Any business with internet-accessible services gives anyone else on the internet - good, bad, or indifferent - an opening to probe those services and see what is running.
Bad actors and security companies alike are constantly conducting reconnaissance to find vulnerabilities, but they usually lack the context that the business itself has: what a given host is, who owns it, and whether a finding actually matters. That context is the advantage a security team should hold over attackers running scrapers and scanners across the internet looking to exploit those vulnerabilities.
Medium-sized businesses should expect their larger customers and clients to contact them about potential vulnerabilities. According to AlixPartners' Bill Varhol, these requests generally fall into three categories:
- A newsworthy vulnerability that puts data at risk, such as Heartbleed or Shellshock. Larger organizations will want to know exactly what is vulnerable and when it will be fixed.
- Vendor onboarding diligence, usually via questionnaires or third-party security companies. These often involve smaller-scale findings such as missing SPF records or weak cryptography, but they can also include un-reviewed, automated findings with high false-positive rates, such as email addresses found on websites. Typical items include:
  - Potential typo-squatting domains that the business should be aware of.
  - Outdated browser versions.
  - Web-application findings such as cookies set without the HttpOnly flag.
- A suspicious email that appears to originate from a domain owned by the medium-sized business.
Listen to Bill’s guidance for how medium sized businesses should prepare to address security issues like these with customers and clients:
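Two of the questionnaire findings listed above (a missing SPF record and cookies set without HttpOnly or Secure) are cheap to verify in-house before a customer raises them. The following is an added example, not code from the article or from AlixPartners; the DNS TXT records and Set-Cookie headers are constructed samples, and a real run would substitute the output of a DNS lookup and an HTTP response.

```python
"""Self-check for two common vendor-questionnaire findings:
a missing SPF record and cookies lacking HttpOnly/Secure.
Inputs are constructed in-line so the script runs offline."""
from typing import Dict, List, Set


def has_spf(txt_records: List[str]) -> bool:
    """True if exactly one TXT record is an SPF policy.
    RFC 7208 requires the record to start with 'v=spf1'; having
    zero or more than one SPF record both count as a finding."""
    spf = [r for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    return len(spf) == 1


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into the cookie name and a set of
    lower-cased attribute names (Path, HttpOnly, Secure, ...)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Set[str] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def cookie_findings(set_cookie_headers: List[str]) -> List[str]:
    """Report each cookie that is missing the HttpOnly or Secure flag."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            findings.append(f"cookie {cookie['name']} lacks HttpOnly")
        if "secure" not in cookie["attrs"]:
            findings.append(f"cookie {cookie['name']} lacks Secure")
    return findings


def run_selfcheck(txt_records: List[str], set_cookie_headers: List[str]) -> List[str]:
    """Combine the SPF and cookie checks into one list of findings."""
    findings: List[str] = []
    if not has_spf(txt_records):
        findings.append("domain has no single SPF TXT record")
    findings.extend(cookie_findings(set_cookie_headers))
    return findings


# Constructed sample data: a domain with no SPF record and one weak cookie.
SAMPLE_TXT = ['"google-site-verification=abc123"']
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "tracker=xyz; Path=/",
]

if __name__ == "__main__":
    for finding in run_selfcheck(SAMPLE_TXT, SAMPLE_COOKIES):
        print("FINDING:", finding)
```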