As security researchers and consultants, we often get asked, ‘How does the security of my organization compare to others?’. In this blog post, we introduce a metric to help answer this question: The Hackability Score. Based on the Hackability Score we deep-dive into the security of different regions and industries over a series of upcoming posts.
Motivation: How do we compare to our peer group?
From the perspective of a single organization, little information is available to judge your security posture compared to your industry, your region, or global best practices.
Assume, for instance, that your latest pentest found three issues: one instance of Heartbleed, and two accessible git folders. These findings are reason for concern as each can directly lead to data exposure. However, do these three issues make your organization weaker than the average of your peer group?
It turns out that you may still be doing better than most. On average, companies expose several thousand issues with high and critical severity for every million hosts on the Internet:
A large organization with “only” three critical issues is doing better-than-average for most industries. Being able to gauge where you stand compared to both industry and global best practices, is crucial to understanding from whom you can still learn in order to further improve your protections against hacking.
Making security comparable: SRLabs Hackability Score
To compare different organizations, we first normalize their security scores. Our approach is to compute a single score which summarizes the vulnerabilities that an organization exposes to the Internet.
A survey of the Internet provides insights into four relevant aspects of information security:
- Weak credentials and missing authentication reveal issues in a company’s identity and access management
- Unnecessary exposure to the Internet raises questions about security architecture
- Configuration issues show gaps in asset hardening
- Outdated software signals insufficient patch management
(As a measure from the Internet, the SRLabs Hackability Score does not provide direct insights into other relevant areas such as endpoint security and social engineering awareness. However, we are assuming that a security team who handles the four directly measurable areas well, will also, on average, perform well in related areas.)
Based on the issues found through an Internet scan, we compute an overall Hackability Score. The score gives more weight to critical severity (4) and high severity (3) issues, as these are typically the cause of a successful compromise:
As a simple example, an organization with only two assets exposed to the Internet, which have a total of three issues, has the following SRLabs Hackability Score:
Comparing Hackability across industries
In preparation for this research, we scanned over 5.000 companies across various geographies and industry verticals. Different industries show large differences in their Hackability:
As expected, industries that heavily invest in security, including Banking and Insurance, have lower-than-average Hackability Scores. Other industries, including Retail, achieve low Hackability by exposing relatively little technology to the Internet:
Let us explore the drivers of security evolution
Industries and companies that expose less technology on the Internet are generally less hackable from the Internet, likely at the cost of reaping fewer of the rewards of digitization. One question we will explore on this blog is how to square this circle of actively adopting new technology along with the value creating of digitization, while simultaneously keeping Hackability lower than your peer group.
We will learn what makes some companies and industries less hackable than others, which issue types are easiest to address, and how to maintain high protection from hacking during fast-paced digital transformations.