to social engineering, it is important to look at the attack life cycle:
DefensX follows the footsteps of the individual and scores each action according to the "what is most important for an attacker" principle. Anything that exposes information usable at the information gathering step, for instance, increases the risk score for the individual employee. The time spent on certain web services that are the main sources for information gathering also increases the risk.
Malware Risk
To be clear, DefensX does not focus on the files themselves. On the contrary, DefensX focuses on human behavior towards files on the Internet. EDR tools are best for assessing the risk of files, but they leave a great attack surface for zero-days. They work after the fact, because they require the malware to be deployed before they can do the analysis.
DefensX lays the human-malware risk monitoring layer as the front line of defense and lets the enterprise understand the risk attached to individual behavior. For instance, downloading random PowerPoint files to copy/paste some slides is not something EDRs can or will tackle, but it is a great indicator of the individual's behavior. Similarly, downloading files from bulletin boards says a lot about the individual's risk behavior.
DefensX data probes provide rich contextual information to determine which employee is most likely to become a victim of malware and cause the next breach.
Sensitive Data
DefensX monitors file uploads, passwords and similar data exposed over the Internet through web browsers. Individual actions taken during the monitoring period affect the sensitive data exposure risk score for the individual.